
Uninfected md5.exe quarantined by Sophos

Sophos Anti-Virus 7.6.17 installed here at work has quarantined my md5.exe utility as being part of something called Mal/EncPk-NS.

I'm glad we got rid of Norton for Sophos, but if Sophos is so sloppy you brand every utility someone uses in their malware / virus kit as a program that needs to be quarantined, then something is wrong at Sophos.

I've verified that the md5.exe is itself not infected, but Sophos will not let me OK the file and let it out of quarantine.

If Sophos is going to blacklist every good program some idiot includes in a malware kit, then Sophos is going to become useless.

At least let me "authorize" it.

  • I've waited for a couple of nightly scans / cycles to go by and the file is still on the quarantine list, but not apparently "in quarantine" since I can execute and copy the file, etc. and Sophos doesn't complain or stop me.

    Since md5.exe is still showing up in the quarantine list, I was interested in the "Clear from list" option you mentioned, but on our 7.6.17 version, the only option in my list is "Clean Up", which I think does a lot more than remove it from the list. I think that moves the file to quarantine and deletes it from its current location _and_ removes it from the list.

    Is the "clear from list" an option that needs to be enabled from the Enterprise Administrator Console? I took a quick look around in the console and didn't see any such option, but I didn't set Sophos up here and am not that familiar with where to look, etc.

    Again, I'm not as concerned about this one file, but I'm more concerned about getting a false positive on some vertical market application or utility that we have on 50 to 100 computers that suddenly has a few files get flagged and quarantined by Sophos.  The first problem is we're pretty much screwed while that false positive remains uncorrected by Sophos, but that's a separate issue (the problem to me is that this is an uninfected program, it should never have been flagged).

    The other problem is what I'm trying to use this md5.exe file as an example to figure out. 

    If I hit the "Clean Up" button on my computer only one file (md5.exe) goes away that I've got a backup for so that's not a big problem. 

    The problem I'm concerned about is if this happens on 50+ computers I've got a bigger problem. I'm looking for a way to fix this problem without it turning into a big chore.

    Is this something that I should be trying to fix from the Enterprise Console?  Is the "Clear from list" option there? 

    Is there a way to "clear" a false positive _before_ Sophos corrects the virus signature files? I.e., can I override the signature file for a particular file from the console, or am I just out of luck until Sophos updates the signature file?
