Mon 19-Mar-2012 10:14
In our enterprise we work with SEC5 and Endpoint 10.0.2, on Win7 Enterprise 64b.
Recently we got several workplaces where we get the message from Windows ActionCenter, that a (well known) virus was found and must be removed. This is called W32/Small.CA.
Question is now, why does Sophos not detect this threat? When doing a full system scan, nothing is found.
Mon 19-Mar-2012 11:49
Question is now, why does Sophos not detect this threat?
Did the ActionCenter tell you where it has been found? Microsoft's Threat Encyclopedia doesn't tell what distinguishes this particular detection. As you have probably seen "the Internet" either refers to W32.Small.R (which is "mapped by" Sophos' W32/SillyFDC-H) or to "the usual tools". I haven't seen a real resolution.
Anyway, you should give SMaRT a try - it will eventually tell you how to collect some information and submit this to Support for investigation.
P.S.: I won't rule out that this is a false positive
Thu 22-Mar-2012 11:10
Is there any news about this topic?
We have exactly the same issue: Windows Action Center is telling us about this virus detection, but a full scan with Sophos AV is ending up without any detections.
It's a false positive of Windows?
Thu 22-Mar-2012 11:45
Same question: Do you have an idea where the threat is detected? I assume you are running Windows Defender (WAC is not a scanner, just the messenger). Defender logs (AFAIK) to the System and Application event logs and %ProgramData%\Microsoft\Windows Defender\Support.
Without a sample no AV vendor can tell whether it's a false positive or not - and if it is, no vendor other than Microsoft can fix it. And without a "working sample" (i.e. one that reliably triggers the alert) or the responsible party's statement no one else will be able to tell you that it has been fixed.
Wed 25-Apr-2012 21:51
We are seeing the same exact issue. They are running through the smart guide to see if it picks anything up right now. Doing some research elsewhere on the internet says that this is a real threat to Windows, but most AVs aren't picking it up.
Mon 07-May-2012 15:19
We also get those error messages on some Win7 x64 Ent. clients.
Any link from the Action Center leads to Microsoft sites or Microsoft partner sites where suggested removal tools from 3rd-party vendors were recommended.
None of the links in the Action Center, or the event logs of the system, or any other "deeper" log in the system provides any kind of information about the file which seems to be infected...
In my case, there is no way to send Sophos a file for the Labs to investigate, because there is no file information.
Mon 07-May-2012 15:31
I just got some update:
This is a possible Microsoft false positive which was widely reported. See here:
Somebody wrote there:
...I suggest you turn off Windows Defender for a day or 2 & then see if the "warning" goes away.
type in Windows Defender
select it and press Enter-key
Press the Tools icon
Press the Real-time protection on the left side.
Then UN-check the box "Use real-time protection"
Apply & exit applet
Tell us what results you get.
...Thanks for your response. Unfortunately, there is not much I can add. The Windows Action Center reported, "Remove the Win32/Small.CA virus." After going through all the steps you've read, I manually archived the message and there were no follow-up messages. When I click on the archived message, there is no information other than an advisory to go online to learn about the solution.
Maybe someone finds this useful...
Thu 13-Jun-2013 11:37
I too have found this Windows "Virus" warning and wondered what if anything to do about it.
We are home users of Sophos with limited computing knowledge. So we find forums like this very helpful.
I did take a screen shot of the detail of the Windows warning but I can't work out how to paste it here. Under the problem signature it gives the problem event name as APPCRASH and the fault module name as ntdll.dll
Is this any help?
Thu 13-Jun-2013 12:21
Please upload the screenshot to some sharing site and include the link here. And how is the APPCRASH related to W32/Small.CA? Any details you can remember of the sequence of events could be helpful.
Thu 13-Jun-2013 13:01
Thanks for the reply.
Have put the screenshot into DropBox - hope this is ok
This is what came up when I clicked on 'problem details' in the Windows warning. (I only did this today even though the event was in February). So I don't know why Windows thinks this is related to a virus.
I can't recall any particular incident on the February date listed. I have used Task Manager occasionally to end tasks that aren't responding - don't know if this is related.
Thanks for your help