Advisory: Sophos Endpoint "Your connection isn't private" after reboot. Policy settings can be returned to normal. See: KB-000045954 for the latest updates.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Metasploit downloaded and installed - nothing from Sophos endpoint

An admin downloaded and installed metasploit framework on a Linux Server with Intercept-X installed.

Nothing happened from the Sophos side.

I expected it to detect and alert at least a PUA we then need to whitelist.

As a further test I did a download of metasploit framework for windows on a windows machine. Sophos Firewall did not detect any threat. Further I did not install metasploit but did the right click scan with Sophos EP.

Nothing happened again.

I think it's strange that you allow a tool that can pentest your internal network without any notice.

Linux Server:

Windows EP:



This thread was automatically locked due to age.
Parents
  • Metasploit should be an entry under Application Control category: "Network monitoring / Vulnerability tool". So you should be able to block it there.

    If the definition no longer detects the file, you can submit it via: FileSubmission (sophos.com) so the data is updated.

    At least on Windows, when running the Metasploit installer, it attempts to drop Eicar.com under "C:\metasploit\apps\pro\data\eicar\" as a way to check you have excluded the directory from real-time scanning. So that should be detected as a minimum unless you have excluded the install directory?

    If I install the version found here:
    Downloads by Version | Metasploit Documentation Penetration Testing Software, Pen Testing Security
    with only a real-time exclusion, if i scan the directory I get plenty of detections....

