
Getting email alert but no machines showing as having virus / malware in Enterprise console

Hi, we have just installed Sophos Enterprise Console 5.2.0.644 (have been using Enterprise Console 4.5).

Since this has been installed (2 days) we have been getting SAV email alerts for a few machines with the message below, but these machines are showing with a green icon and "same as policy" in the Enterprise Console, and there are no machines with alerts at all.

Shouldn't the machine be showing with an alert in the console?

User: NT AUTHORITY\SYSTEM

Scan: On-access

Machine: xxxxx

File "C:\Windows\Temp\TMP00000166B7184A7E24C3AE5D" belongs to virus/spyware 'Mal/VBDrop-G'.

:45161


  • Hello nwblue,

    Shouldn't the machine be showing with an alert in the console?

    not a pending one if the threat has properly been dealt with (dunno if the action is always included or reported in another mail). Double click the computer name to view its details - the detection and action should be under History. Also an appropriate Report should list it.

    Christian

    :45165
  • Thank you Christian

    I can see the history on a couple of machines saying the threat had been cleaned, but not all. 2 machines we have had the email for just show that they have updated successfully. We have only had this version installed for 2 days and I am wondering if there has been something left over from the old console, which has now been uninstalled after 5.2 updated the clients (different servers).

    I will monitor

    :45167
  • I've just had another email alert for another machine (same virus/spyware 'Mal/VBDrop-G') and the history of the machine only shows updates. The path for the file is always C:\windows\temp.

    Running a report in the console doesn't show these alerts, so I'm confused what's detecting them and worried they aren't being cleaned.

    :45173
  • Hello nwblue,

    please inspect the clients' logs - the detection should be recorded there. The mail is sent from the clients and the detection might not be sent upstream to SEC. My first thought was blocked download - doesn't usually go to SYSTEM's %TEMP% though. Anyway, the logs should tell more. As for cleaning - just check whether the file is there or not.

    Christian
    :45175
  • Hi Christian

    Thank you again for your help. I have checked the logs on one of the machines and it shows the detection of Mal/VBDrop-G but doesn't indicate if it was quarantined or cleaned. I have attached 2 logs for the machine.

    I am very grateful for the help you are giving :-)

    :45209
  • Hello nwblue,

    I daresay this is not correct. Looks like the scanner changed its mind halfway through and neither alerted SEC nor indicated an action. I suggest you contact Support directly - run SDU and submit the output with your query (you can also refer them to this thread). Is the file still there? If so, you should also send a sample to Sophos.

    I notice occasional 0xa0040202 errors. These too should be investigated (although they don't seem to be reproducible).

    Christian

    :45213
  • Hi Christian

    Yet again thanks for your help. I have submitted a report to Sophos.

    As regards the other errors you mentioned, they are all for known software, so I will submit these to Sophos as well to see why we are getting those errors.

    :-)

    :45219
  • Hi nwblue,

    Did you get this issue resolved through support?

    I am experiencing issues similar to this at the moment and have had an open support case for a couple of weeks now.

    Cheers,

    David.

    :47185
  • Hi David

    We have tried a lot of different ways of capturing the cause of the alert but haven't got anywhere as yet. Sophos have now got one of the laptops to investigate further.

    I'll post any findings when they have got back to me.

    Carol

    :47291