Hello StephenP3,
not knowing what exactly infected means in this context and without any details I can't comment on the particular incident. I can give you some pointers to the analyses (.../DNSChan-xx and .../DNSCha-xx) as well as a few articles on nakedsecurity. As you see, it has been around for some time now and is by no means unknown to Sophos.
Are you a Sophos customer? If so, you should contact Support to analyze the situation. But even if you aren't, they might be interested in your findings.
Christian
Hi Christian.
Many thanks for your reply.
I'm aware my post is relatively ambiguous and more details required.
We are a Sophos client, although our antivirus solution is managed by our managed service provider.
Our managed service provider has simply said that one of our servers (a particularly sensitive one) was infected with DNSChanger malware and that they've removed it using Hitman Pro.
They claim that the malware is / was undetectable by our antivirus, but seeing as it has been 'in the wild' for so long I find this hard to believe. I am also extremely concerned about the possibility of further malware and / or viruses present on our system, seeing as this was sitting on our system undetected.
Thanks again for your response. If I can garner any further information then I shall share.
Thanks for the response. If you allow some further comments ...
our antivirus solution is managed by our managed service provider [...] They claim that the malware is / was undetectable by our antivirus
Sounds like they don't like Sophos :smileytongue: - or are at least indifferent.
Can't really guess what's included in managed. If I found some (alleged) infection I'd take it to Sophos Support immediately and (perhaps with their help) assess the situation. If there's an active component I'd try to obtain a sample and send it in. Often you don't know how you contracted this something. Thus if your AV is from vendor A and you used a tool from vendor B to remove this something you are still unprotected against this threat (unless someone else sends a sample to A or A happens to acquire it by other means - not all vendors exchange samples).
Maybe I'm misunderstanding what you've said, but "you've had something, your solution didn't catch it, we've taken care of it" sounds a little bit, err, dogmatic. If they think another solution (perhaps the one they use) is better or preferable and they only reluctantly support "others" they should say so. As I said, I might be wrong - but I've seen/heard "we usually do A, B and C, or if you insist we can also do D (but actually we like A best)" more than once. Long term it doesn't really turn out all right for any party.
Just my two cents
Christian