This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Metasploit downloaded and installed - nothing from Sophos endpoint

An admin downloaded and installed metasploit framework on a Linux Server with Intercept-X installed.

Nothing happened from the Sophos side.

I expected it to detect and alert at least a PUA we then need to whitelist.

As a further test I did a download of metasploit framework for windows on a windows machine. Sophos Firewall did not detect any threat. Further I did not install metasploit but did the right click scan with Sophos EP.

Nothing happened again.

I think it's strange that you allow a tool that can pentest your internal network without any notice.

Linux Server:

Windows EP:

This thread was automatically locked due to age.

Top Replies

LHerzog 7 months ago in reply to LHerzog +2 verified

whoever may find this: The issue that the AV plugin was not installed automatically was caused by our server update base policy in central. we have enabled a day and time for updates.This causes a bug…

Parents

0 Sophos User930 11 months ago

Metasploit should be an entry under Application Control category: "Network monitoring / Vulnerability tool". So you should be able to block it there.

If the definition no longer detects the file, you can submit it via: FileSubmission (sophos.com) so the data is updated.

At least on Windows, when running the Metasploit installer, it attempts to drop Eicar.com under "C:\metasploit\apps\pro\data\eicar\" as a way to check you have excluded the directory from real-time scanning. So that should be detected as a minimum unless you have excluded the install directory?

If I install the version found here:
Downloads by Version | Metasploit Documentation Penetration Testing Software, Pen Testing Security
with only a real-time exclusion, if i scan the directory I get plenty of detections....

