Security Health - Running malware in quarantine or cleanup failure

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Hi Community,

Below is a possible guideline to follow when a device's status in Sophos Central shows:

Security Health - Running malware in quarantine or cleanup failure

You may see events such as the following (but not limited to these):

Nov 20, 2019 12:13 PM Running malware locally cleared: 'HPmal/Crusher-N' at 'C:\Windows\SysWOW64\cmd.exe'
Nov 20, 2019 12:13 PM Running malware detected: 'HPmal/Crusher-N' at 'C:\Windows\SysWOW64\cmd.exe'

Security Health will often show a red exclamation mark, and the event list alternates between "detected" and "cleared" entries for the same process. The pattern may look random, or it may repeat on what appears to be a schedule (for example, at every startup or at a fixed time of day). A repeating pattern is itself a clue: something on the machine is re-launching the flagged process, and that is what needs to be found. Note that in the example above the detected path is cmd.exe, a legitimate Windows binary. The "HPmal/" prefix indicates a behavioral (HIPS) detection, so the alert is about what that instance of cmd.exe was doing, not about the cmd.exe file itself; do not delete or quarantine cmd.exe. The goal is to identify what launches it and which script or command line it is given.

Often the cause is a scheduled task or another autostart entry that runs a script. The script may look harmless at first glance, but the behavior it produces (for example, a batch file invoked through cmd.exe) is what triggers the detection. Consider running Microsoft Autoruns to see whether any unusual programs, scripts, or scheduled tasks are configured to run automatically and could be triggering the detection.

For more information on MS Autoruns, it is recommended to read the official article here: https://technet.microsoft.com/en-gb/sysinternals/bb963902.aspx. Note: Always run MS Autoruns as Administrator (with elevated permissions); otherwise entries in per-machine locations and other users' profiles may be incomplete. The Scheduled Tasks tab is the first place to look for the scenario described above, and enabling Options > Hide Microsoft Entries together with Verify Code Signatures (under Options > Scan Options) reduces the list to the entries worth reviewing.

If the file name, Publisher, or Description contains unusual information or is missing, Autoruns highlights the entry for easy identification: pink means there is no publisher information or the digital signature could not be verified ("(Not verified)"), and yellow means the file referenced by the entry cannot be found on disk. Clicking an entry shows more detail in the bottom pane of the Autoruns window, including the full command line, which is where the script or arguments passed to cmd.exe will appear.

Once you have located the autostart entry or process that is running an unusual script, you can submit the script (or the file it runs) to Sophos Labs for further review, and remove the entry and the script from the machine. Keep a copy of the sample for the submission before deleting it. Once done, run another full system scan to confirm that nothing is still being detected, or, if possible, repeat the steps that previously reproduced the detection (for example, reboot or wait for the next scheduled run) and confirm that the "detected" event no longer appears.
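The following PowerShell script is an added example and is not part of the original post or a Sophos tool. It automates the part of the procedure above that Autoruns does interactively: it lists scheduled tasks and Run/RunOnce registry entries whose launch command is cmd.exe or another script host, shows the command line behind each, and checks the Authenticode signature of any script file referenced in the arguments. The list of script hosts and script extensions is an assumption chosen for this example. Run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example (not from the original post): locate autostart entries that launch
# cmd.exe or another script host, so the script behind a "Running malware detected"
# event on cmd.exe can be found. Run as Administrator.

# Interpreters that usually appear as the detected process while the real payload
# is the script they were asked to run (assumed list for this example).
$scriptHosts = 'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe',
               'mshta.exe', 'regsvr32.exe', 'rundll32.exe'

function Get-HostScheduledTasks {
    # Walk every enabled scheduled task and report actions that execute a script host.
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }      # ComHandler actions have no Execute
            $exe = [System.IO.Path]::GetFileName(($action.Execute -replace '"', '')).ToLower()
            if ($exe -notmatch '\.') { $exe += '.exe' }  # "cmd" and "cmd.exe" both count
            if ($scriptHosts -contains $exe) {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    Source    = 'ScheduledTask'
                    Name      = $task.TaskPath + $task.TaskName
                    Author    = $task.Author
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    LastRun   = $info.LastRunTime
                    NextRun   = $info.NextRunTime
                }
            }
        }
    }
}

function Get-HostRunKeys {
    # Per-machine and per-user Run/RunOnce keys (the current user only; other profiles
    # would need their HKU hives loaded).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($valueName in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($valueName)
            foreach ($h in $scriptHosts) {
                if ($cmd -match [regex]::Escape($h)) {
                    [pscustomobject]@{
                        Source = 'RunKey'; Name = "$key\$valueName"; Author = ''
                        Execute = $cmd; Arguments = ''; LastRun = $null; NextRun = $null
                    }
                    break
                }
            }
        }
    }
}

function Get-ScriptFromCommandLine ([string]$commandLine) {
    # Pull the first script path out of a command line. Assumed extension list;
    # paths containing spaces are only matched when they are not quoted here.
    if ($commandLine -match '(?i)([a-z]:\\[^"\s]+\.(bat|cmd|ps1|vbs|js|wsf|hta))') {
        return $Matches[1]
    }
    return $null
}

$findings = @(Get-HostScheduledTasks) + @(Get-HostRunKeys)
foreach ($f in $findings) {
    $script = Get-ScriptFromCommandLine ("$($f.Execute) $($f.Arguments)")
    $sigStatus = 'n/a'
    if ($script -and (Test-Path $script)) {
        # Valid / NotSigned / HashMismatch / UnknownError; NotSigned on a script that
        # runs at every boot is exactly the kind of entry to submit and remove.
        $sigStatus = (Get-AuthenticodeSignature -FilePath $script).Status
    }
    $f | Add-Member -NotePropertyName Script    -NotePropertyValue $script
    $f | Add-Member -NotePropertyName Signature -NotePropertyValue $sigStatus
}

$findings | Sort-Object Source, Name |
    Format-Table Source, Name, Author, Execute, Arguments, Script, Signature, LastRun -AutoSize
```

Compare the LastRun and NextRun columns against the timestamps of the "detected" events in Sophos Central: a task whose run time lines up with the events is the likely source, and the Script column tells you which file to submit to Sophos Labs before removing the task.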



[edited by: GlennSen at 9:49 AM (GMT -7) on 5 Apr 2023]