Virus name on detection

Hi Patrick,

Please can you advise which version of Sophos AntiVirus for NetApp you are running? Is the scanning server running a managed or unmanaged version of Sophos AV? Again which version and on what OS?

Regards,

Stephen

Hi,

Sophos Anti-Virus for NetApp is version 3.0.0 running on Windows Server 2012. I'm not sure to understand what you mean by scanning server, we have a single server on which I installed all Sophos components ("Sophos Endpoint Security and Control" version 10.6 and the MMC console "Sophos Anti-Virus for NetApp" version 3.0.0).

The Netapp filers are running OnTap 8.2.3 (7Mode) and uses fpolicy to connect to the scanning server.

Thank you

Patrick

Hi Patrick,

Are you running a standalone version of Sophos Endpoint Secrity and Control, or is it managed by a Sophos Enterprise Console?

If it is standalone have you configured the OnAccess settings for Sophos Endpoint Security and Control? What are the cleanup options?

You should see events on the scanning server that is running Sophos, are you not?

Anyway, SAV.txt in the programdata\Sophos\Sophos Anti-Virus\logs is the best place to locate the data

Regards,

Stephen

Hi Stephen,

Thank you for looking at that.

I guess I use a standalone version as I have no Enterprise Console around.

The cleanup settings are : Clean automatically

If cleanup fails, deny and move in :C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED

Suspect files, deny and move in : C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED

I do not see the events on the scanning server, as I have the feeling that "Sophos Endpoint Security and Control" is only used to run autoupdates...

In SAV.txt I have events like (I translate because the log is in french, I guess the install used the regional settings) :

20160923 084725 Running version 5.31 of data detection (detection engine 3.64.3). This version detects 11947014 elements.

or

20160923 084229 Control of  "\\192.168.z.y\ONTAP_ADMIN$\vol\DATA\DATA\Something\Somethingelse.docx" returned a SAV error Interface 0xa0040212: File is crypted.

Which is better as it shows a relation with the filer.

But no entry about the detection, these entries are visible only on the filer in /etc/messages :

Fri Sep 23 14:18:27 CEST [filer:vscan.virus.detected:error]: CIFS: Possible Virus Detected - File ONTAP_ADMIN$\vol\Users\Thatguy\AppData\Roaming\Mozilla\Firefox\Profiles\uxe05pl8.default\sessionCheckpoints.json.tmp in share Shared$ accessed by client 192.168.x.y () running as user t.guy may be infected. The filer received status message Code 2, file is infected.  and error code [0x2] from vscan (anti-virus) server 192.168.z.y.

Thank you for your help

Patrick

Hi Patrick,

It will be worth doing some testing to make sure things are working correctly; are you familiar with the EiCAR test string? http://www.eicar.org/86-0-Intended-use.html
Copy the text string towards the bottom of the page and save it into a text file on the Sophos scanning server 192.168.z.y; depending on your settings you may need to make the file executable by chaning the extension to .com or .exe

Sophos should detect the file and make enteries in SAV.txt and the event viewer etc

Try the test again using ONTAP and see if that works in the same way

Stephen

Done and weird results :

When I copy the file on the scanning server I get in SAV.txt :

20160926 122635 File "C:\Tempo\EicarTest.txt" belongs to virus/spyware 'EICAR-AV-Test'.
20160926 122636 The file "C:\Tempo\EicarTest.txt" was cleaned.
20160926 122637 The virus/spyware 'EICAR-AV-Test' was deleted.

When I copy on the filer I get in SAV.txt

20160926 123249 Virus/spyware 'EICAR-AV-Test' detected in '\\192.168.103.244\ONTAP_ADMIN$\vol\Echange\eicar - Copie.txt'. Cleaning impossible.
20160926 123249 Infected file "\\192.168.103.244\ONTAP_ADMIN$\vol\\eicar - Copie.txt" moved in "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\eicar - Copie.txt.000".

And the entries in /etc/messages on the filer :

Mon Sep 26 14:32:49 CEST [stor04a:vscan.virus.detected:error]: CIFS: Possible Virus Detected - File ONTAP_ADMIN$\vol\Echange\eicar - Copie.txt in share Echange accessed by client 192.168.3.41 () running as user s.user may be infected. The filer received status message Code 5, file is infected.  and error code [0x5] from vscan (anti-virus) server 192.168.103.43.

I even tried with a real virus with the same results, therefore things seems to work normally.

BUT I still have messages in /etc/messages like

Mon Sep 26 11:18:45 CEST [stor04b:vscan.virus.detected:error]: CIFS: Possible Virus Detected - File ONTAP_ADMIN$\vol\s.user\AppData\Roaming\Mozilla\Firefox\Profiles\t0310khb.default\sessionCheckpoints.json.tmp in share blabla$ accessed by client 192.168.3.43 () running as user s.user may be infected. The filer received status message Code 2, file is infected.  and error code [0x2] from vscan (anti-virus) server 192.168.103.43.

with nothing coming up in SAV.txt

The only difference I see is the code returned by the scanning server 0x5 with Eicar and real virus and 0x2 with the failing ones. I realized that I missed informations in my logs precisley because I was looking what was wrong with the detections in Firefox profiles files.

Thank you

Patrick

Hello Patrick,

The return code 2 means that the file wasnt found; you can see them here: https://kb.netapp.com/support/s/article/how-to-determine-the-meaning-of-mcafee-vscan-errors

All vendors use the same status used by the OnTap interface

Stephen

Thanks a lot,

I can confirm that the messages are linked to temporary files which makes sense with "file not found" (at least for my recent logged events). Sad I did not find the document you linked myself...

I'll configure my alerting system to ignore code 2 events.

Again, thank you for your help.

Patrick