Visitor
MarcoSoli
Posts: 1
Registered: ‎Thu 05-Jan-2012

W32/Small.CA

Hello

 

In our enterprise we work with SEC5 and Endpoint 10.0.2, on Win7 Enterprise 64b

 

Recently we got several workplaces where we get the message from Windows ActionCenter, that a (well known) virus was found and must be removed. This is called W32/Small.CA.

 

Question is now, why does Sophos not detect this threat? When doing a full system scan, nothing is found.

 

Best regards

Marco

Executive VIP
QC
Posts: 4,525
Registered: ‎Mon 23-Nov-2009

Re: W32/Small.CA

Hello Marco,

 

Question is now, why does Sophos not detect this threat?

Did the ActionCenter tell you where it has been found? Microsoft's Threat Encyclopedia doesn't tell what distinguishes this particular detection. As you have probably seen "the Internet" either refers to W32.Small.R (which is "mapped by" Sophos' W32/SillyFDC-H) or to "the usual tools". I haven't seen a real resolution.

 

Anyway, you should give SMaRT a try - it will eventually tell you how to collect some information and submit this to Support for investigation.

 

Christian

P.S.: I won't rule out that this is a false positive

Occasional Advisor
5190097071
Posts: 5
Registered: ‎Wed 08-Feb-2012

Re: W32/Small.CA

Hello,

 

is there any news about this topic?

We have exactly the same issue, Windows Action Center is telling us about this virus detection, but a full scan with Sophos AV is ending up without any detections.

 

It's a false positive of Windows?

 

best regards

Frank-Michael

Executive VIP
QC
Posts: 4,525
Registered: ‎Mon 23-Nov-2009

Re: W32/Small.CA

Hello Frank-Michael,

 

same question: Do you have an idea where the threat is detected? I assume you are running Windows Defender (WAC is not a scanner, just the messenger). Defender logs (AFAIK) to the System and Application event logs and %ProgramData%\Microsoft\Windows Defender\Support.

Without a sample no AV vendor can tell whether it's a false positive or not - and if it is, no vendor other than Microsoft can fix it. And without a "working sample" (i.e. one that triggers reliably the alert) or the responsible party's statement no one else will be able to tell you that it has been fixed.

 

Christian
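
The lookup described in the reply above, as an added example that is not part of the original post: it searches the System and Application event logs and the Defender support directory for the threat name shown by the Action Center. The function name `Find-DetectionTrace`, the search pattern and the 90-day window are assumptions, and it presumes the detection was recorded as text in one of those places.

```powershell
# Added example (not from the thread): find where a named detection was logged.
# Run from an elevated prompt; the Support directory is not readable otherwise.
function Find-DetectionTrace {
    param(
        [string]$Pattern = 'Small\.CA',  # assumed regex for the name in the alert
        [int]$Days = 90                  # assumed look-back window
    )

    $since = (Get-Date).AddDays(-$Days)

    # 1. System and Application event logs: match on the rendered message text
    #    and keep only the lines that mention the threat name.
    Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object @{ n = 'Source'; e = { $_.LogName } },
                      TimeCreated, ProviderName, Id,
                      @{ n = 'Detail'; e = {
                          ($_.Message -split "`r?`n" |
                              Where-Object { $_ -match $Pattern }) -join ' | ' } }

    # 2. Text logs under the Defender support directory named in the post.
    $support = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Support'
    if (Test-Path $support) {
        Get-ChildItem -Path $support -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Select-String -Pattern $Pattern -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Source'; e = { $_.Path } },
                          @{ n = 'TimeCreated'; e = { $null } },
                          @{ n = 'ProviderName'; e = { 'file' } },
                          @{ n = 'Id'; e = { $_.LineNumber } },
                          @{ n = 'Detail'; e = { $_.Line.Trim() } }
    }
}

# Any hit names the log, time and (if recorded) the file path to submit as a sample.
Find-DetectionTrace | Sort-Object TimeCreated | Format-List
```

No output means none of these locations recorded the name, which matches what later posters in this thread report.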

Visitor
McMiles
Posts: 1
Registered: ‎Wed 25-Apr-2012

Re: W32/Small.CA

We are seeing the same exact issue.  They are running through the smart guide to see if it picks anything up right now.  Doing some research elsewhere on the internet says that this is a real threat to windows, but most AVs aren't picking it up. 

Occasional Visitor
S_Hasslinger
Posts: 2
Registered: ‎Mon 07-May-2012

Re: W32/Small.CA

Hi,

 

we also get those error messages on some Win7 x64 Ent. Clients.

Any Link from the Action Center is guided to Microsoft Sites or Microsoft Partner Sites where suggested Removal Tools from 3rd Party Vendors were recommended.

 

None of the Links in the Action Center, or the Event Logs of the System, or any other "deeper" Log in the System provides any kind of information of the File which seems to be infected...

 

In my case, there is no way to send Sophos a File for the Labs to investigate, cause there is no File information :smileysad:

Occasional Visitor
S_Hasslinger
Posts: 2
Registered: ‎Mon 07-May-2012

Re: W32/Small.CA

I just got some update:

 

This is a possible Microsoft false positive which was widely reported. See here:

http://answers.microsoft.com/en-us/windows/forum/windows_7-security/windows-7-and-how-to-remove-win3...

 

 

Somebody wrote there:..

 

...I suggest you turn off Windows Defender for a day or 2 & then see if the "warning" goes away.

Press Windows-key
type in Windows Defender
select it and press Enter-key
Press the Tools icon
Press the Real-time protection on the left side.
Then UN-check the box "Use real-time protection"
Apply & exit applet

Tell us what results you get.

 

 

and.

 

...Thanks for your response.  Unfortunately, there is not much I can add.  The Windows Action Center reported, "Remove the Win32/Small.CA virus."  After going through all the steps you've read, I manually archived the message and there were no follow-up messages.  When I click on the archived message, there is no information other than an advisory to go online to learn about the solution.

 

 

Maybe someone finds this useful...

Visitor
Tigerlily
Posts: 3
Registered: ‎Mon 15-Aug-2011

Re: W32/Small.CA

I too have found this Windows "Virus" warning and wondered what if anything to do about it.

 

We are home users of Sophos with limited computing knowledge. So we find forums like this very helpful.

 

I did take a screen shot of the detail of the  Windows warning but I can't work out how to paste it here. Under the problem signature it gives the problem event name as APPCRASH and the fault module name as ntdll.dll

 

Is this any help?

 

 

 

Executive VIP
QC
Posts: 4,525
Registered: ‎Mon 23-Nov-2009

Re: W32/Small.CA

Hello Tigerlily,

 

please upload the screenshot to some sharing site and include the link here. And how is the APPCRASH related to W32/Small.CA? Any details you can remember of the sequence of events could be helpful.

 

Christian

Visitor
Tigerlily
Posts: 3
Registered: ‎Mon 15-Aug-2011

Re: W32/Small.CA

 

Thanks for the reply.

Have put the screenshot into DropBox - hope this is ok

 

https://www.dropbox.com/s/eeexs4iebxsdnv7/Windows%20Flag.jpg

 

This is what came up when I clicked on 'problem details'  in the Windows warning. (I only did this today even though the event was in February). So I don't know why Windows thinks this is related to a virus.

 

I can't recall any particular incident on the February date listed.  I have used Task Manager occasionally to end tasks that aren't responding - don't know if this is related.

 

Thanks for your help