This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

PUA detected: 'SpiGot'

Hi

We have received multiple PUA's on 100 to 150 machines. The detected files are basically java script examples : after.js and background.js

please find the example : PUA detected: 'SpiGot' at 'C:\Users\k113899\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\lbpcfgdgiemlcaggjhjcinhblflmgdlj\2.2_0\after.js'

 

These detection's came in off business hours and today we might see more users with the same alert. 

 

So my question is did this alert triggered from Sophos end ?

 



This thread was automatically locked due to age.
Parents
  • Hi Amit Thakur,

    Could you help me with the Sophos product that you are using?

    As already mentioned, there was a new definition update pushed on 29th Sep for a similar/same file (You can verify the file from the VirusTotal link). This new definition classifies the file as PUA, which could have resulted in multiple detections over the endpoints. Sophos Clean should have been able to clear it

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • HI Mani,

     

    1. If suppose any updates are being pushed from Sophos end that caused this alert so why not it is coming in other environment where we are using Sophos or why still the alerts are with limited numbers because we are supporting 7000+ machines in client environment but only 150 machines showed this PUA. So did the next update from Sophos have stopped this adware from spreading. if yes than how the updates work in Sophos?

    2. If the updates have been pushed will it going to differ for both Intercept X for servers & Windows?

    3. Do we have any article stating from Sophos that the PUA alert 'SpiGot' is a false positive?

     

    Kindly, help me here to find the answers for the above queries

    Thanks

  • Hi Amit Thakur,

    We have not yet concluded if these detections are caused by the latest Definitions (It is just one of the possibilities). Also, even if the definitions are causing the detections unless all the clients have the exact same file (With Same Hash) we necessarily not see the detection on all the endpoints.

    The level of protection will be the same for Server and endpoints, the definitions should detect the threats irrespective of the server or client.

    As mentioned earlier it would be better if have a support ticket open to investigating it. If you believe it could be a false positive, we can have it investigated.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Hello participants,

    please note:
    If you believe it could be a false positive
    a sample of the file(s) that triggered a supposedly incorrect detection is required - names, paths, number and time of incidents are not sufficient.

    Christian

  • I submitted the sample to Sophos and waiting for response. This could be false positive as even we see lot of deetctions from two days.

  • Please do let me know what Sophos have to say about the file

  • Hello Amit Thakur,

    the file
    that Ravi Chandra sent in (assuming the files are identical on all endpoints) isn't necessarily the one (same assumption) that has been found on your endpoints. Whatever Sophos has to say might or it might not apply to your situation.

    Christian

  • I have many PC's also detecting this it is either coming from after.js or background.js

    AppData\Local\Google\Chrome\User Data\Default\Extensions\dhleoaffpledanfnonifcgfgabmkgepp\2.1_0\after.js

    AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\dchmajdpafbhfjocfoofjlglgpbolalj\2.0_0\background.js

Reply
  • I have many PC's also detecting this it is either coming from after.js or background.js

    AppData\Local\Google\Chrome\User Data\Default\Extensions\dhleoaffpledanfnonifcgfgabmkgepp\2.1_0\after.js

    AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\dchmajdpafbhfjocfoofjlglgpbolalj\2.0_0\background.js

Children
No Data