C:\metasploit\apps\pro\data\eicar\eicar.com belongs to virus/spyware 'EICAR-AV-Test' 
C:\metasploit\apps\pro\data\exe_templates\template_x86_windows.exe belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\data\meterpreter\ext_server_pivot.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\data\meterpreter\ext_server_pivot.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\data\exe_templates\pro\template_x86_windows.exe belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\ui\config\build\installer\eicar\eicar.com belongs to virus/spyware 'EICAR-AV-Test' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\eicar.com belongs to virus/spyware 'EICAR-AV-Test' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\vncdll.x64.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\vncdll.x86.dll belongs to virus/spyware 'Harmony Loader' 
C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2008-5353.jar/msf/x/AppletX.class belongs to virus/spyware 'Troj/ClsLdr-Gen' 
C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2008-5353.jar/msf/x/LoaderX.class belongs to virus/spyware 'Troj/ClsLdr-Gen' 
C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2008-5353.jar/msf/x/PayloadX.class belongs to virus/spyware 'Mal/JavaKC-B' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2008-5499.swf belongs to virus/spyware 'Troj/ExpSWF-B' 
C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2009-3867.jar/AppletX.class belongs to virus/spyware 'Troj/Clsldr-U' 
C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2009-3869.jar/AppletX.class belongs to virus/spyware 'Mal/JavaKC-M' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2010-1297.swf belongs to virus/spyware 'Troj/SWFDlr-V' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2011-0609.swf belongs to virus/spyware 'Troj/SWFExp-CC' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2011-0611.swf belongs to virus/spyware 'Exp/20110611-A' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2011-2110.swf belongs to virus/spyware 'Troj/SWFDlr-AS' 
C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2012-0507.jar/msf/x/Exploit.class belongs to virus/spyware 'Mal/Generic-S' 
C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2012-0507.jar/msf/x/PayloadX.class belongs to virus/spyware 'Mal/JavaKC-B' 
C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2012-0507.jar/msf/x/Help.class belongs to virus/spyware 'Mal/ExpJava-W' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2012-0754.swf belongs to virus/spyware 'Troj/ExpSWF-B' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2012-1723.jar belongs to virus/spyware 'Mal/ExpJava-N' 
C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2012-1723.jar/cve1723/Attacker.class belongs to virus/spyware 'Mal/JavaGen-D' 
C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2012-1723.jar/cve1723/ConfusingClassLoader.class belongs to virus/spyware 'Mal/JavaGen-D' 
C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2012-1723.jar/cve1723/Confuser.class belongs to virus/spyware 'Troj/JavaDl-NZ' 
C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2012-1723.jar/msf/x/PayloadX$StreamConnector.class belongs to virus/spyware 'Mal/JavaKC-H' 
C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/CVE-2012-1723.jar/msf/x/PayloadX.class belongs to virus/spyware 'Mal/JavaKC-B' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2014-1761.rtf belongs to virus/spyware 'Exp/20141761-A' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\evasion_shellcode.js belongs to virus/spyware 'Troj/JSInj-B' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\hta_evasion.hta belongs to virus/spyware 'ATK/MSFEva-A' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\post\bypassuac-x64.exe belongs to virus/spyware 'Mal/Generic-R' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\post\bypassuac-x86.dll belongs to virus/spyware 'Mal/Swrort-AO' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\post\SharpHound.exe belongs to virus/spyware 'BloodHoundAD' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_armle_darwin.bin belongs to virus/spyware 'OSX/GetShell-J' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_ppc_darwin.bin belongs to virus/spyware 'OSX/Swrort-AX' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_x64_darwin.bin belongs to virus/spyware 'OSX/Getshell-E' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_x64_windows.dll belongs to virus/spyware 'ATK/FatRat-J' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_x64_windows_dccw_gdiplus.dll belongs to virus/spyware 'Troj/Meter-F' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_x64_windows_mixed_mode.dll belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_x86_darwin.bin belongs to virus/spyware 'OSX/Getshell-BA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_x86_windows.dll belongs to virus/spyware 'ATK/FatRat-J' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_x86_windows_mixed_mode.dll belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\templates\template_x86_windows_svc.exe belongs to virus/spyware 'Serv Inject' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\android\meterpreter.dex belongs to virus/spyware 'Android Metasploit' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\elevator.x64.debug.dll belongs to virus/spyware 'Troj/Meterpre-J' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\elevator.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\elevator.x86.debug.dll belongs to virus/spyware 'Troj/Meterpre-J' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\elevator.x86.dll belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_bofloader.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_bofloader.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_bofloader.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_bofloader.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_espia.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_espia.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_espia.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_espia.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_extapi.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_extapi.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_extapi.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_extapi.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_incognito.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_incognito.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_incognito.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_incognito.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_kiwi.x64.debug.dll belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_kiwi.x64.dll belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_kiwi.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_kiwi.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_lanattacks.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_lanattacks.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_lanattacks.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_lanattacks.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_peinjector.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_peinjector.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_peinjector.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_peinjector.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_powershell.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_powershell.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_powershell.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_powershell.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_priv.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_priv.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_priv.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_priv.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_python.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_python.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_python.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_python.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_sniffer.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_sniffer.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_stdapi.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_stdapi.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_stdapi.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_stdapi.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_unhook.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_unhook.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_unhook.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_unhook.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_winpmem.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_winpmem.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_winpmem.x86.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\ext_server_winpmem.x86.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\meterpreter.py belongs to virus/spyware 'ATK/Meter-V' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\metsrv.x64.debug.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\metsrv.x64.dll belongs to virus/spyware 'Generic Reputation PUA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\metsrv.x86.debug.dll belongs to virus/spyware 'Mal/Behav-010' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\metsrv.x86.dll belongs to virus/spyware 'Mal/Behav-010' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\screenshot.x64.debug.dll belongs to virus/spyware 'Troj/Meterpre-I' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\screenshot.x64.dll belongs to virus/spyware 'Troj/Meterpre-I' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\screenshot.x86.debug.dll belongs to virus/spyware 'Troj/Meterpre-I' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\meterpreter\screenshot.x86.dll belongs to virus/spyware 'Troj/Meterpre-I' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2010-0094\Exploit$1$1.class belongs to virus/spyware 'Mal/JavaKC-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2010-0094\Exploit$1.class belongs to virus/spyware 'Mal/JavaKC-F' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2010-0094\Exploit$2.class belongs to virus/spyware 'Mal/JavaImr-C' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2010-0094\Exploit.class belongs to virus/spyware 'Mal/JavaKC-P' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2010-0094\PayloadClassLoader.class belongs to virus/spyware 'Mal/JavaCL-C' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2010-0232\kitrap0d.x86.dll belongs to virus/spyware 'Mal/Swrort-L' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2010-0842\MixerMidiApplet.class belongs to virus/spyware 'Mal/JavaMid-D' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2010-4452\AppletX.class belongs to virus/spyware 'Mal/JavaCL-C' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2011-3544\Exploit.class belongs to virus/spyware 'Troj/JavaDl-FO' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2012-1535\Main.swf belongs to virus/spyware 'Exp/20121535-A' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2012-4681\Exploit.class belongs to virus/spyware 'Mal/JavaExpl-D' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2012-5076\Exploit.class belongs to virus/spyware 'Exp/20125076-A' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2013-0074\SilverApp1.dll belongs to virus/spyware 'Mal/Generic-R' 
C:/metasploit/apps/pro/vendor/bundle/ruby/3.0.0/gems/metasploit-framework-6.2.29/data/exploits/cve-2013-0074/SilverApp1.xap/SilverApp1.dll belongs to virus/spyware 'Mal/Generic-R' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2013-0109\nvidia_nvsvc.x86.dll belongs to virus/spyware 'Mal/Swrort-L' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2013-1300\schlamperei.x86.dll belongs to virus/spyware 'Mal/Swrort-AO' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2013-2465\Exploit.class belongs to virus/spyware 'Exp/20132465-A' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2013-3660\ppr_flatten_rec.x86.dll belongs to virus/spyware 'Mal/Swrort-L' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2013-5045\CVE-2013-5045.dll belongs to virus/spyware 'Mal/Generic-R' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2013-5331\Exploit.swf belongs to virus/spyware 'Troj/ExpSWF-B' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-0257\CVE-2014-0257.dll belongs to virus/spyware 'Mal/Generic-R' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-0322\AsXploit.swf belongs to virus/spyware 'Troj/SWFExp-DB' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-0497\Vickers.swf belongs to virus/spyware 'Troj/SWFExp-CZ' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-0515\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-0556\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-0569\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-4113\cve-2014-4113.x64.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-4113\cve-2014-4113.x86.dll belongs to virus/spyware 'Mal/Swrort-L' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2014-8440\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-0016\cve-2015-0016.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-0311\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-0313\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-0336\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-0359\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-1701\cve-2015-1701.x64.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-1701\cve-2015-1701.x86.dll belongs to virus/spyware 'Mal/Swrort-L' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-2426\reflective_dll.x64.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-3090\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-3105\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-3113\msf.swf belongs to virus/spyware 'Troj/SWFExp-LL' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-3673\exploit.daplug belongs to virus/spyware 'OSX/20153673-A' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2015-5119\msf.swf belongs to virus/spyware 'Troj/SWFExp-LD' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2016-0040\CVE-2016-0040.x64.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2016-0051\cve-2016-0051.x86.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2016-0189\ieshell32.dll belongs to virus/spyware 'Troj/20160189-A' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2016-4655\exploit belongs to virus/spyware 'OSX/Swrort-AX' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2018-0824\UnmarshalPwn.exe belongs to virus/spyware 'Mal/Swrort-AO' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2018-4237\ssudo belongs to virus/spyware 'OSX/Lotoor-C' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2018-8440\ALPC-TaskSched-LPE.dll belongs to virus/spyware 'Mal/Swrort-AO' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2018-8453\CVE-2018-8453.exe belongs to virus/spyware 'Mal/Swrort-AO' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2018-8897\reflective_dll.x64.dll belongs to virus/spyware 'Mal/Swrort-AO' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2019-0808\exploit.dll belongs to virus/spyware 'Mal/Swrort-AO' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2019-1322\CVE-2019-1322-EXE.exe belongs to virus/spyware 'Mal/Swrort-AO' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2019-1458\exploit.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2020-0787\CVE-2020-0787.x64.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2020-0787\CVE-2020-0787.x86.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2020-0796\CVE-2020-0796.x64.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2020-1048\cve-2020-1048-exe.Win32.exe belongs to virus/spyware 'Mal/Swrort-AO' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2020-1048\cve-2020-1048-exe.x64.exe belongs to virus/spyware 'Mal/Swrort-AO' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2020-1054\exploit.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2020-1313\cve-2020-1313-exe.x64.exe belongs to virus/spyware 'Mal/Swrort-AO' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2020-17136\cloudFilterEOP.exe belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2021-21551\CVE-2021-21551.x64.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2021-40449\CVE-2021-40449.x64.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2022-21882\CVE-2022-21882.x64.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2022-26904\CVE-2022-26904.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2022-34918\ubuntu.elf belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\dell_protect\dell_protect.x64.dll belongs to virus/spyware 'Mal/Swrort-AO' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\drunkpotato\drunkpotato.x64.dll belongs to virus/spyware 'Mal/Swrort-AO' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\drunkpotato\drunkpotato.x86.dll belongs to virus/spyware 'Mal/Swrort-AO' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\juicypotato\juicypotato.x64.dll belongs to virus/spyware 'ATK/JPotato-B' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\juicypotato\juicypotato.x86.dll belongs to virus/spyware 'ATK/JPotato-B' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\ntapphelpcachecontrol\exploit.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\office_word_macro\vbaProject.bin belongs to virus/spyware 'ATK/FatRat-F' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\powershell\powerdump.ps1 belongs to virus/spyware 'ATK/Nishang-I' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\powershell\powerfun.ps1 belongs to virus/spyware 'ATK/PowerFun-A' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\rottenpotato\rottenpotato.x64.dll belongs to virus/spyware 'ATK/RPotato-A' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\rottenpotato\rottenpotato.x86.dll belongs to virus/spyware 'ATK/RPotato-A' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\tpwn\tpwn belongs to virus/spyware 'OSX/tpwn-A' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\uso_trigger\uso_trigger.x64.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\uso_trigger\uso_trigger.x86.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\post\execute-dotnet-assembly\HostingCLRx64.dll belongs to virus/spyware 'Harmony Loader' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\post\powershell\SharpHound.ps1 belongs to virus/spyware 'BloodHoundAD' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\android\apk\AndroidManifest.xml belongs to virus/spyware 'Andr/Bckdr-RXK' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\android\apk\classes.dex belongs to virus/spyware 'Andr/Bckdr-RXM' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-payloads-2.0.101\data\java\metasploit\Payload.class belongs to virus/spyware 'ATK/JMeter-A' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\aarch64-iphone-darwin\bin\mettle belongs to virus/spyware 'OSX/Swrort-AX' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\aarch64-iphone-darwin\bin\mettle.dylib belongs to virus/spyware 'OSX/Swrort-AX' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\aarch64-iphone-darwin\bin\mettle.sha1.dylib belongs to virus/spyware 'OSX/Swrort-AX' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\aarch64-iphone-darwin\bin\sniffer belongs to virus/spyware 'OSX/Swrort-AX' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\aarch64-linux-musl\bin\mettle belongs to virus/spyware 'Linux/Swrort-G' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\aarch64-linux-musl\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\arm-iphone-darwin\bin\mettle belongs to virus/spyware 'OSX/Swrort-AX' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\arm-iphone-darwin\bin\mettle.dylib belongs to virus/spyware 'OSX/Swrort-AX' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\arm-iphone-darwin\bin\mettle.sha1.dylib belongs to virus/spyware 'OSX/Swrort-AX' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\arm-iphone-darwin\bin\sniffer belongs to virus/spyware 'iPh/Swrort-BA' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\armv5b-linux-musleabi\bin\mettle belongs to virus/spyware 'Linux/Swrort-H' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\armv5b-linux-musleabi\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\armv5l-linux-musleabi\bin\mettle belongs to virus/spyware 'Linux/Swrort-H' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\armv5l-linux-musleabi\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\i486-linux-musl\bin\mettle belongs to virus/spyware 'Linux/Swrort-G' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\i486-linux-musl\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\i686-w64-mingw32\bin\mettle.exe belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\mips-linux-muslsf\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\mips64-linux-muslsf\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\mipsel-linux-muslsf\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\powerpc-e500v2-linux-musl\bin\mettle belongs to virus/spyware 'Linux/Swrort-G' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\powerpc-e500v2-linux-musl\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\powerpc-linux-muslsf\bin\mettle belongs to virus/spyware 'Linux/Swrort-G' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\powerpc-linux-muslsf\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\powerpc64le-linux-musl\bin\mettle belongs to virus/spyware 'Linux/Swrort-G' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\powerpc64le-linux-musl\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\s390x-linux-musl\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\x86_64-apple-darwin\bin\mettle belongs to virus/spyware 'OSX/Swrort-AX' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\x86_64-apple-darwin\bin\sniffer belongs to virus/spyware 'OSX/Swrort-AX' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\x86_64-linux-musl\bin\mettle belongs to virus/spyware 'Linux/Swrort-G' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\x86_64-linux-musl\bin\mettle.bin belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit_payloads-mettle-1.0.20\build\x86_64-w64-mingw32\bin\mettle.exe belongs to virus/spyware 'Mal/Generic-S' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\evasion\windows\process_herpaderping\ProcessHerpaderpingTemplate_x64.exe belongs to virus/spyware 'ATK/TurtleLd-Q' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\evasion\windows\process_herpaderping\ProcessHerpaderpingTemplate_x86.exe belongs to virus/spyware 'ATK/TurtleLd-Q' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\evasion\windows\process_herpaderping\ProcessHerpaderping_x64.exe belongs to virus/spyware 'ATK/Herpaderp-A' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\evasion\windows\process_herpaderping\ProcessHerpaderping_x86.exe belongs to virus/spyware 'ATK/Herpaderp-A' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2010-0840\vuln\Exploit$1.class belongs to virus/spyware 'Mal/JavaKC-H' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\cve-2010-0840\vuln\Exploit.class belongs to virus/spyware 'Mal/JavaKC-H' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\modules\exploits\windows\ftp\ftpshell_cli_bof.rb belongs to virus/spyware 'Exp/20187573-A' 
C:\metasploit\apps\pro\vendor\bundle\ruby\3.0.0\gems\metasploit-framework-6.2.29\data\exploits\CVE-2013-3906\word\media\image1.jpeg belongs to virus/spyware 'Exp/20133906-A'