    C:\metasploit\apps\pro\data\eicar\eicar.com belongs to virus/spyware 'EICAR-AV-Test' 
    C:\metasploit\apps\pro\data\exe_templates\template_x86_windows.exe belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\data\meterpreter\ext_server_pivot.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\data\meterpreter\ext_server_pivot.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\data\exe_templates\pro\template_x86_windows.exe belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\ui\config\build\installer\eicar\eicar.com belongs to virus/spyware 'EICAR-AV-Test' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\eicar.com belongs to virus/spyware 'EICAR-AV-Test' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\vncdll.x64.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\vncdll.x86.dll belongs to virus/spyware 'Harmony Loader' 
    C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2008-5353.jar/msf/x/AppletX.class belongs to virus/spyware 'Troj/ClsLdr-Gen' 
    C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2008-5353.jar/msf/x/LoaderX.class belongs to virus/spyware 'Troj/ClsLdr-Gen' 
    C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2008-5353.jar/msf/x/PayloadX.class belongs to virus/spyware 'Mal/JavaKC-B' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2008-5499.swf belongs to virus/spyware 'Troj/ExpSWF-B' 
    C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2009-3867.jar/AppletX.class belongs to virus/spyware 'Troj/Clsldr-U' 
    C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2009-3869.jar/AppletX.class belongs to virus/spyware 'Mal/JavaKC-M' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2010-1297.swf belongs to virus/spyware 'Troj/SWFDlr-V' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2011-0609.swf belongs to virus/spyware 'Troj/SWFExp-CC' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2011-0611.swf belongs to virus/spyware 'Exp/20110611-A' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2011-2110.swf belongs to virus/spyware 'Troj/SWFDlr-AS' 
    C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2012-0507.jar/msf/x/Exploit.class belongs to virus/spyware 'Mal/Generic-S' 
    C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2012-0507.jar/msf/x/PayloadX.class belongs to virus/spyware 'Mal/JavaKC-B' 
    C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2012-0507.jar/msf/x/Help.class belongs to virus/spyware 'Mal/ExpJava-W' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2012-0754.swf belongs to virus/spyware 'Troj/ExpSWF-B' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2012-1723.jar belongs to virus/spyware 'Mal/ExpJava-N' 
    C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2012-1723.jar/cve1723/Attacker.class belongs to virus/spyware 'Mal/JavaGen-D' 
    C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2012-1723.jar/cve1723/ConfusingClassLoader.class belongs to virus/spyware 'Mal/JavaGen-D' 
    C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2012-1723.jar/cve1723/Confuser.class belongs to virus/spyware 'Troj/JavaDl-NZ' 
    C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2012-1723.jar/msf/x/PayloadX$StreamConnector.class belongs to virus/spyware 'Mal/JavaKC-H' 
    C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2012-1723.jar/msf/x/PayloadX.class belongs to virus/spyware 'Mal/JavaKC-B' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2014-1761.rtf belongs to virus/spyware 'Exp/20141761-A' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\evasion_shellcode.js belongs to virus/spyware 'Troj/JSInj-B' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\hta_evasion.hta belongs to virus/spyware 'ATK/MSFEva-A' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\post\bypassuac-x64.exe belongs to virus/spyware 'Mal/Generic-R' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\post\bypassuac-x86.dll belongs to virus/spyware 'Mal/Swrort-AO' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\post\SharpHound.exe belongs to virus/spyware 'BloodHoundAD' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_armle_darwin.bin belongs to virus/spyware 'OSX/GetShell-J' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_ppc_darwin.bin belongs to virus/spyware 'OSX/Swrort-AX' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_x64_darwin.bin belongs to virus/spyware 'OSX/Getshell-E' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_x64_windows.dll belongs to virus/spyware 'ATK/FatRat-J' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_x64_windows_dccw_gdiplus.dll belongs to virus/spyware 'Troj/Meter-F' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_x64_windows_mixed_mode.dll belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_x86_darwin.bin belongs to virus/spyware 'OSX/Getshell-BA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_x86_windows.dll belongs to virus/spyware 'ATK/FatRat-J' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_x86_windows_mixed_mode.dll belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_x86_windows_svc.exe belongs to virus/spyware 'Serv Inject' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\android\meterpreter.dex belongs to virus/spyware 'Android Metasploit' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\elevator.x64.debug.dll belongs to virus/spyware 'Troj/Meterpre-J' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\elevator.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\elevator.x86.debug.dll belongs to virus/spyware 'Troj/Meterpre-J' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\elevator.x86.dll belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_bofloader.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_bofloader.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_bofloader.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_bofloader.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_espia.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_espia.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_espia.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_espia.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_extapi.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_extapi.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_extapi.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_extapi.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_incognito.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_incognito.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_incognito.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_incognito.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_kiwi.x64.debug.dll belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_kiwi.x64.dll belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_kiwi.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_kiwi.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_lanattacks.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_lanattacks.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_lanattacks.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_lanattacks.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_peinjector.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_peinjector.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_peinjector.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_peinjector.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_powershell.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_powershell.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_powershell.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_powershell.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_priv.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_priv.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_priv.