File detected as malicious after weeks

Hi all,

Just wondering if anyone can give me some info on what might have happened here:

Two users download a .zip email attachment, browse contents and decide that since it is an unexpected attachment from an unknown email, they will just ignore it.
The file remains in the Downloads folder of there devices for nearly 2 weeks until one day Sophos decides it is malicious and alerts us to it.
The malware was detected, so I triggered a scan of the devices and spoke to the users about the file.
On the first device it took 57 minutes for the malware to be cleaned up by Sophos and on the second device it took 1 hour and 50 minutes! During this time the file remained accessible in the Downloads folder

My main concerns are:

  1. Why might the file have been on the devices for so long without being detected as malware and what could have made Sophos suddenly decide it was malicious?
  2. Why did it take so long for Sophos to clean up the malware and should it not have quarantined the file until it was cleaned up?
  • This question gets into a lot of things. One of the fundamental elements of the Sophos Endpoint protection suite is the idea of Defence in Depth. In other words, there are multiple filters (or sieves) where we detect and block malicious software/action. 

    If you have on-access scanning enabled in your policy, then the primary sieve is when someone goes to action it - in this case it would be extraction of the archive file. The scanner would intercept, scan, and make a determination of what to do. 

    We also have a background scanner that walks the machine (as a lower priority process) to scan things as they are written or on a scheduled scan basis. 

    This structure is to allow for a balance between security posture and endpoint performance.

    Now, into the specifics of when this particular file wasn't detected until X time - I can't really answer that without logs from the machine. However, if you have the on-access scanner turned on then I would stipulate that you don't really need to worry about it since the files weren't executed they were never an active threat to the system. If they had been, the scanner would have intercepted and blocked. If you don't have on-access enabled - turn it on!

    Does that answer your questions? 


    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.