0 LHerzog 11 months ago in reply to Sophos User930

Thanks for your reply 930!

Application control could be something we may consider about those pentesting tools. Do you know how thex work? Simply file names or hashes? That would be too easy to manipulate.

On the linux server using metasploit after installation works without issues. Still nothing from Sophos EP.

Eicar viruses have been placed on the disk with the installation of MS framework on the Linux machine.

/opt/metasploit-framework/embedded/framework/data/eicar.com

/opt/metasploit-framework/embedded/framework/data/eicar.txt

/opt/metasploit-framework/embedded/framework/modules/encoders/generic/eicar.rb

Looks like the Sophos agent for linux is only consuming CPU cycles, providing no AV features.
Cancel
Vote Up 0 Vote Down

Cancel
0 Rick Stephens 9 months ago in reply to LHerzog

Hi,

On-access scanning works in the 2023.1 release of Sophos Protection for Linux which is currently halfway through its release cycle. I can see from the screenshot above that you are still on 2022.4 and are not yet updated.

The final GA rollout for on-access is today (1st Feb) so you should be updated by tomorrow.

The On-access scanning that is going out will alert to virus and eicar test detections once installed.

We are also planning on rolling out the Safestore quarantine feature which will move any malware detections to the safestore DB. This feature requires new flags to be set and this will be enabled in stages starting next week and continuing for 3 weeks from then.

thanks

Rick
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog 9 months ago in reply to Rick Stephens

Hi Rick,

thanks for your reply. The server was on 2023.01 yesterday already. Verified it today. Still eicar movement on the server is not detected. Real Time Scanning is not blocking anything. Just tried that.