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_priv.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_python.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_python.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_python.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_python.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_sniffer.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_sniffer.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_stdapi.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_stdapi.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_stdapi.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_stdapi.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_unhook.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_unhook.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_unhook.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_unhook.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_winpmem.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_winpmem.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_winpmem.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_winpmem.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\meterpreter.py belongs to virus/spyware 'ATK/Meter-V' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\metsrv.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\metsrv.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\metsrv.x86.debug.dll belongs to virus/spyware 'Mal/Behav-010' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\metsrv.x86.dll belongs to virus/spyware 'Mal/Behav-010' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\screenshot.x64.debug.dll belongs to virus/spyware 'Troj/Meterpre-I' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\screenshot.x64.dll belongs to virus/spyware 'Troj/Meterpre-I' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\screenshot.x86.debug.dll belongs to virus/spyware 'Troj/Meterpre-I' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\screenshot.x86.dll belongs to virus/spyware 'Troj/Meterpre-I' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2010-0094\Exploit$1$1.class belongs to virus/spyware 'Mal/JavaKC-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2010-0094\Exploit$1.class belongs to virus/spyware 'Mal/JavaKC-F' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2010-0094\Exploit$2.class belongs to virus/spyware 'Mal/JavaImr-C' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2010-0094\Exploit.class belongs to virus/spyware 'Mal/JavaKC-P' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2010-0094\PayloadClassLoader.class belongs to virus/spyware 'Mal/JavaCL-C' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2010-0232\kitrap0d.x86.dll belongs to virus/spyware 'Mal/Swrort-L' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2010-0842\MixerMidiApplet.class belongs to virus/spyware 'Mal/JavaMid-D' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2010-4452\AppletX.class belongs to virus/spyware 'Mal/JavaCL-C' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2011-3544\Exploit.class belongs to virus/spyware 'Troj/JavaDl-FO' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2012-1535\Main.swf belongs to virus/spyware 'Exp/20121535-A' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2012-4681\Exploit.class belongs to virus/spyware 'Mal/JavaExpl-D' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2012-5076\Exploit.class belongs to virus/spyware 'Exp/20125076-A' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2013-0074\SilverApp1.dll belongs to virus/spyware 'Mal/Generic-R' 
    C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/cve-2013-0074/SilverApp1.xap/SilverApp1.dll belongs to virus/spyware 'Mal/Generic-R' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2013-0109\nvidia_nvsvc.x86.dll belongs to virus/spyware 'Mal/Swrort-L' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2013-1300\schlamperei.x86.dll belongs to virus/spyware 'Mal/Swrort-AO' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2013-2465\Exploit.class belongs to virus/spyware 'Exp/20132465-A' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2013-3660\ppr_flatten_rec.x86.dll belongs to virus/spyware 'Mal/Swrort-L' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2013-5045\CVE-2013-5045.dll belongs to virus/spyware 'Mal/Generic-R' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2013-5331\Exploit.swf belongs to virus/spyware 'Troj/ExpSWF-B' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-0257\CVE-2014-0257.dll belongs to virus/spyware 'Mal/Generic-R' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-0322\AsXploit.swf belongs to virus/spyware 'Troj/SWFExp-DB' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-0497\Vickers.swf belongs to virus/spyware 'Troj/SWFExp-CZ' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-0515\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-0556\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-0569\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-4113\cve-2014-4113.x64.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-4113\cve-2014-4113.x86.dll belongs to virus/spyware 'Mal/Swrort-L' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-8440\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-0016\cve-2015-0016.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-0311\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-0313\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-0336\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-0359\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-1701\cve-2015-1701.x64.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-1701\cve-2015-1701.x86.dll belongs to virus/spyware 'Mal/Swrort-L' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-2426\reflective_dll.x64.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-3090\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-3105\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-3113\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-3673\exploit.daplug belongs to virus/spyware 'OSX/20153673-A' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-5119\msf.swf belongs to virus/spyware 'Troj/SWFExp-LD' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2016-0040\CVE-2016-0040.x64.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2016-0051\cve-2016-0051.x86.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2016-0189\ieshell32.dll belongs to virus/spyware 'Troj/20160189-A' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2016-4655\exploit belongs to virus/spyware 'OSX/Swrort-AX' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2018-0824\UnmarshalPwn.exe belongs to virus/spyware 'Mal/Swrort-AO' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2018-4237\ssudo belongs to virus/spyware 'OSX/Lotoor-C' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2018-8440\ALPC-TaskSched-LPE.dll belongs to virus/spyware 'Mal/Swrort-AO' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2018-8453\CVE-2018-8453.exe belongs to virus/spyware 'Mal/Swrort-AO' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2018-8897\reflective_dll.x64.dll belongs to virus/spyware 'Mal/Swrort-AO' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2019-0808\exploit.dll belongs to virus/spyware 'Mal/Swrort-AO' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2019-1322\CVE-2019-1322-EXE.exe belongs to virus/spyware 'Mal/Swrort-AO' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2019-1458\exploit.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2020-0787\CVE-2020-0787.x64.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2020-0787\CVE-2020-0787.x86.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2020-0796\CVE-2020-0796.x64.