
Infected file libtsr.so forced Sophos server AV Free uninstall - bug?

Hi.

I need help with fixing an issue with Sophos AV server Free.

Issue: We have a KVM server with one website on it. On 24th August 2018 the email clients were suddenly not able to log in to the email server. Seems like this happened after a WordPress or a Sophos upgrade.

Our hosting company found out Sophos AV was blocking access to the email server. They could not find the reason and they had to disable Sophos in the server. Meanwhile, I received around 5,000 (five thousand) warning emails from Sophos AV, telling me that a file was infected: "The antivirus is detecting an infected file A threat classified as 'Mal/Generic-S' was detected in the file '/usr/lib64/libtsr.so' when attempting to open it at Fri Aug 24 16:34:00 2018 EDT -0900 (2018-08-24 20:34:00 UTC). Access to the infected file was not allowed."

Seems like this libtsr.so file belongs to Sophos AV, or so the hosting company has told me. I had immediately deleted this offending file through SSH, but then the hosting company could not uninstall Sophos. They restored the file on the server and uninstalled Sophos AV Free. The offending file libtsr.so was uninstalled too.

Solution: All in all the issue was solved. We had some work to delete the 5,000 emails received from Sophos AV. But I want to use Sophos AV on my server as it is better than ClamAV. However, I first need to be sure about why the issue happened and make sure it will not happen again.

Question: can anybody help me find out why the file libtsr.so was getting flagged by Sophos itself as an infected file? Is this really a Sophos file? Was it really infected, or could this be a false flagging/bug? I wonder if this issue was reported by others and is already fixed?

Any advice is welcome.

Rgs.

IM



This thread was automatically locked due to age.
  • Hello IM,

    I'm not aware that Sophos puts anything into /usr/lib or /usr/lib64 (could you confirm?) and the name is odd. That its absence prevented an uninstall, and that after it was restored the uninstall succeeded and took it with it, is even stranger.

    why the file libtsr.so was getting flagged
    If you still have a sample, please submit it to Sophos. As the name implies, the detection is generic: no definitely known threat, but something in the file is very suspicious.

    Christian

  • /usr/lib64/libtsr.so isn't part of SAV.

     

    I haven't heard of it before, and can't find out about it from Google. The little I've seen suggests it might be part of a remote shell attack.

     

    The vast majority of SAV's files are installed to the installation directory. We do copy a few files, and symlink some others, outside it, but not libraries.

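Douglas's point that the library is not part of SAV is the cue for the triage a defender would do before reinstalling anything: is the file owned by any installed package, does a running process currently have it mapped, and is it forced into every process through /etc/ld.so.preload. The script below is an added example, not code from any poster or from Sophos; the path /usr/lib64/libtsr.so comes from the thread, and the rpm/dpkg calls assume one of those package managers is present.

```python
"""Triage an unexpected shared library such as /usr/lib64/libtsr.so (added example)."""
import os
import shutil
import subprocess
import sys

def owning_package(path):
    """Ask rpm or dpkg who owns the file; None if unowned or no tool is installed."""
    for cmd in (["rpm", "-qf", path], ["dpkg", "-S", path]):
        if shutil.which(cmd[0]):
            r = subprocess.run(cmd, capture_output=True, text=True)
            return r.stdout.strip() if r.returncode == 0 else None
    return None

def mapped_in(maps_text, path):
    """True if a /proc/<pid>/maps dump contains a mapping backed by this path."""
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode [pathname]
        if len(fields) == 6 and fields[5] == path:
            return True
    return False

def pids_loading(path, proc="/proc"):
    """PIDs that currently have the library mapped (a deleted file can live on here)."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "maps")) as f:
                if mapped_in(f.read(), path):
                    hits.append(int(pid))
        except OSError:
            continue  # process exited, or its maps are not readable to us
    return sorted(hits)

def in_preload(path, preload="/etc/ld.so.preload"):
    """True if the dynamic loader is told to inject the library into every process."""
    try:
        with open(preload) as f:
            return any(l.strip() == path for l in f if not l.lstrip().startswith("#"))
    except OSError:
        return False

if __name__ == "__main__":
    p = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib64/libtsr.so"
    print("present:", os.path.exists(p), "| in ld.so.preload:", in_preload(p))
    print("loaded by pids:", pids_loading(p), "| package:", owning_package(p))
```

An unowned library that is mapped into a service such as the mail server, or listed in ld.so.preload, is worth preserving as-is and submitting as a sample rather than deleting, since the loaded copy keeps working after the file is removed.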

  • QC and Douglas, thank you very much for your reply.

     

    I checked the server again, and to my surprise the file libtsr.so is still there.

     

    Seems like this file libtsr.so has something to do with the (LAMP) server; here you have the information from the hosting company:

     

    I googled the name of this file and no relevant information came from the search. Seems like it is related to Linux, but I am not sure. This is starting to sound strange. Why would the hosting company reinstall a file that is flagged as an exploit? Douglas mentioned that this file is not part of SAV; is this file necessary to install or uninstall SAV Free?

    I am attaching it as a zipped file to this reply. This is not the same file version that caused SAV to flag it as an exploit on 24th August and sent around 5,000 warning emails to me. The date of this file is 27th August, most probably the one that the hosting company put back on the server "to uninstall SAV", as they said.

    Please, could you check it and get back to me? If you give me the green light I will reinstall Sophos on the server.

    Rgs

    IM

  • I'm afraid I can't look at potentially malicious files: You'll have to submit it through the link QC posted earlier. 

  • Oops, sorry. I will upload the file and post the results here when I get them.