Executive VIP
Posts: 5,023
Registered: ‎Mon 23-Nov-2009

Cleanup: Deny access and move to ...

While dealing with Mal/Generic-L, Sus/CFNBehav-A and sdra64.exe I noticed that the rootkit scan component put the sample in %ALLUSERSPROFILE%\Application Data\Sophos\Sophos Anti-Virus\samples as samples.sar when I requested Move to default location as cleanup action. One would expect to find it in \INFECTED though (this is the path you see in the client UI) . Anyway it is an improvement as the archive does not trigger detection and it's easier to deal with - although one would wish the Send sample to be available from the console, as RRR has said in his(?) reply.


Thinking about Move I wonder - has anyone used a custom UNC path for Move to? IIRC at some time in the past there was an INFECTED folder on the InterChk share (but this setup predated SEC). Obviously you need an anonymously writable share, something you probably have a really bad feeling about. OTOH it would help in collecting samples but as they only get their extension changed they are still not easy to deal with - the archiving approach (also utilized by SDU) is better.

Is the INFECTED folder a relict or should the option to move the items to a UNC path be considered for collecting samples? If so - how should the server hosting this share be set up?