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2020-1048\cve-2020-1048-exe.Win32.exe belongs to virus/spyware 'Mal/Swrort-AO' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2020-1048\cve-2020-1048-exe.x64.exe belongs to virus/spyware 'Mal/Swrort-AO' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2020-1054\exploit.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2020-1313\cve-2020-1313-exe.x64.exe belongs to virus/spyware 'Mal/Swrort-AO' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2020-17136\cloudFilterEOP.exe belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2021-21551\CVE-2021-21551.x64.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2021-40449\CVE-2021-40449.x64.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2022-21882\CVE-2022-21882.x64.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2022-26904\CVE-2022-26904.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2022-34918\ubuntu.elf belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\dell_protect\dell_protect.x64.dll belongs to virus/spyware 'Mal/Swrort-AO' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\drunkpotato\drunkpotato.x64.dll belongs to virus/spyware 'Mal/Swrort-AO' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\drunkpotato\drunkpotato.x86.dll belongs to virus/spyware 'Mal/Swrort-AO' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\juicypotato\juicypotato.x64.dll belongs to virus/spyware 'ATK/JPotato-B' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\juicypotato\juicypotato.x86.dll belongs to virus/spyware 'ATK/JPotato-B' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\ntapphelpcachecontrol\exploit.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\office_word_macro\vbaProject.bin belongs to virus/spyware 'ATK/FatRat-F' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\powershell\powerdump.ps1 belongs to virus/spyware 'ATK/Nishang-I' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\powershell\powerfun.ps1 belongs to virus/spyware 'ATK/PowerFun-A' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\rottenpotato\rottenpotato.x64.dll belongs to virus/spyware 'ATK/RPotato-A' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\rottenpotato\rottenpotato.x86.dll belongs to virus/spyware 'ATK/RPotato-A' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\tpwn\tpwn belongs to virus/spyware 'OSX/tpwn-A' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\uso_trigger\uso_trigger.x64.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\uso_trigger\uso_trigger.x86.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\post\execute-dotnet-assembly\HostingCLRx64.dll belongs to virus/spyware 'Harmony Loader' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\post\powershell\SharpHound.ps1 belongs to virus/spyware 'BloodHoundAD' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\android\apk\AndroidManifest.xml belongs to virus/spyware 'Andr/Bckdr-RXK' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\android\apk\classes.dex belongs to virus/spyware 'Andr/Bckdr-RXM' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\java\metasploit\Payload.class belongs to virus/spyware 'ATK/JMeter-A' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\aarch64-iphone-darwin\bin\mettle belongs to virus/spyware 'OSX/Swrort-AX' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\aarch64-iphone-darwin\bin\mettle.dylib belongs to virus/spyware 'OSX/Swrort-AX' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\aarch64-iphone-darwin\bin\mettle.sha1.dylib belongs to virus/spyware 'OSX/Swrort-AX' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\aarch64-iphone-darwin\bin\sniffer belongs to virus/spyware 'OSX/Swrort-AX' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\aarch64-linux-musl\bin\mettle belongs to virus/spyware 'Linux/Swrort-G' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\aarch64-linux-musl\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\arm-iphone-darwin\bin\mettle belongs to virus/spyware 'OSX/Swrort-AX' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\arm-iphone-darwin\bin\mettle.dylib belongs to virus/spyware 'OSX/Swrort-AX' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\arm-iphone-darwin\bin\mettle.sha1.dylib belongs to virus/spyware 'OSX/Swrort-AX' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\arm-iphone-darwin\bin\sniffer belongs to virus/spyware 'iPh/Swrort-BA' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\armv5b-linux-musleabi\bin\mettle belongs to virus/spyware 'Linux/Swrort-H' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\armv5b-linux-musleabi\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\armv5l-linux-musleabi\bin\mettle belongs to virus/spyware 'Linux/Swrort-H' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\armv5l-linux-musleabi\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\i486-linux-musl\bin\mettle belongs to virus/spyware 'Linux/Swrort-G' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\i486-linux-musl\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\i686-w64-mingw32\bin\mettle.exe belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\mips-linux-muslsf\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\mips64-linux-muslsf\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\mipsel-linux-muslsf\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\powerpc-e500v2-linux-musl\bin\mettle belongs to virus/spyware 'Linux/Swrort-G' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\powerpc-e500v2-linux-musl\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\powerpc-linux-muslsf\bin\mettle belongs to virus/spyware 'Linux/Swrort-G' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\powerpc-linux-muslsf\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\powerpc64le-linux-musl\bin\mettle belongs to virus/spyware 'Linux/Swrort-G' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\powerpc64le-linux-musl\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\s390x-linux-musl\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\x86_64-apple-darwin\bin\mettle belongs to virus/spyware 'OSX/Swrort-AX' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\x86_64-apple-darwin\bin\sniffer belongs to virus/spyware 'OSX/Swrort-AX' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\x86_64-linux-musl\bin\mettle belongs to virus/spyware 'Linux/Swrort-G' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\x86_64-linux-musl\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\x86_64-w64-mingw32\bin\mettle.exe belongs to virus/spyware 'Mal/Generic-S' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\evasion\windows\process_herpaderping\ProcessHerpaderpingTemplate_x64.exe belongs to virus/spyware 'ATK/TurtleLd-Q' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\evasion\windows\process_herpaderping\ProcessHerpaderpingTemplate_x86.exe belongs to virus/spyware 'ATK/TurtleLd-Q' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\evasion\windows\process_herpaderping\ProcessHerpaderping_x64.exe belongs to virus/spyware 'ATK/Herpaderp-A' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\evasion\windows\process_herpaderping\ProcessHerpaderping_x86.exe belongs to virus/spyware 'ATK/Herpaderp-A' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2010-0840\vuln\Exploit$1.class belongs to virus/spyware 'Mal/JavaKC-H' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2010-0840\vuln\Exploit.class belongs to virus/spyware 'Mal/JavaKC-H' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\modules\exploits\windows\ftp\ftpshell_cli_bof.rb belongs to virus/spyware 'Exp/20187573-A' 
    C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2013-3906\word\media\image1.jpeg belongs to virus/spyware 'Exp/20133906-A' 