Regards
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog 9 months ago in reply to LHerzog

Qoosh I did that

saved policy

now it looks like:

enabled RTS again and saved:

cd /opt/metasploit-framework/embedded/framework/data/
/opt/metasploit-framework/embedded/framework/data$ cp eicar.com /tmp/
/opt/metasploit-framework/embedded/framework/data$ ls /tmp/eicar.com
/tmp/eicar.com
/opt/metasploit-framework/embedded/framework/data$ cat /tmp/eicar.com
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*/opt/metasploit-framework/embedded/framework/data$

date
Wed Feb 1 14:56:09 UTC 2023

rm /tmp/eicar.com
Cancel
Vote Up 0 Vote Down

Cancel
0 Rick Stephens 9 months ago in reply to LHerzog

Hi, I suspect it is the Central policy that needs to toggle on and save in the right order. I saved it off, then enabled it and saved again.

Once it is enabled, it does not block or stop anything at this stage (that comes with Safestore), only reports an alert in the av log and in Central.
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog 9 months ago in reply to Rick Stephens

will try that. Have not seen any alert from linux OS since.
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog 9 months ago in reply to LHerzog

so - a policy cannot be disabled - only settings within.

So once more I disabled Real time scan, saved

enabled Real time scan after some time, saved.

agent should have that change applied

cp /opt/metasploit-framework/embedded/framework/data/eicar.com /tmp/
/opt/sophos-spl$ ls -ali /tmp/eicar.com
130266 -rwxr-xr-x 1 localuser sudo 68 Feb 1 16:35 /tmp/eicar.com

no event logged again in central - are there useful logs on the endpoint about real time detection?
Cancel
Vote Up 0 Vote Down

Cancel
0 Qoosh 9 months ago in reply to LHerzog

When testing this, I was able to generate some detections when downloading the eicar files. Moving files from removable media also returned detection and cleanup events.

Could you try downloading metasploit to see what happens this time?

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog 9 months ago in reply to Qoosh

I can download eicar without issues.

wget -O eicar.com hxxxs.||secure.eicar.org/eicar.com
--2023-02-02 08:11:26-- hxxxs.||secure.eicar.org/eicar.com
Resolving secure.eicar.org (secure.eicar.org)... 2a00:1828:1000:2497::2, 89.238.73.97
Connecting to secure.eicar.org (secure.eicar.org)|2a00:1828:1000:2497::2|:443... failed: No route to host.
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68
Saving to: 'eicar.com'

eicar.com 100%[======================>] 68 --.-KB/s in 0s

2023-02-02 08:11:27 (84.1 MB/s) - 'eicar.com' saved [68/68]

wget -O eicar.com.zip hxxxs.||secure.eicar.org/eicar_com.zip
--2023-02-02 08:12:38-- hxxxs.||secure.eicar.org/eicar_com.zip
Resolving secure.eicar.org (secure.eicar.org)... 2a00:1828:1000:2497::2, 89.238.73.97
Connecting to secure.eicar.org (secure.eicar.org)|2a00:1828:1000:2497::2|:443... failed: No route to host.
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 184 [application/zip]
Saving to: 'eicar.com.zip'

eicar.com.zip 100%[======================>] 184 --.-KB/s in 0s

2023-02-02 08:12:39 (231 MB/s) - 'eicar.com.zip' saved [184/184]
Cancel
Vote Up 0 Vote Down

Cancel
0 Rick Stephens 9 months ago in reply to LHerzog

Hi ,

Lets first check that on-access is available and running on the system.

you can use the systemctl status sophos-spl command to see the running processes and look out for the onaccess process:

├─ 1116 /opt/sophos-spl/plugins/av/sbin/soapd

Go to the AntiVirus log location and check for the on-access log

/opt/sophos-spl/plugins/av/log/soapd.log

check here for any alerts generated by opening an eicar file.

If there are no alerts, please post the last 20 lines of the log.

Or open a case and I can do some more thorough trouble shooting .

Just to confirm one of my earlier points, there is nothing currently released to stop you opening detected files. At the moment on-access scanning will "only" report when there is a detection, it will not prevent anything or move any file.

thanks

Rick
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog 9 months ago in reply to Rick Stephens

soapd is not running

/opt/sophos-spl/plugins# systemctl status sophos-spl
● sophos-spl.service - Sophos Linux Protection
     Loaded: loaded (/lib/systemd/system/sophos-spl.service; enabled; vendor preset:>
     Active: active (running) since Tue 2023-01-31 14:16:12 UTC; 2 days ago
   Main PID: 728 (sophos_watchdog)
      Tasks: 113 (limit: 9256)
     Memory: 149.1M
        CPU: 4min 31.343s
     CGroup: /system.slice/sophos-spl.service
             ├─ 728 /opt/sophos-spl/base/bin/sophos_watchdog
             ├─ 814 /opt/sophos-spl/base/bin/CommsComponent
             ├─ 820 /opt/sophos-spl/base/bin/sophos_managementagent
             ├─ 827 /opt/sophos-spl/base/bin/sdu
             ├─ 832 /opt/sophos-spl/base/bin/python3 -m mcsrouter.mcs_router --no-da>
             ├─ 840 /opt/sophos-spl/base/bin/tscheduler
             ├─ 843 /opt/sophos-spl/base/bin/UpdateScheduler
             ├─ 847 /opt/sophos-spl/plugins/runtimedetections/bin/runtimedetections
             ├─ 848 /opt/sophos-spl/base/bin/CommsComponent
             ├─ 864 /opt/sophos-spl/plugins/eventjournaler/bin/eventjournaler
             └─1002 runtimedetections-trigger

So I guess soapd is the new module that is supposed to provide on-acces-scan? Is it not installed automatically when the agent upgrades to 2023.1? What would you suggest to get it running?

The av/log/soapd.log does not exist. The folder or module "av" does not exist.

