The Sophos Community will be offline for scheduled maintenance this Saturday, May 27th, at 13:00 UTC for approximately 1 hour. Apologies for any inconvenience caused.
"Wanna" ransomware outbreak. Please see this Sophos article sophos.com/kb/126733 for advice on how to protect your organization. Immediate action recommended.
The tmp.edb and other .edb files generate an unexpected detection. The .edb is not included in the default on-access scanner extension list. This alert may also occur when behavior monitoring is enabled.
File "C:\Windows\security\database\tmp.edb" belongs to virus/spyware 'Mal/ZboCheMan-A'.
When the location is investigated, the file often no longer exists.
The reported locations are:
This is caused when Windows security database files (.edb) are scanned as part of behavior monitoring or when on-access scanner needs to verify that the file type is as the filename suffix states. This can occur regardless of the on-access scanned extensions list. These files can contain a structure that the on-access scanner may interpret as malicious when the file is in transitional state (i.e.this is considered as a false positive).
Applies to the following Sophos product and version Sophos Endpoint Security and Control 9.7
See, Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows by Microsoft. We recommend only adding the necessary exclusions.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.