
PUA detected: 'SpiGot'

Hi

We have received multiple PUAs on 100 to 150 machines. The detected files are basically JavaScript files, for example after.js and background.js.

Please find the example: PUA detected: 'SpiGot' at 'C:\Users\k113899\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\lbpcfgdgiemlcaggjhjcinhblflmgdlj\2.2_0\after.js'

These detections came in outside business hours, and today we might see more users with the same alert.

So my question is: was this alert triggered from Sophos' end?

  • Hello Amit Thakur,

    with 100 to 150 machines you're likely not referring to a Free Tool, are you?

    Anyway, you can see from the analysis that the detection has been updated on September 29th; it could be gung-ho or it could be right. The path suggests it's loaded as an extension in Chrome. As it's classified as a Potentially Unwanted Application, it's up to you to decide whether it's actually unwanted or not.

    Christian

  • No, I'm not referring to a Free Tool here.

    But we also simply can't ignore the alert, as it comes under the Adware category. After the scheduled scan we can still see the PUA alert.

    Let us know, apart from clearing it, what else we can do to find out how it appeared so suddenly on more than 100 machines, or if there are any suggestions on how to proceed regarding this PUA.

    Thanks

  • Hello Amit Thakur,

    [disclaimer: I'm not Sophos]
    "how it came so sudden"
    As said, the detection has been amended over the weekend and might now be more "sensitive" and trigger on items that were already on the machines for some time but were not considered as belonging to SpiGot. Or some extension (the one with 2.2_0) evolved (i.e. perhaps updated itself), now resembles SpiGot, and the updated detection is in response to this change.

    Christian

  • I started getting these alerts over the weekend as well. So far, I have determined at least some of them to be caused by an "Email Login Now" extension in Chrome.

    https://chrome.google.com/webstore/detail/login-email-now/peegdljcadadeiekblkbdgipoemgkkmi

    The extension is not needed, so we have opted to let Sophos remove it.

  • This SpiGot after.js seems to be an epidemic as users upgrade to the new Chrome v69.x. Hard to believe so many extensions in the official Google extension library are infected. Are we sure this isn't a false warning?

    And no, we're not using the Free Tool - Sophos Endpoint w/ Intercept and Central.

    Found this thread via Google search. Need some answers from Sophos!

    The folder/files go away easily enough when you remove the extension in Chrome (Settings --> Extensions), but it's a pain for an overworked admin to respond to all these dang warnings!
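As an added example (not part of this thread and not Sophos code), here is a small Python script that answers the "how do we find out which extension this is" question from the posts above: it walks a Chrome "User Data" directory, lists every <Profile>\Extensions\<id>\<version> folder with the display name from its manifest.json, and reports which of the file names from the alert are present. It assumes only the standard Chrome profile layout shown in the alert path. For an offline run it builds a constructed directory tree in a temp folder, reusing the extension ID lbpcfgdgiemlcaggjhjcinhblflmgdlj and version folder 2.2_0 from the quoted alert plus a made-up benign extension; the file contents and names are placeholders, not the real extension. By default only after.js is flagged, because background.js is the conventional name for an extension's background script and would match nearly every extension installed.

```python
"""Inventory Chrome extensions under a 'User Data' directory and report which
ones contain files named in a PUA alert. Added example; not Sophos code."""
import json
import re
import tempfile
from pathlib import Path

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")


def read_manifest_name(manifest_path):
    """Best-effort display name from manifest.json (localized names show up as
    __MSG_xxx__ tokens); returns None when the file is missing or unreadable."""
    try:
        data = json.loads(Path(manifest_path).read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return None
    return data.get("name")


def inventory_extensions(user_data_dir, flag_names=("after.js",)):
    """Return one record per <Profile>/Extensions/<id>/<version>/ directory.

    Each record holds the profile folder, extension ID, version folder, manifest
    name, and the sorted list of flagged file names found anywhere under the
    version folder (compared case-insensitively, as Windows paths are)."""
    wanted = {n.lower() for n in flag_names}
    records = []
    for profile in sorted(Path(user_data_dir).iterdir()):
        ext_root = profile / "Extensions"
        if not ext_root.is_dir():
            continue  # top-level files such as 'Local State', or profiles without extensions
        for ext_dir in sorted(ext_root.iterdir()):
            if not (ext_dir.is_dir() and EXT_ID_RE.match(ext_dir.name)):
                continue  # Chrome keeps a few non-extension folders here too
            for ver_dir in sorted(ext_dir.iterdir()):
                if not ver_dir.is_dir():
                    continue
                present = {p.name.lower() for p in ver_dir.rglob("*") if p.is_file()}
                records.append({
                    "profile": profile.name,
                    "id": ext_dir.name,
                    "version": ver_dir.name,
                    "name": read_manifest_name(ver_dir / "manifest.json"),
                    "flagged": sorted(present & wanted),
                })
    return records


def build_sample_user_data(root):
    """Create a constructed 'User Data' tree shaped like the alert path in the thread."""
    root = Path(root)
    # Extension ID and version folder copied from the quoted alert; contents are placeholders.
    hit = root / "Profile 2" / "Extensions" / "lbpcfgdgiemlcaggjhjcinhblflmgdlj" / "2.2_0"
    hit.mkdir(parents=True)
    (hit / "manifest.json").write_text(json.dumps({"name": "Sample extension (constructed)", "version": "2.2"}))
    (hit / "after.js").write_text("// constructed placeholder, not the real file\n")
    # A constructed, unrelated extension with no flagged files.
    clean = root / "Default" / "Extensions" / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0_0"
    clean.mkdir(parents=True)
    (clean / "manifest.json").write_text(json.dumps({"name": "Benign sample (constructed)", "version": "1.0"}))
    (clean / "background.js").write_text("// constructed placeholder\n")
    (root / "Local State").write_text("{}")  # top-level file that must be skipped
    return root


def demo():
    """Build the constructed tree in a temp dir; return (flagged records, total scanned)."""
    with tempfile.TemporaryDirectory() as tmp:
        records = inventory_extensions(build_sample_user_data(tmp))
        return [r for r in records if r["flagged"]], len(records)


if __name__ == "__main__":
    flagged, total = demo()
    print(f"{total} extension version folders scanned, {len(flagged)} flagged")
    for r in flagged:
        print(f"{r['profile']}\\Extensions\\{r['id']}\\{r['version']}  {r['name']!r}  {r['flagged']}")
```

On a real machine, point inventory_extensions at C:\Users\<user>\AppData\Local\Google\Chrome\User Data and compare the extension IDs it reports against the Web Store listing; as Christian notes above, a PUA classification leaves the keep-or-remove decision with you, and the manifest name plus ID is what you need to make it per extension rather than per alert.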