/opt/sophos-spl/plugins# cd /opt/sophos-spl/plugins
/opt/sophos-spl/plugins# ls -li
total 8
387205 drwx------ 7 sophos-spl-user sophos-spl-group 4096 Dec 6 07:52 eventjournaler
387170 drwx------ 6 sophos-spl-user sophos-spl-group 4096 Dec 6 07:52 runtimedetections
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 LHerzog 9 months ago in reply to Rick Stephens

soapd is not running

/opt/sophos-spl/plugins# systemctl status sophos-spl
● sophos-spl.service - Sophos Linux Protection
     Loaded: loaded (/lib/systemd/system/sophos-spl.service; enabled; vendor preset:>
     Active: active (running) since Tue 2023-01-31 14:16:12 UTC; 2 days ago
   Main PID: 728 (sophos_watchdog)
      Tasks: 113 (limit: 9256)
     Memory: 149.1M
        CPU: 4min 31.343s
     CGroup: /system.slice/sophos-spl.service
             ├─ 728 /opt/sophos-spl/base/bin/sophos_watchdog
             ├─ 814 /opt/sophos-spl/base/bin/CommsComponent
             ├─ 820 /opt/sophos-spl/base/bin/sophos_managementagent
             ├─ 827 /opt/sophos-spl/base/bin/sdu
             ├─ 832 /opt/sophos-spl/base/bin/python3 -m mcsrouter.mcs_router --no-da>
             ├─ 840 /opt/sophos-spl/base/bin/tscheduler
             ├─ 843 /opt/sophos-spl/base/bin/UpdateScheduler
             ├─ 847 /opt/sophos-spl/plugins/runtimedetections/bin/runtimedetections
             ├─ 848 /opt/sophos-spl/base/bin/CommsComponent
             ├─ 864 /opt/sophos-spl/plugins/eventjournaler/bin/eventjournaler
             └─1002 runtimedetections-trigger

So I guess soapd is the new module that is supposed to provide on-acces-scan? Is it not installed automatically when the agent upgrades to 2023.1? What would you suggest to get it running?

The av/log/soapd.log does not exist. The folder or module "av" does not exist.

/opt/sophos-spl/plugins# cd /opt/sophos-spl/plugins
/opt/sophos-spl/plugins# ls -li
total 8
387205 drwx------ 7 sophos-spl-user sophos-spl-group 4096 Dec 6 07:52 eventjournaler
387170 drwx------ 6 sophos-spl-user sophos-spl-group 4096 Dec 6 07:52 runtimedetections
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Rick Stephens 9 months ago in reply to LHerzog

Hi,

Once the component is updated, then the soapd process will run (whether on-access is enabled or not) so It looks like the component has not been fully updated.

This will show the base version and confirm whether that has been updated.

# /opt/sophos-spl/bin/version

PRODUCT_NAME = SPL-Base-Component
PRODUCT_VERSION = 1.2.2.17
BUILD_DATE = 2023-01-05

or if not upgraded yet

PRODUCT_NAME = SPL-Base-Component
PRODUCT_VERSION = 1.2.1.3
BUILD_DATE = 2022-10-18

Check the av plugin:

# more /opt/sophos-spl/plugins/av/VERSION.ini
PRODUCT_NAME = SPL-Anti-Virus-Plugin
PRODUCT_VERSION = 1.1.0.1644
BUILD_DATE = 2023-01-06

or if not upgraded

# more /opt/sophos-spl/plugins/av/VERSION.ini
PRODUCT_NAME = SPL-Anti-Virus-Plugin
PRODUCT_VERSION = 1.0.8.12
BUILD_DATE = 2022-10-17

If it has upgraded and you do not see the process or logfiles then we need to investigate why not.

If it has not been upgraded, then we should look at why it has not upgraded automatically. Perhaps try using "upgrade now" in Central.

thanks

Rick
Cancel
Vote Up +1 Vote Down

Cancel
0 LHerzog 9 months ago in reply to Rick Stephens

Thanks Rick,

/opt/sophos-spl/bin/version

Version information for Sophos Linux Protection

PRODUCT_NAME = SPL-Base-Component
PRODUCT_VERSION = 1.2.1.3
BUILD_DATE = 2022-10-18

I will try do re-install with the central installer manually.
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog 9 months ago in reply to LHerzog

new version is now installed - but the av plugin is missing

root@:# ./sophossetup.sh
This software is governed by the terms and conditions of a licence agreement with Sophos Limited
Installation process for Sophos Protection for Linux started
Attempting to connect to Sophos Central
Successfully verified connection to Sophos Central
Successfully registered with Sophos Central
Successfully installed product
root@:# cd /opt/sophos-spl/
root@:/opt/sophos-spl# ls
base bin logs plugins shared tmp var
root@:/opt/sophos-spl# cd plugins/
root@:/opt/sophos-spl/plugins# ls
eventjournaler runtimedetections
root@:/opt/sophos-spl/plugins# /opt/sophos-spl/bin/version

Version information for Sophos Linux Protection

PRODUCT_NAME = SPL-Base-Component
PRODUCT_VERSION = 1.2.2.17
BUILD_DATE = 2023-01-05
COMMIT_HASH = 606006af2bd8111005b887fb5442761795481be5

root@:/opt/sophos-spl/plugins# ls
eventjournaler
runtimedetections
root@:/opt/sophos-spl/plugins#
Cancel
Vote Up 0 Vote Down

Cancel
0 Rick Stephens 9 months ago in reply to LHerzog

Hi,

I believe it is either still in the process of installing all the plugins or there is some license restriction.

This would be best handled as a Support case and if you wanted to troubleshoot yourself you could check the log

/opt/sophos-spl/logs/base/suldownloader.log

thanks

Rick
Cancel
Vote Up +1 Vote Down

Cancel
0 LHerzog 9 months ago in reply to Rick Stephens

thanks. will check out with support.

looks like the agent thinks it has AV installed but plugin folder still does not contain AV plugin.

/opt/sophos-spl/base/update/var/updatescheduler# tail installed_features.json
["APPCNTRL","AV","CORE","DLP","DVCCNTRL","EFW","HBT","LIVEQUERY","LIVETERMINAL","MDR","MTD","NTP","SAV","SDU","WEBCNTRL"]

