
Malware cleaned up: 'ML/PE-A' - Central Event Details link shows Status = Whitelisted

A colleague downloaded an msi from TechNet yesterday - ConfigMgr Task Sequence Monitor. This appears to be a System Center tool. During install it triggered a Sophos detection and cleanup event in Central:

Malware cleaned up: 'ML/PE-A' at 'C:\Program Files (x86)\SMSAgent\ConfigMgr Task Sequence Monitor\ConfigMgr_TS_Monitor.exe'
Malware detected: 'ML/PE-A' at 'C:\Program Files (x86)\SMSAgent\ConfigMgr Task Sequence Monitor\ConfigMgr_TS_Monitor.exe'

If I click the Details link next to the "Cleaned Up" event in Central, it pops up a GUI that shows the Status of this executable as "Whitelisted". I haven't whitelisted this EXE, and a check of my allowed applications in Central confirms this. Is the Whitelisted status false, or has Sophos added this EXE to their Global Allowed Applications list? How can I tell?

If I run the EXE through VirusTotal it comes back as clean for SophosAV & SophosML, but 13 other engines see this as malicious! Is the SophosML engine on VirusTotal a good place to test files like this after the event is logged in Central?

The SHA-256 is a21713eb0eed0f06c9025baf69b18cecbd53cd81b94982948b800a0bbf942fff

The EXE file hasn't been removed and is still showing in the directory on the client.



  • H Gowtham,
    Thanks for the info, it's reassuring to know that this was a false positive.

    However, I don't understand the sequence of these alerts; maybe you can help? It seems the Detection & Cleanup alerts were triggered before the Sophos-maintained Global allowed list was consulted. The user also confirms seeing alerts on the workstation itself when the EXE was originally run. Shouldn't the Allowed Applications list (local and Global) be consulted before these alerts trigger?

