
infected shadow copy on domain controller

I have Sophos Endpoint Protection with Intercept X, and I got an email saying that I have an infected pagefile.sys in volume shadow copies 4 and 5 (there might be another one I forgot).

Path: \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\pagefile.sys

What was detected: Troj/Badsrc-M

User associated with device: n/a

How severe it is: High

What Sophos has done so far: We attempted to clean up (unless the threat is on a Linux computer).

What you need to do: In the Sophos Central Admin console, go to the Alerts page and find the threat alert. Click on the threat name to see details and cleanup advice on the Sophos website. Then go to the affected computer and clean up the threat manually.

Path: \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\pagefile.sys

What was detected: Troj/Badsrc-M

User associated with device: n/a

How severe it is: High

What Sophos has done so far: We attempted to clean up (unless the threat is on a Linux computer).

What you need to do: In the Sophos Central Admin console, go to the Alerts page and find the threat alert. Click on the threat name to see details and cleanup advice on the Sophos website. Then go to the affected computer and clean up the threat manually.

I checked by right-clicking C:\ > Configure Shadow Copies; however, they are disabled.

I also found a command on the internet to delete them; however, it didn't find anything.

I also tried clearing the page file at shutdown.

Any ideas?
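The alert paths name a VSS device object (HarddiskVolumeShadowCopy4 and 5) rather than a drive letter, and the "Configure Shadow Copies" dialog only reflects the per-volume schedule, so copies created by backup software or System Restore can still exist while the schedule shows "disabled". The following PowerShell script is an added example (it is not from the original post and is not Sophos code) that inventories every shadow copy on the machine through the Win32_ShadowCopy and Win32_Volume CIM classes, maps the device path from the alert back to a shadow ID, source volume and creation time, and optionally removes that one copy with the documented vssadmin delete shadows /Shadow={GUID} command. It assumes an elevated PowerShell session on the affected server; the parameter names and the -Delete switch are this example's own.

```powershell
# Added example (not from the original post or from Sophos): enumerate every
# VSS shadow copy, map the DeviceObject path quoted in the alert
# (e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5) to its shadow ID,
# source volume and creation time, and optionally delete that copy by ID.
# Run from an elevated PowerShell session on the affected server.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Device path copied from the alert, without the trailing \pagefile.sys part.
    [string]$DeviceObject,
    # Delete the matched shadow copy instead of only reporting it.
    [switch]$Delete
)

# Win32_Volume.DeviceID uses the same \\?\Volume{GUID}\ form as
# Win32_ShadowCopy.VolumeName, so it gives us the drive letter for each copy.
$volumes = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
    $volumes[$_.DeviceID] = $_.DriveLetter
}

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
    [pscustomobject]@{
        Id           = $_.ID
        DeviceObject = $_.DeviceObject
        Volume       = $volumes[$_.VolumeName]
        Created      = $_.InstallDate
        Persistent   = $_.Persistent
        Provider     = $_.ProviderID
    }
}

if (-not $shadows) {
    Write-Host 'No shadow copies are currently present on this machine.'
    return
}

# Always show the full inventory, regardless of what the GUI schedule says.
$shadows | Sort-Object Created | Format-Table -AutoSize

if ($DeviceObject) {
    # Normalise the \\.\GLOBALROOT and \\?\GLOBALROOT spellings before comparing.
    $wanted = $DeviceObject -replace '^\\\\[.?]\\', '' -replace '\\$', ''
    $match = $shadows | Where-Object {
        ($_.DeviceObject -replace '^\\\\[.?]\\', '' -replace '\\$', '') -ieq $wanted
    }
    if (-not $match) {
        Write-Warning "No shadow copy currently exposes $DeviceObject; it may already be gone."
        return
    }
    Write-Host "Matched shadow copy $($match.Id) on $($match.Volume) created $($match.Created)"
    if ($Delete -and $PSCmdlet.ShouldProcess($match.Id, 'Delete shadow copy')) {
        # vssadmin delete shadows /Shadow={GUID} removes exactly this copy.
        & vssadmin.exe delete shadows "/Shadow=$($match.Id)" /Quiet
    }
}
```

Usage: run the script with no parameters first to see the inventory; then pass the alert path, for example `-DeviceObject '\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy5'`, and add `-Delete -WhatIf` to preview before committing to `-Delete`. Because a shadow copy is a frozen snapshot, a detection inside one reflects the state of the page file at snapshot time; a copy whose device object no longer appears in the inventory has already been released, which is consistent with a delete command reporting nothing to remove.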