  • Thanks for your reply 930!

    Application control could be something we may consider about those pentesting tools. Do you know how thex work? Simply file names or hashes? That would be too easy to manipulate.

    On the linux server using metasploit after installation works without issues. Still nothing from Sophos EP.

    Eicar viruses have been placed on the disk with the installation of MS framework on the Linux machine.

    /opt/metasploit-framework/embedded/framework/data/eicar.com
    /opt/metasploit-framework/embedded/framework/data/eicar.txt
    /opt/metasploit-framework/embedded/framework/modules/encoders/generic/eicar.rb
    Looks like the Sophos agent for linux is only consuming CPU cycles, providing no AV features.
  • In terms of scanning, the Sophos Protection Linux agent currently only has on-demand scanning. The Runtime detection plugin works based off of the MITRE attack matrix in terms of reporting detections in Sophos Central. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • App Control to block specific apps is primarily data rules provided by Labs.  They are hopefully generic enough to detect v1, v2, v3, the installer and the apps but occasionally they require updates.  The form I linked to is the best bet to get the latest version updated in the rules.

    As for the Linux product, from the installer page there is reference to a Sophos Anti-Virus for Linux (Legacy) product which did have real-time scanning but is being retired.

    ==

    Server Protection

    Full malware protection and lockdown

    • Download Windows Server Installer
    • Download Linux Server Installer

    • Sophos Anti-Virus for Linux (Legacy) is not supported after 20 July 2023. Please see here for more details.

    ==

    The help says:
    "The Anti-Virus for Linux installer provides anti-virus protection. It doesn't provide the more advanced features of Linux XDR or Linux MTR. It's a legacy product. We recommend that you migrate your Linux servers and use the new Linux Server installer."
    It is my understanding that the new agent for Linux is getting a Safestore and real-time scanning but not sure.
  • I've read here a while ago that Linux XDR should get some extra features after Sophos aquired some Linux AV company.

    But it so silent around it, it looks someone at Sophos Mgmt even forgot that they have this product. The Sales guys of course count one XDR license for something that does provides 0 protection currently.

  • The Runtime detection plugin works based off of the MITRE attack matrix in terms of reporting detections in Sophos Central.

    can you please translate that? Should there be detections in Central Management?

  • Looks like it's in "Threat Analysis Center - Detections", If you use CIXA Server license without XDR, you can't see that section.  

  • Nothing is in Detections about it. Not even MDR Team discovered and reported that. Should'nt they rund frequent scans on all systems.

    You can see in a screenshot above, that XDR is installed (and licensed) on that box.

    That's low performance currently.

  • does this feature really do something?

    Can move eicar files around on the server without any issue. Nothing reported in central, though.

    root@Ubuntu2204LTS:~# cat /home/localuser/eicar.com
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    root@Ubuntu2204LTS:~# rm /home/localuser/eicar.com
    root@Ubuntu2204LTS:~# cp /opt/metasploit-framework/embedded/framework/data/eicar.com /home/localuser/
    root@Ubuntu2204LTS:~# ls -l /home/localuser/
    total 12
    -rwxr-xr-x 1 root root   68 Jan 31 14:23 eicar.com
    -rwxr-xr-x 1 root root 6034 Dec  6 08:41 msfinstall

  • Could you try the following steps to see if anything changes when moving around the eicar file?

    • Go to Policies - Threat Protection - Select the policy to change and select "Settings"
    • Page down to "Server Protection default settings" 
    • Un-check "Enable all Server Protection default features "
    • Page down to "Real-time scanning - Local files and network shares"
    • Check the box "Apply scan to Linux agent" and "Save" changes
    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi,

    On-access scanning works in the 2023.1 release of Sophos Protection for Linux which is currently halfway through its release cycle. I can see from the screenshot above that you are still on 2022.4 and are not yet updated.