1001    [2023-02-06T09:12:05.481]    INFO [3839546304] suldownloader <> Doing supplement-only update
1001    [2023-02-06T09:12:05.481]    INFO [3839546304] suldownloader <> Running in SDDS3 updating mode
1001    [2023-02-06T09:12:05.482]    INFO [3839546304] suldownloaderdata <> Successfully loaded previous config file
1002    [2023-02-06T09:12:05.482]    INFO [3839546304] SulDownloaderSDDS3 <> Trying SUS request (hxxps:||sus.sophosupd.com) without proxy
1257    [2023-02-06T09:12:05.737]    INFO [3839546304] suldownloaderdata <> SUS Request was successful
1258    [2023-02-06T09:12:05.738]    INFO [3839546304] suldownloaderdata <> Suite: 'sdds3.ServerProtectionLinux-Base_2023.1.0.33.bf7e6b86be.dat' is available to be downloaded.
1258    [2023-02-06T09:12:05.738]    INFO [3839546304] suldownloaderdata <> Suite: 'sdds3.ServerProtectionLinux-Plugin-AV_2023.1.0.33.5e28c03bd7.dat' is available to be downloaded.
1258    [2023-02-06T09:12:05.738]    INFO [3839546304] suldownloaderdata <> Suite: 'sdds3.ServerProtectionLinux-Plugin-EDR_2023.1.0.33.5c9b9d8fca.dat' is available to be downloaded.
1258    [2023-02-06T09:12:05.738]    INFO [3839546304] suldownloaderdata <> Suite: 'sdds3.ServerProtectionLinux-Plugin-MDR_2023.1.0.33.5682c8d738.dat' is available to be downloaded.
1259    [2023-02-06T09:12:05.739]    INFO [3839546304] suldownloaderdata <> Connecting to update source directly
1259    [2023-02-06T09:12:05.739]    INFO [3839546304] suldownloaderdata <> Performing Sync using hxxps:||sdds3.sophosupd.com:443
1784    [2023-02-06T09:12:06.265]    INFO [3839546304] suldownloader <> Downloaded Product line: 'ServerProtectionLinux-Base-component' is up to date.
1784    [2023-02-06T09:12:06.265]    INFO [3839546304] suldownloader <> Downloaded Product line: 'ServerProtectionLinux-Plugin-MDR' is up to date.
1784    [2023-02-06T09:12:06.265]    INFO [3839546304] suldownloader <> Downloaded Product line: 'ServerProtectionLinux-Plugin-EDR' is up to date.
1784    [2023-02-06T09:12:06.265]    INFO [3839546304] suldownloader <> Downloaded Product line: 'ServerProtectionLinux-Plugin-AV' is up to date.
1784    [2023-02-06T09:12:06.265]    INFO [3839546304] suldownloader <> Downloaded Product line: 'ServerProtectionLinux-Plugin-liveresponse' is up to date.
1784    [2023-02-06T09:12:06.265]    INFO [3839546304] suldownloader <> Downloaded Product line: 'ServerProtectionLinux-Plugin-RuntimeDetections' is up to date.
1784    [2023-02-06T09:12:06.265]    INFO [3839546304] suldownloader <> Downloaded Product line: 'ServerProtectionLinux-Plugin-EventJournaler' is up to date.
1786    [2023-02-06T09:12:06.266]    INFO [3839546304] suldownloader <> Update success
1786    [2023-02-06T09:12:06.266]    INFO [3839546304] suldownloader <> Generating the report file in: /opt/sophos-spl/base/update/var/updatescheduler

ls /opt/sophos-spl/plugins/
eventjournaler runtimedetections
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog 9 months ago in reply to LHerzog

Case 06153962 created
Cancel
Vote Up 0 Vote Down

Cancel
0 Rick Stephens 9 months ago in reply to LHerzog

That's great, thanks. I am monitoring the case.
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog 9 months ago in reply to Rick Stephens

this is going the long road unfortunately.

AV is still missing and it's unclear why.

After fresh reinstall of Linux SPL

/opt/sophos-spl/bin/version

Version information for Sophos Linux Protection

PRODUCT_NAME = SPL-Base-Component
PRODUCT_VERSION = 1.2.2.17
BUILD_DATE = 2023-01-05

AV policies are missing

root@:/opt/sophos-spl# ls -l /opt/sophos-spl/base/mcs/policy/

total 16

-rw-r----- 1 sophos-spl-local sophos-spl-group 3309 Feb 22 08:55 ALC-1_policy.xml

-rw-r----- 1 sophos-spl-local sophos-spl-group 3757 Feb 22 08:52 CORE_policy.xml

-rw-r----- 1 sophos-spl-local sophos-spl-group 363 Feb 22 08:52 flags.json

-rw------- 1 sophos-spl-local sophos-spl-group 1619 Feb 22 08:52 MCS-25_policy.xml

root@:/opt/sophos-spl/plugins# ls -l

total 8

drwx------ 7 sophos-spl-user sophos-spl-group 4096 Feb 22 08:52 eventjournaler

drwx------ 6 sophos-spl-user sophos-spl-group 4096 Feb 22 08:52 runtimedetections

root@:/opt/sophos-spl/plugins#

root@:/opt/sophos-spl# cat /opt/sophos-spl/base/mcs/policy/flags.json

{"av.onaccess.enabled": true, "installer_download.enabled": false, "alc_obfuscation.enabled": false, "ga.liveterminal.enabled": false, "mcs.v2.data_feed.available": false, "eap.liveterminal.enabled": false, "safestore.enabled": true, "livequery.network-tables.available": true, "jwt-token.available": false, "sdds3.enabled": true, "scheduled_queries.next": false}

Debug install log:

