
Fragments found, how do I go about finding more

Running SAV on Ubuntu, I was scanning the drives of a Windows virtual machine (mounted the VMDK files) and the memory snapshot of that VM (i.e. the SnapshotXX.vmem), using the following command:

  • savscan -dn -f --no-stop-scan -rec -archive /mnt/windows_mount

I added -dn to see it making progress, -f for a full scan, --no-stop-scan to force scanning of large files such as pagefile.sys, -rec for recursive scanning (obviously), and -archive to scan all archives.

SAV reports two hits:

  1. fragments of malware in pagefile.sys (on the mounted VMDK files)
  2. fragments of another malware in the VMEM file

To rule out a false positive, how do I go about finding more useful information than the above?

Kind regards



  • Did you pull the 2 hits from the logs, and was that all the available detail in there?

     

    Sophos Anti-Virus logs details of scanning activity in the Sophos Anti-Virus log and syslog. In addition, virus and error events are logged in the Sophos Anti-Virus log.

      • To view the Sophos Anti-Virus log, use the command savlog. This can be used with various options to restrict the output to certain messages and to control the display. For example, to display all messages logged to the Sophos Anti-Virus log in the last 24 hours, and to display the date and time in UTC/ISO 8601 format, type: /opt/sophos-av/bin/savlog --today --utc
      • To see a complete list of the options that can be used with savlog, type: man savlog

    Respectfully, 

     

    Badrobot

     