    The final GA rollout for on-access is today (1st Feb) so you should be updated by tomorrow.

    The On-access scanning that is going out will alert to virus and eicar test detections once installed.

    We are also planning on rolling out the Safestore quarantine feature which will move any malware detections to the safestore DB. This feature requires new flags to be set and this will be enabled in stages starting next week and continuing for 3 weeks from then.

     thanks

    Rick

Reply
  • Hi,

    On-access scanning works in the 2023.1 release of Sophos Protection for Linux which is currently halfway through its release cycle. I can see from the screenshot above that you are still on 2022.4 and are not yet updated.

    The final GA rollout for on-access is today (1st Feb) so you should be updated by tomorrow.

    The On-access scanning that is going out will alert to virus and eicar test detections once installed.

    We are also planning on rolling out the Safestore quarantine feature which will move any malware detections to the safestore DB. This feature requires new flags to be set and this will be enabled in stages starting next week and continuing for 3 weeks from then.

     thanks

    Rick

Children
  • Hi Rick,

    thanks for your reply. The server was on 2023.01 yesterday already. Verified it today. Still eicar movement on the server is not detected. Real Time Scanning is not blocking anything. Just tried that.

    Regards

  •   I did that

    saved policy

    now it looks like:

    enabled RTS again and saved:

    cd /opt/metasploit-framework/embedded/framework/data/
    /opt/metasploit-framework/embedded/framework/data$ cp eicar.com /tmp/
    /opt/metasploit-framework/embedded/framework/data$ ls /tmp/eicar.com
    /tmp/eicar.com
    /opt/metasploit-framework/embedded/framework/data$ cat /tmp/eicar.com
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*/opt/metasploit-framework/embedded/framework/data$

    date
    Wed Feb  1 14:56:09 UTC 2023

    rm /tmp/eicar.com

  • Hi, I suspect it is the Central policy that needs to toggle on and save in the right order. I saved it off, then enabled it and saved again.

    Once it is enabled, it does not block or stop anything at this stage (that comes with Safestore), only reports an alert in the av log and in Central. 

  • will try that. Have not seen any alert from linux OS since.

  • so - a policy cannot be disabled - only settings within.

    So once more I disabled Real time scan, saved

    enabled Real time scan after some time, saved.

    agent should have that change applied


    cp /opt/metasploit-framework/embedded/framework/data/eicar.com /tmp/
    /opt/sophos-spl$ ls -ali /tmp/eicar.com
    130266 -rwxr-xr-x 1 localuser sudo 68 Feb  1 16:35 /tmp/eicar.com

    no event logged again in central - are there useful logs on the endpoint about real time detection?

  • When testing this, I was able to generate some detections when downloading the eicar files. Moving files from removable media also returned detection and cleanup events.

    Could you try downloading metasploit to see what happens this time?

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • I can download eicar without issues.

    wget -O eicar.com hxxxs.||secure.eicar.org/eicar.com
    --2023-02-02 08:11:26--  hxxxs.||secure.eicar.org/eicar.com
    Resolving secure.eicar.org (secure.eicar.org)... 2a00:1828:1000:2497::2, 89.238.73.97
    Connecting to secure.eicar.org (secure.eicar.org)|2a00:1828:1000:2497::2|:443... failed: No route to host.
    Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 68
    Saving to: 'eicar.com'

    eicar.com             100%[======================>]      68  --.-KB/s    in 0s

    2023-02-02 08:11:27 (84.1 MB/s) - 'eicar.com' saved [68/68]




    wget -O eicar.com.zip hxxxs.||secure.eicar.org/eicar_com.zip
    --2023-02-02 08:12:38--  hxxxs.||secure.eicar.org/eicar_com.zip
    Resolving secure.eicar.org (secure.eicar.org)... 2a00:1828:1000:2497::2, 89.238.73.97
    Connecting to secure.eicar.org (secure.eicar.org)|2a00:1828:1000:2497::2|:443... failed: No route to host.
    Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 184 [application/zip]
    Saving to: 'eicar.com.zip'

    eicar.com.zip         100%[======================>]     184  --.-KB/s    in 0s

    2023-02-02 08:12:39 (231 MB/s) - 'eicar.com.zip' saved [184/184]

  • Hi ,

    Lets first check that on-access is available and running on the system.

    you can use the systemctl status sophos-spl command to see the running processes and look out for the onaccess process:

               ├─ 1116 /opt/sophos-spl/plugins/av/sbin/soapd    

    Go to the AntiVirus log location and check for the on-access log

               /opt/sophos-spl/plugins/av/log/soapd.log

    check here for any alerts generated by opening an eicar file.

