
PUA detected: 'SpiGot'

Hi

We have received multiple PUA alerts on 100 to 150 machines. The detected files are basically JavaScript files, for example after.js and background.js.

Please find an example: PUA detected: 'SpiGot' at 'C:\Users\k113899\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\lbpcfgdgiemlcaggjhjcinhblflmgdlj\2.2_0\after.js'

These detections came in outside business hours, and today we might see more users with the same alert.

So my question is: was this alert triggered from the Sophos end?

  • Hello Amit Thakur,

    with 100 to 150 machines you're likely not referring to a Free Tool, are you?

    Anyway, you can see from the analysis that the detection was updated on September 29th; it could be gung-ho or it could be right. The path suggests it's loaded as an extension in Chrome. As it's classified as a Potentially Unwanted Application, it's up to you to decide whether it's actually unwanted or not.

    Christian

  • No, I'm not referring to a Free Tool here.

    But we also simply can't ignore the alert, as it comes under the Adware category. After the scheduled scan we can still see the PUA alert.

    Apart from clearing it, let us know what else we can do to find out how it appeared so suddenly on more than 100 machines, or any suggestions on how to proceed regarding this PUA.

    Thanks

  • Hello Amit Thakur,

    [disclaimer: I'm not Sophos]
    how it came so sudden
    As said, the detection was amended over the weekend and might now be more "sensitive", triggering on items that were already on the machines for some time but not previously considered as belonging to SpiGot. Or some extension (the one with 2.2_0) evolved (i.e. perhaps updated itself), now resembles SpiGot, and the updated detection is in response to this change.

    Christian

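Christian's two hypotheses (a broadened definition firing on files that were already present, or an extension that updated itself into something SpiGot-like) can both be checked from the endpoints rather than from the detection alone. The script below is an added example, not code from the thread or from Sophos: run as an administrator on one of the affected machines, it inventories every Chrome extension under every local user profile, records the version folder's creation time (which dates an update of that extension), hashes after.js so it can be compared against the VirusTotal entry mentioned later in the thread, and flags the two extension IDs quoted in this thread. The output file name and the column names are this example's own choices.

```powershell
# Added example (not from the thread): inventory Chrome extensions across all local
# user profiles and flag the extension IDs quoted in the posts above.
# Needs read access to every user's AppData, so run from an elevated PowerShell.

$SuspectIds = @(
    'lbpcfgdgiemlcaggjhjcinhblflmgdlj',  # ID in the path of the original PUA detection
    'peegdljcadadeiekblkbdgipoemgkkmi'   # "Login Email Now", reported by another poster
)

$results = foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory) {
    $chromeData = Join-Path $userDir.FullName 'AppData\Local\Google\Chrome\User Data'
    if (-not (Test-Path $chromeData)) { continue }

    # Chrome profile folders are "Default", "Profile 1", "Profile 2", ...
    $profiles = Get-ChildItem -Path $chromeData -Directory |
        Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }

    foreach ($profile in $profiles) {
        $extRoot = Join-Path $profile.FullName 'Extensions'
        if (-not (Test-Path $extRoot)) { continue }

        foreach ($extDir in Get-ChildItem -Path $extRoot -Directory) {
            # Each extension ID folder holds one or more version folders, e.g. 2.2_0.
            foreach ($verDir in Get-ChildItem -Path $extDir.FullName -Directory) {
                $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                $name = $null; $updateUrl = $null
                if (Test-Path $manifestPath) {
                    try {
                        $m = Get-Content -Path $manifestPath -Raw | ConvertFrom-Json
                        $name = $m.name            # may be a __MSG_...__ locale key
                        $updateUrl = $m.update_url # Web Store extensions point at Google
                    } catch { $name = '<unreadable manifest>' }
                }

                # Hash the file Sophos named so it can be compared with the VirusTotal entry.
                $afterJs = Join-Path $verDir.FullName 'after.js'
                $afterHash = $null
                if (Test-Path $afterJs) {
                    $afterHash = (Get-FileHash -Path $afterJs -Algorithm SHA256).Hash
                }

                [pscustomobject]@{
                    User          = $userDir.Name
                    Profile       = $profile.Name
                    ExtensionId   = $extDir.Name
                    Version       = $verDir.Name
                    Name          = $name
                    UpdateUrl     = $updateUrl
                    VersionAdded  = $verDir.CreationTime   # when this version landed on disk
                    HasAfterJs    = Test-Path $afterJs
                    HasBgJs       = Test-Path (Join-Path $verDir.FullName 'background.js')
                    AfterJsSha256 = $afterHash
                    Suspect       = $SuspectIds -contains $extDir.Name
                }
            }
        }
    }
}

# Suspect entries first, then everything else, for a quick look; full inventory to CSV
# so the per-machine files can be merged and compared across the fleet.
$results | Sort-Object Suspect -Descending | Format-Table -AutoSize
$results | Export-Csv -Path "$env:COMPUTERNAME-chrome-extensions.csv" -NoTypeInformation
```

If the VersionAdded timestamps for the flagged ID cluster on the weekend the alerts started, the extension updated itself and the detection followed the change; if they are weeks or months old, the files were already there and the definition update is what changed. A Name of the form `__MSG_something__` is a localisation key rather than the display name; the real string is in the extension's `_locales` folder. Merging the CSVs from a sample of the 150 affected machines against a sample of unaffected ones is the quickest way to answer the "why only these machines" question raised later in the thread.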
  • Hi Amit Thakur,

    Could you tell me which Sophos product you are using?

    As already mentioned, there was a new definition update pushed on 29th Sep for a similar/same file (you can verify the file from the VirusTotal link). This new definition classifies the file as PUA, which could have resulted in multiple detections across the endpoints. Sophos Clean should have been able to clear it.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • I started getting these alerts over the weekend as well. So far, I have determined at least some of them to be caused by an "Email Login Now" extension in Chrome.

    https://chrome.google.com/webstore/detail/login-email-now/peegdljcadadeiekblkbdgipoemgkkmi

    The extension is not needed, so we have opted to let Sophos remove it.

  • Hi,

    We are using:

    Endpoint Advanced Protection

    Intercept X

    When checked manually, the file was not there on the user's machine. Could you provide more detailed information on the new definition released, and for which product?

  • Hello Amit Thakur,

    [I'm not Sophos]
    more detailed info
    what kind of details would you need? As it is a PUA detection, it has been made by the Endpoint component. PUA detections aim to identify a certain application by specific distinct characteristics; the details would be too technical to be of use. The same definitions are used for all products.

    not there on user's machine
    What happened after the detection depends on the type of scan: PUAs can be removed by scheduled scans, whereas On-Access scanning only blocks them. The machine's Anti-Virus log (SAV.txt) should tell you what action was performed.

    Christian

  • Hi Amit Thakur,

    I would suggest you open a case with our support for further details on the definition that was updated, and to confirm whether the new definitions caused these detections.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support


  • Seeing the exact same behavior; it seems to have begun yesterday.

  • Hi Mani,

    1. If updates pushed from the Sophos end caused this alert, why is it not appearing in other environments where we are using Sophos, and why are the alerts still limited in number? We are supporting 7000+ machines in the client environment, but only 150 machines showed this PUA. So did the next update from Sophos stop this adware from spreading? If yes, then how do the updates work in Sophos?

    2. If the updates have been pushed, will they differ between Intercept X for Servers and for Windows?

    3. Do we have any article from Sophos stating that the PUA alert 'SpiGot' is a false positive?

    Kindly help me find the answers to the above queries.

    Thanks