sudo export DEBUG_THIN_INSTALLER=1; bash -x ./SophosSetup.sh 2>&1 | tee install.log
sudo: export: command not found
+ umask 077
+ echo 'This software is governed by the terms and conditions of a licence agreement with Sophos Limited'
This software is governed by the terms and conditions of a licence agreement with Sophos Limited
+ args=
+ VERSION=1.2.3.5
+ PRODUCT_NAME='Sophos Protection for Linux'
+ INSTALL_FILE=./SophosSetup.sh
++ echo
++ sed s/--/x--/g
+ escaped_args=
+ [[ '' == *\x\-\-\h\e\l\p* ]]
+ [[ x == \x\-\h ]]
+ [[ '' == *\x\-\-\v\e\r\s\i\o\n* ]]
+ [[ x == \x\-\v ]]
+ EXITCODE_SUCCESS=0
+ EXITCODE_NOT_LINUX=1
+ EXITCODE_NOT_ROOT=2
+ EXITCODE_NO_CENTRAL=3
+ EXITCODE_NOT_ENOUGH_MEM=4
+ EXITCODE_NOT_ENOUGH_SPACE=5
+ EXITCODE_FAILED_REGISTER=6
+ EXITCODE_ALREADY_INSTALLED=7
+ EXITCODE_SAV_INSTALLED=8
+ EXITCODE_NOT_64_BIT=9
+ EXITCODE_DOWNLOAD_FAILED=10
+ EXITCODE_FAILED_TO_UNPACK=11
+ EXITCODE_CANNOT_MAKE_TEMP=12
+ EXITCODE_VERIFY_INSTALLER_FAILED=13
+ EXITCODE_SYMLINKS_FAILED=14
+ EXITCODE_CHMOD_FAILED=15
+ EXITCODE_NOEXEC_TMP=16
+ EXITCODE_DELETE_INSTALLER_ARCHIVE_FAILED=17
+ EXITCODE_BASE_INSTALL_FAILED=18
+ EXITCODE_BAD_INSTALL_PATH=19
+ EXITCODE_INSTALLED_BUT_NO_PATH=20
+ EXIT_FAIL_WRONG_LIBC_VERSION=21
+ EXIT_FAIL_COULD_NOT_FIND_LIBC_VERSION=22
+ EXITCODE_UNEXPECTED_ARGUMENT=23
+ EXITCODE_BAD_GROUP_NAME=24
+ EXITCODE_GROUP_NAME_EXCEEDS_MAX_SIZE=25
+ EXITCODE_DUPLICATE_ARGUMENTS_GIVEN=26
+ EXITCODE_BAD_PRODUCT_SELECTED=27
+ EXITCODE_REGISTRATION_FAILED=51
+ EXITCODE_AUTHENTICATION_FAILED=52
+ SOPHOS_INSTALL=/opt/sophos-spl
+ PROXY_CREDENTIALS=
+ MAX_GROUP_NAME_SIZE=1024
+ VALID_PRODUCTS=("antivirus" "mdr" "xdr")
+ REQUEST_NO_PRODUCTS=none
+ BUILD_LIBC_VERSION=2.17
++ ldd --version
++ grep 'ldd (.*)'
++ rev
++ rev
++ cut -d ' ' -f 1
+ system_libc_version=2.35
+ unset ALLOW_OVERRIDE_MCS_CA
+ build_version_less_than_system_version
++ printf '%s\n' 2.17 2.35
++ sort -V
++ head -n 1
+ lowest_version=2.17
+ test 2.17 '!=' 2.17
+ uname -a
+ grep -i Linux
+ '[' 0 -eq 1 ']'
++ id -u
+ '[' 0 -ne 0 ']'
++ uname -m
+ MACHINE_TYPE=x86_64
+ '[' x86_64 = x86_64 ']'
+ BIN=installer/bin
+ declare -a INSTALL_OPTIONS_ARGS
+ check_for_duplicate_arguments
+ declare -a checked_arguments
+ FORCE_UNINSTALL_SAV=0
++ which sweep
+ SWEEP=
+ '[' -x '' ']'
+ check_SAV_installed /usr/local/bin/sweep
+ local path=/usr/local/bin/sweep
++ readlink /usr/local/bin/sweep
++ sed 's/bin\/savscan//g'
+ local sav_instdir=
+ [[ '' == '' ]]
+ return
+ check_SAV_installed /usr/bin/sweep
+ local path=/usr/bin/sweep
++ readlink /usr/bin/sweep
++ sed 's/bin\/savscan//g'
+ local sav_instdir=
+ [[ '' == '' ]]
+ return
+ '[' -n '' ']'
+ '[' -z '' ']'
+ TMPDIR=/tmp
+ export TMPDIR
+ '[' -z '' ']'
++ sophos_mktempdir SophosCentralInstall
+++ which mktemp
++ _mktemp=/usr/bin/mktemp
++ '[' -x /usr/bin/mktemp ']'
++ _tmpdirTemplate=/tmp/SophosCentralInstall_XXXXXXX
+++ /usr/bin/mktemp -d /tmp/SophosCentralInstall_XXXXXXX
++ _tmpdir=/tmp/SophosCentralInstall_8SCljmU
++ '[' 0 = 0 ']'
++ '[' '!' -d /tmp/SophosCentralInstall_8SCljmU ']'
++ echo /tmp/SophosCentralInstall_8SCljmU
+ SOPHOS_TEMP_DIRECTORY=/tmp/SophosCentralInstall_8SCljmU
+ mkdir -p /tmp/SophosCentralInstall_8SCljmU
+ echo 'exit 0'
+ chmod +x /tmp/SophosCentralInstall_8SCljmU/exectest
+ /tmp/SophosCentralInstall_8SCljmU/exectest
++ awk '/^__MIDDLE_BIT__/ {print NR + 1; exit 0; }' ./SophosSetup.sh
+ MIDDLEBIT=670
++ awk '/^__UPDATE_CACHE_CERTS__/ {print NR + 1; exit 0; }' ./SophosSetup.sh
+ UC_CERTS=
++ awk '/^__ARCHIVE_BELOW__/ {print NR + 1; exit 0; }' ./SophosSetup.sh
+ ARCHIVE=679
+ '[' -n '' ']'
++ expr 679 - 670 - 1
+ MIDDLEBIT_SIZE=8
+ tail -n+670 ./SophosSetup.sh
+ head -8
+ tail -n+679 ./SophosSetup.sh
+ cd /tmp/SophosCentralInstall_8SCljmU
+ '[' -z '' ']'
++ grep CUSTOMER_TOKEN= credentials.txt
++ sed s/CUSTOMER_TOKEN=//
+ CUSTOMER_TOKEN=df6f4312-xxxxxxxxxxxxxxx3632ab
+ CUSTOMER_TOKEN_ARGUMENT='--customer-token df6f4312-xxxxxxxxxxxxxxx3632ab'
+ '[' -z '' ']'
++ grep -v CUSTOMER_TOKEN= credentials.txt
++ grep TOKEN=
++ sed s/TOKEN=//
+ CLOUD_TOKEN=xxxxxxxxxxxxxxx
+ '[' -z '' ']'
++ grep URL= credentials.txt
++ sed s/URL=//
+ CLOUD_URL=mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com/.../ep
++ grep MESSAGE_RELAYS= credentials.txt
++ sed s/MESSAGE_RELAYS=//
+ MESSAGE_RELAYS=
+ '[' -n '' ']'
+ INSTALL_OPTIONS_FILE=/tmp/SophosCentralInstall_8SCljmU/install_options
++ grep UPDATE_CACHES= credentials.txt
++ sed s/UPDATE_CACHES=//
+ UPDATE_CACHES=
+ '[' -n '' ']'
++ grep PRODUCTS= credentials.txt
++ sed s/PRODUCTS=//
+ INSTALLER_PRODUCTS=all
+ '[' -n all ']'
+ '[' -z '' ']'
+ '[' all '!=' all ']'
+ REGISTER_CENTRAL=/opt/sophos-spl/base/bin/registerCentral
+ EXISTING_SSPL_PATH=
+ force_argument
+ echo ''
+ grep -q '.*--force'
+ is_sspl_installed
+ systemctl list-unit-files
+ grep -q sophos-spl
+ '[' -d /opt/sophos-spl ']'
+ check_free_storage 2048
+ local space=2048
+ local install_path=/opt
+ '[' -z /opt ']'
+ echo /opt
+ grep -q '^/'
+ '[' '!' -d /opt ']'
++ df -kP /opt
++ sed -e 1d
++ awk '{print $4}'
+ local free=138361772
++ df -kP /opt
++ sed -e 1d
++ awk '{print $6}'
+ local mountpoint=/
+ local free_mb
+ free_mb=135118
+ '[' 135118 -gt 2048 ']'
+ return 0
+ check_install_path_has_correct_permissions
+ local install_path=/opt
+ '[' -z /opt ']'
+ '[' '!' -d /opt ']'
+ '[' /opt '!=' / ']'
++ stat -c %A /opt
+ permissions=drwxr-xr-x
+ [[ x != \x ]]
+ install_path=
+ '[' -z ']'
+ install_path=/
+ '[' / '!=' / ']'
+ check_total_mem 930000
+ local neededMemKiloBytes=930000
++ grep MemTotal /proc/meminfo
++ awk '{print $2}'
+ local totalMemKiloBytes=7945728
+ '[' 7945728 -gt 930000 ']'
+ return 0
+ tar -zxf installer.tar.gz
+ rm -f installer.tar.gz
+ export LD_LIBRARY_PATH=installer/bin64:installer/bin32
+ LD_LIBRARY_PATH=installer/bin64:installer/bin32
+ echo 'Installation process for Sophos Protection for Linux started'
Installation process for Sophos Protection for Linux started
+ MCS_TOKEN=xxxxxxxxxxxxxxx
+ MCS_URL=mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com/.../ep
+ mkdir -p /opt/sophos-spl/base/etc/sophosspl
+ echo '[global]'
+ echo 'VERBOSITY = INFO'
+ FORCE_UNINSTALL_SAV=0
+ installer/bin/installer credentials.txt xxxxxxxxxxxxxxx mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com/.../ep --customer-token df6f4312-xxxxxxxxxxxxxxx3632ab
Attempting to connect to Sophos Central
Successfully verified connection to Sophos Central
+ handle_register_errorcodes 0
+ errcode=0
+ '[' 0 -eq 44 ']'
+ '[' 0 -eq 0 ']'
+ echo 'Successfully registered with Sophos Central'
Successfully registered with Sophos Central
+ mkdir -p /opt/sophos-spl/base/update/rootcerts
+ mkdir -p /opt/sophos-spl/base/update/var/updatescheduler
+ mkdir -p /opt/sophos-spl/var/sophosspl
+ mkdir -p /opt/sophos-spl/base/update/cache
+ mkdir -p /opt/sophos-spl/var/lock
+ CERT=installer/bin/../rootca.crt
+ '[' -n ']'
+ CERT=/rootca.crt
+ '[' -f /rootca.crt ']'
+ CERT=installer/bin/../rootca.crt
+ cp installer/bin/../rootca.crt /opt/sophos-spl/base/update/rootcerts/rootca.crt
+ CERT=installer/bin/../rootca384.crt
+ '[' -n ']'
+ CERT=/rootca384.crt
+ '[' -f /rootca384.crt ']'
+ CERT=installer/bin/../rootca384.crt
+ cp installer/bin/../rootca384.crt /opt/sophos-spl/base/update/rootcerts/rootca384.crt
+ '[' -n '' ']'
+ '[' -n '' ']'
+ '[' -n '' ']'
+ '[' -n '' ']'
+ '[' -n '' ']'
+ '[' -n '' ']'
+ cp mcs.config /opt/sophos-spl/base/etc
+ cp mcsPolicy.config /opt/sophos-spl/base/etc/sophosspl/mcs.config
+ [[ -n '' ]]
+ [[ -n '' ]]
+ installer/bin/SulDownloader update_config.json /opt/sophos-spl/base/update/var/updatescheduler/update_report.json
+ inst_ret=0
+ handle_installer_errorcodes 0
+ errcode=0
+ '[' 0 -eq 44 ']'
+ '[' 0 -eq 0 ']'
+ echo 'Successfully installed product'
Successfully installed product
+ cleanup_and_exit 0
+ '[' -z '' ']'
+ rm -rf /tmp/SophosCentralInstall_8SCljmU
+ exit 0
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog 9 months ago in reply to LHerzog

