This discussion has been locked.

False malware with Volsoft?

We've recently updated to Endpoint and have an unusual issue with one of our users recently migrated to Win10 and Endpoint.  Whenever they attempt to launch Volunteer Reporter by Volsoft it is blocked by Sophos.  I am awaiting a local screenshot from our tech dealing with the issue directly.  Whenever I pull the Endpoint report for that machine the only event relatable to the incident is "Access was blocked to "http://iyfbodn.com/px.js?ch=2" because of "Mal/HTMLGen-A"."  We have run a manual update as well as scans with no malware or virus found or indicated.  The tech contacted Volsoft and received the following...

"Subject: Volsoft Sophos Issue

Sophos has been an ongoing and random problem for us.  This is due to Sophos AV blocking our files without warning or logs.  You will also notice that Sophos will continue to block our program files even after the client is disengaged on the user’s PC.  The only way to prove that Sophos is the problem is to completely uninstall it from the PC and attempt to open The Reporter.  You will notice that The Reporter will open without issue after uninstalling (you will need to use the Sophos cleanup tool https://support.sophos.com).  The Sophos client must be uninstalled, exceptions added to the administrative console on the server, then re-installed on the user’s PC.  We have been dealing with this issue for over 3 years, but Sophos will not whitelist our files because we are not Sophos customers.

If the following exceptions are added to Sophos and you are still having problems, you must contact Sophos with the issue.

Add exceptions for the following files and/or folders:

File extensions:

- .DBF
- .DBT
- .MDX

Files with these extensions are located in the Data Set folder on the network share.

Files:

- PLUSRUN.EXE  (must be all caps)
- Reporter.exe
- Reporter.dll

These files are located in “C:\Program Files (x86)\Volunteer Software\Reporter\Program” on the client/workstation.

Folders (if you choose to add full folders):

- 64-bit PCs:    C:\Program Files (x86)\Volunteer Software\Reporter\Program
- 32-bit PCs:    C:\Program Files\Volunteer Software\Reporter\Program
- 64-bit PCs:    C:\Program Files (x86)\Reporter\Program
- 32-bit PCs:    C:\Program Files\Reporter\Program

We have also received the following information about adding PLUSRUN.EXE to Sophos Admin Console:

- Login to Sophos Central
- Global Settings
- Global Exclusions
- Add Exclusion
- Exclusion Type : Exploit Mitigation (Windows)
- Scroll down to "Application not listed?"
- Give the whole path of application (C:\Program Files (x86)\Volunteer Software\Reporter\Program\PLUSRUN.EXE)    [must be all CAPS]
- Click on Add
- Save

Please let me know if you need any assistance or further explanation of these issues."

So we've got some finger pointing here but hopefully the community here has either some experience or insight with this issue.

Thank you!



  • Hi Joseph,

    Thanks for reaching out to the Sophos Community Forum. 

    Checking on some of the cases we've received in the past I was able to locate the following exclusions list. Depending on the version you have installed, the folder locations may vary slightly, namely v6.8's directory structure. Let me know if you need that as well.

    Process exclusions for:

    C:\Program Files (x86)\Volunteer Software\Reporter\Program\PLUSRUN.EXE

    C:\Program Files (x86)\Volunteer Software\Reporter\Program\reporter.dll

    C:\Program Files (x86)\Volunteer Software\Reporter\Program\Reporter.exe

    File and Folder exclusions for:

    *.DBF

    *.DBT

    *.MDX

    C:\Program Files (x86)\Volunteer Software\Reporter\Program\

    C:\Program Files\Volunteer Software\Reporter\Program\

    C:\Program Files (x86)\Reporter\Program\

    C:\Program Files\Reporter\Program\

    Exploit Mitigation exclusions for:

    C:\Program Files (x86)\Volunteer Software\Reporter\Program\PLUSRUN.EXE

    C:\Program Files (x86)\Reporter\Program\PLUSRUN.EXE

    C:\Program Files\Reporter\Program\PLUSRUN.EXE

    C:\Program Files (x86)\Volunteer Software\Reporter\Program\Reporter.dll

    C:\Program Files (x86)\Reporter\Program\Reporter.dll

    C:\Program Files\Reporter\Program\Reporter.dll

    C:\Program Files (x86)\Volunteer Software\Reporter\Program\reporter.exe

    C:\Program Files (x86)\Reporter\Program\reporter.exe

    C:\Program Files\Reporter\Program\reporter.exe

    Kushal Lakhan
    Team Lead, Global Community Support
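
An added example, not part of the original replies and not Sophos or Volsoft tooling: a PowerShell inventory to run on the affected workstation before entering the exclusions listed above. It records which of the listed binaries actually exist, their on-disk name casing (the vendor email says PLUSRUN.EXE must be all caps), SHA-256 and Authenticode status, so only paths that are present get excluded and there is a baseline to compare against later. The paths and file names are the ones quoted in the thread; the CSV file name is an assumption.

```powershell
# Added example: inventory the binaries named in the exclusion lists above.
# Roots and file names are taken from the thread; the CSV name is an assumption.
$roots = @(
    'C:\Program Files (x86)\Volunteer Software\Reporter\Program',
    'C:\Program Files\Volunteer Software\Reporter\Program',
    'C:\Program Files (x86)\Reporter\Program',
    'C:\Program Files\Reporter\Program'
)
$files = @('PLUSRUN.EXE', 'Reporter.exe', 'Reporter.dll')

$report = foreach ($root in $roots) {
    foreach ($name in $files) {
        # Enumerate the folder so .Name reflects the real on-disk casing
        # (-eq is case-insensitive, so the match does not depend on casing).
        $item = Get-ChildItem -LiteralPath $root -File -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -eq $name } |
                Select-Object -First 1

        if (-not $item) {
            # Not installed at this location: no exclusion needed for this path.
            [pscustomobject]@{
                Path = (Join-Path -Path $root -ChildPath $name); Present = $false
                OnDiskName = $null; Signature = $null; Signer = $null; Sha256 = $null
            }
            continue
        }

        $sig = Get-AuthenticodeSignature -LiteralPath $item.FullName
        [pscustomobject]@{
            Path       = $item.FullName
            Present    = $true
            OnDiskName = $item.Name
            Signature  = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
            Signer     = $sig.SignerCertificate.Subject   # empty when the file is unsigned
            Sha256     = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        }
    }
}

# Show what is actually installed, and keep the full record for later comparison.
$report | Where-Object { $_.Present } |
    Format-Table Path, OnDiskName, Signature, Sha256 -AutoSize
$report | Export-Csv -Path .\reporter-exclusion-inventory.csv -NoTypeInformation
```

Re-running it after an application update and comparing the CSV files shows whether an excluded binary has changed since the exclusion was created.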