Uninfected md5.exe quarantined by Sophos

Sophos Anti-Virus 7.6.17 installed here at work has quarantined my md5.exe utility as being part of something called Mal/EncPk-NS.

I'm glad we got rid of Norton for Sophos, but if Sophos is so sloppy you brand every utility someone uses in their malware / virus kit as a program that needs to be quarantined, then something is wrong at Sophos.

I've verified that the md5.exe is itself not infected, but Sophos will not let me OK the file and let it out of quarantine.

If Sophos is going to blacklist every good program some idiot includes in a malware kit, then Sophos is going to become useless.

At least let me "authorize" it.

Help!

Steve

  • Hello Steve,

    although the article for Mal/EncPk-NS doesn't tell you you should send a sample (please see also do it). I did this for several false positives.

    BTW: I heard the upcoming release will have improvements in this area.

    HTH

    Christian

  • Hi Steve,

    Exactly as Christian mentioned you will need to send a sample of this file to the Labs here at Sophos. They will then be able to double-check the file is clean and release an IDE to fix the detection for it.

    The IDE will then be downloaded via the normal update mechanisms and resolve the detection issue on any/all of your machines.

    I recommend using the form:

    https://secure.sophos.com/support/samples

    You may find that the file gets blocked when trying to upload it, in which case you will need to disable your on-access scanner while you do so.

    Regards,

    Andy

    Sophos Technical Support

    P.S. Items detected as a PUA (Potentially Unwanted Application), SUS or HIPS are the only ones that can be authorised.

    I've submitted the file to Sophos, but I think it had already been removed from your scans.

    A VirusTotal.com report as of 4 March 2010 showed Sophos and Comodo and Rising as the only 3 of 42 Antivirus engines that thought this md5 utility is a virus. I had VirusTotal rescan the file and now only Comodo (with an old virus database) has it on its list. Everyone else (including Sophos) has it as benign.

    Now how do I get my file out of quarantine?

    I used the "right click scan" to have Sophos re-scan the md5.exe file, but it's still in the quarantine list (the scan comes back clean now). 

    There doesn't seem to be any way to authorize or otherwise get a file out of quarantine.  What are we supposed to do when Sophos makes a mistake like this and quarantines something but then realizes the file is OK?

    Why doesn't a re-scan of the file Sophos is complaining about "set it free" and remove the quarantine status?

    The one thing I have NOT done is to tell the Quarantine to "clean up" the file.  Usually "clean up" means delete / move to secure location where I'll never see it again. 

    If I hit "clean up" on its name in quarantine, will that remove it from the list without affecting the file itself (now that Sophos has figured out it's an OK file)?

    Thanks for the prompt replies and helpful information.  But I'm still stuck with a "good" file on the quarantine list.

    I'm still figuring out how to get along with Sophos.  I'm glad we switched from Symantec, and I'm not that concerned with this one file, but I want to know what to do if some part of a vertical market application has several files get quarantined on each of 50 machines. I want to know how I'll clean up the mess because it will happen sooner or later.

    Steve

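The check Steve describes above (confirming that the flagged md5.exe is the same clean binary he expected, then watching the multi-engine verdicts change between scans) can be done in a repeatable way. The script below is an added example, not code from the thread or from Sophos: it streams a file through SHA-256 and MD5, compares the result with a known-good manifest, and summarises two rounds of scanner verdicts. The manifest entry, the sample file contents and the engine verdict tables are constructed for illustration; replace them with the vendor's published hash and real scan results.

```python
import hashlib
import os
import tempfile

# Constructed known-good manifest: filename -> SHA-256 a vendor might publish
# for the clean build. The digest below is simply SHA-256 of the bytes b"abc",
# which is what demo() writes to a temporary file.
KNOWN_GOOD = {
    "md5.exe": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def hash_bytes(data):
    """Return MD5 and SHA-256 hex digests of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path, chunk_size=1 << 16):
    """Stream a file through MD5 and SHA-256 so large binaries need not be read at once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_against_manifest(path, manifest=KNOWN_GOOD):
    """Compare a file's SHA-256 with the manifest entry for its basename.

    Returns (matches, actual_sha256, expected_sha256); expected is None when
    the manifest has no entry, which is treated as 'not verified'.
    """
    expected = manifest.get(os.path.basename(path))
    actual = hash_file(path)["sha256"]
    return (expected is not None and actual == expected, actual, expected)


def summarise_verdicts(verdicts):
    """Given engine -> detection name (or None for clean), return (flagged, total, names)."""
    flagged = {engine: name for engine, name in verdicts.items() if name}
    return (len(flagged), len(verdicts), flagged)


def detections_dropped(before, after):
    """Engines that flagged the file in the first scan but not in the rescan."""
    return {e for e, name in before.items() if name and not after.get(e)}


def demo():
    """Write a constructed sample file, verify it, and compare two constructed scan rounds."""
    tmpdir = tempfile.mkdtemp()
    sample = os.path.join(tmpdir, "md5.exe")  # constructed stand-in, not a real binary
    with open(sample, "wb") as f:
        f.write(b"abc")
    ok, actual, expected = verify_against_manifest(sample)

    # Constructed verdict tables mirroring the thread's description: three engines
    # flagged the file at first, one still did after the rescan. Engine names are
    # illustrative only.
    first_scan = {"EngineA": "Mal/EncPk-NS", "EngineB": "Packed.Generic", "EngineC": "Suspicious"}
    first_scan.update({"Engine%02d" % i: None for i in range(39)})  # 42 engines in total
    rescan = dict(first_scan)
    rescan["EngineA"] = None
    rescan["EngineC"] = None

    flagged_first, total, _ = summarise_verdicts(first_scan)
    flagged_rescan, _, _ = summarise_verdicts(rescan)
    return {
        "verified": ok,
        "sha256": actual,
        "expected": expected,
        "first_ratio": (flagged_first, total),
        "rescan_ratio": (flagged_rescan, total),
        "dropped": sorted(detections_dropped(first_scan, rescan)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The manifest match answers "is this the file I think it is"; the verdict summary only shows how scanner opinions moved between rounds, so a file that is unknown to the manifest should be treated as unverified regardless of how many engines call it clean.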
  • Hi Steve,

    The fix for that sample was published in:

    fake-aye.ide
    Tue, 09 Mar 2010 18:08:59

    Once your machines have updated with this IDE the item will be automatically removed from the quarantine manager. If for some reason it's not, please use the 'clear from list' option within the quarantine manager.

    Regards,

    Andy

    Sophos Technical Support

  • I've waited for a couple of nightly scans / cycles to go by and the file is still on the quarantine list, but not apparently "in quarantine" since I can execute and copy the file, etc. and Sophos doesn't complain or stop me.

    Since md5.exe is still showing up in the quarantine list, I was interested in the "Clear from list" option you mentioned, but on our 7.6.17 version, the only option in my list is "Clean Up" which I think does a lot more than remove it from the list. I think that moves the file to quarantine and deletes it from its current location _and_ removes it from the list.

    Is the "clear from list" an option that needs to be enabled from the Enterprise Administrator Console? I took a quick look around in the console and didn't see any such option, but I didn't set Sophos up here and am not that familiar with where to look, etc.

    Again, I'm not as concerned about this one file, but I'm more concerned about getting a false positive on some vertical market application or utility that we have on 50 to 100 computers that suddenly has a few files get flagged and quarantined by Sophos.  The first problem is we're pretty much screwed while that false positive remains uncorrected by Sophos, but that's a separate issue (the problem to me is that this is an uninfected program, it should never have been flagged).

    The other problem is what I'm trying to use this md5.exe file as an example to figure out. 

    If I hit the "Clean Up" button on my computer only one file (md5.exe) goes away that I've got a backup for so that's not a big problem. 

    The problem I'm concerned about is if this happens on 50+ computers I've got a bigger problem. I'm looking for a way to fix this problem without it turning into a big chore.

    Is this something that I should be trying to fix from the Enterprise Console?  Is the "Clear from list" option there? 

    Is there a way to "clear" a false positive _before_ Sophos corrects the virus signature files?  I.E. Can I override the signature file for a particular file from the console, or am I just out of luck until Sophos updates the signature file?

    Thanks.

    Steve

  • Hi Steve,

    You should note that the quarantine manager in Sophos is not a physical place, it is more a list of items that have been found. In SAV7 this list is not dynamic, in SAV9 it's much smarter, SAV9.5 (currently in beta - see our website for more details) can do remote lookups to Sophos to double-check file status and, as per your example, automatically remove detection in the event of a false-pos.

    The "clear from list" option is in the quarantine manager, below the items detected, next to the select all/deselect all buttons. In your EM Console you can clear the items by acknowledging them, again in SAV9 this is considerably easier due to the better synchronisation between the two.

    Files that are submitted to the labs are often added to our huge database of files for future false-pos testing.

    Regards,

    Andy

    P.S.

    It is free to upgrade to EM Console 4 and SAV9 if you have an active licence.