OK, so the installer script is not working properly. It does not install AV automatically. Probably when AV Scanning it is NOT enabled in the DEFAULT policy for servers. We only have a test policy and need to assign test servers of that feature to the policy manually.

I gave it a chance and explicitely installed antivirus component manually (SPL already installed)

root@:/home/xxx# ./SophosSetup.sh --products=antivirus
This software is governed by the terms and conditions of a licence agreement with Sophos Limited
Found existing installation here: /opt/sophos-spl
Attempting to register existing installation with Sophos Central
Central token is [xxxxxxxxx], Central URL is [https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com/sophos/management/ep]
Registering with Sophos Central
Now managed by Sophos Central

Unfortunately this created a new DUPLICATE in Central WHY? Removed the old duplicate, assigned the new to the test policy in Central.
After some minutes the new plugins and policy files appeared.

root@:/home/xxx# ls -l /opt/sophos-spl/plugins/
total 24
drwxr-x--x 8 root            sophos-spl-group 4096 Feb 22 09:38 av
drwx------ 9 root            root             4096 Feb 22 09:38 edr
drwx------ 7 sophos-spl-user sophos-spl-group 4096 Feb 22 08:52 eventjournaler
drwx------ 7 root            root             4096 Feb 22 09:38 liveresponse
drwx------ 7 root            root             4096 Feb 22 09:38 mtr
drwx------ 6 sophos-spl-user sophos-spl-group 4096 Feb 22 08:52 runtimedetections

root@:/home/xxx# ls -l /opt/sophos-spl/base/mcs/policy
total 44
-rw-r----- 1 sophos-spl-local sophos-spl-group 3309 Feb 22 09:38 ALC-1_policy.xml
-rw-r----- 1 sophos-spl-local sophos-spl-group 4816 Feb 22 09:40 CORC_policy.xml
-rw-r----- 1 sophos-spl-local sophos-spl-group 3753 Feb 22 09:40 CORE_policy.xml
-rw-r----- 1 sophos-spl-local sophos-spl-group 363 Feb 22 09:38 flags.json
-rw-r----- 1 sophos-spl-local sophos-spl-group 663 Feb 22 09:40 LiveQuery_policy.xml
-rw-r----- 1 sophos-spl-local sophos-spl-group 1619 Feb 22 09:38 MCS-25_policy.xml
-rw-r----- 1 sophos-spl-local sophos-spl-group 435 Feb 22 09:40 MDR_policy.xml
-rw-r----- 1 sophos-spl-local sophos-spl-group 370 Feb 22 09:40 SAV-19_policy.xml
-rw-r----- 1 sophos-spl-local sophos-spl-group 6394 Feb 22 09:40 SAV-2_policy.xml

it even works on MSF "own" eicar.
Cancel
Vote Up 0 Vote Down

Cancel
+1 LHerzog 7 months ago in reply to LHerzog

whoever may find this:

The issue that the AV plugin was not installed automatically was caused by our server update base policy in central. we have enabled a day and time for updates.This causes a bug situation with the installer script.

most customers may have this unset, so it works.

the workaround for us is currently:

re-install over the existing installation ./SophosSetup.sh --products=antivirus

I'm glad that Sophos is going to have this fixed soon as regarding to the support case.
Cancel
Vote Up +2 Vote Down

Cancel