    If there are no alerts, please post the last 20 lines of the log.

    Or open a case and I can do some more thorough trouble shooting .

    Just to confirm one of my earlier points, there is nothing currently released to stop you opening detected files. At the moment on-access scanning will "only" report when there is a detection, it will not prevent anything or move any file.

    thanks

    Rick 

  • soapd is not running

    /opt/sophos-spl/plugins# systemctl status sophos-spl
    ● sophos-spl.service - Sophos Linux Protection
         Loaded: loaded (/lib/systemd/system/sophos-spl.service; enabled; vendor preset:>
         Active: active (running) since Tue 2023-01-31 14:16:12 UTC; 2 days ago
       Main PID: 728 (sophos_watchdog)
          Tasks: 113 (limit: 9256)
         Memory: 149.1M
            CPU: 4min 31.343s
         CGroup: /system.slice/sophos-spl.service
                 ├─ 728 /opt/sophos-spl/base/bin/sophos_watchdog
                 ├─ 814 /opt/sophos-spl/base/bin/CommsComponent
                 ├─ 820 /opt/sophos-spl/base/bin/sophos_managementagent
                 ├─ 827 /opt/sophos-spl/base/bin/sdu
                 ├─ 832 /opt/sophos-spl/base/bin/python3 -m mcsrouter.mcs_router --no-da>
                 ├─ 840 /opt/sophos-spl/base/bin/tscheduler
                 ├─ 843 /opt/sophos-spl/base/bin/UpdateScheduler
                 ├─ 847 /opt/sophos-spl/plugins/runtimedetections/bin/runtimedetections
                 ├─ 848 /opt/sophos-spl/base/bin/CommsComponent
                 ├─ 864 /opt/sophos-spl/plugins/eventjournaler/bin/eventjournaler
                 └─1002 runtimedetections-trigger

    So I guess soapd is the new module that is supposed to provide on-acces-scan? Is it not installed automatically when the agent upgrades to 2023.1? What would you suggest to get it running?

    The av/log/soapd.log does not exist. The folder or module "av" does not exist.

    /opt/sophos-spl/plugins# cd /opt/sophos-spl/plugins
    /opt/sophos-spl/plugins# ls -li
    total 8
    387205 drwx------ 7 sophos-spl-user sophos-spl-group 4096 Dec  6 07:52 eventjournaler
    387170 drwx------ 6 sophos-spl-user sophos-spl-group 4096 Dec  6 07:52 runtimedetections

  • Hi, 

    Once the component is updated, then the soapd process will run (whether on-access is enabled or not) so It looks like the component has not been fully updated.

    This will show the base version and confirm whether that has been updated.

    # /opt/sophos-spl/bin/version   

    PRODUCT_NAME = SPL-Base-Component
    PRODUCT_VERSION = 1.2.2.17
    BUILD_DATE = 2023-01-05

    or if not upgraded yet

    PRODUCT_NAME = SPL-Base-Component
    PRODUCT_VERSION = 1.2.1.3
    BUILD_DATE = 2022-10-18

    Check the av plugin:

    # more /opt/sophos-spl/plugins/av/VERSION.ini
    PRODUCT_NAME = SPL-Anti-Virus-Plugin
    PRODUCT_VERSION = 1.1.0.1644
    BUILD_DATE = 2023-01-06

    or if not upgraded

    # more /opt/sophos-spl/plugins/av/VERSION.ini
    PRODUCT_NAME = SPL-Anti-Virus-Plugin
    PRODUCT_VERSION = 1.0.8.12
    BUILD_DATE = 2022-10-17

    If it has upgraded and you do not see the process or logfiles then we need to investigate why not.

    If it has not been upgraded, then we should look at why it has not upgraded automatically. Perhaps try using "upgrade now" in Central.

    thanks

    Rick