Advisory: Support Portal Maintenance. Login is currently unavailable, more info available here.
since this morning we have a lot of alert on PC:
File "C:\Windows\winsxs\Temp\PendingRenames\75f17bdfbd1dd401621600005c0e040d.x86_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.24168_none_e4412749f9de6871_dnsapi.dll_c81f5791" belongs to virus/spyware 'Mal/Generic-S'.
If we open the status of a PC in the console we have this entries:Items detected Date/time Type Name Sub-type Details Reference Action taken Username 17/07/2018 09:18:02 Virus/spyware Mal/Generic-S C:\Windows\winsxs\Temp\PendingRenames\da32d2489e1dd40162160000a001140c.x86_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.24168_none_e4412749f9de6871_dnsapi.dll_c81f5791 Removed from quarantine listNT AUTHORITY\SYSTEM17/07/2018 09:17:57 Virus/spyware Mal/Generic-S C:\Windows\winsxs\Temp\PendingRenames\da32d2489e1dd40162160000a001140c.x86_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.24168_none_e4412749f9de6871_dnsapi.dll_c81f5791 Blocked NT AUTHORITY\SYSTEM
If I do a manual scan, nothing detected. Is there a chance of a false positive?
All the best.
We are investigating this at the moment. Can you tell me if you are still getting new alerts now?
We are getting the same alert from Sophos here. It seems like a false positive on that dll, which looks like it is being updated as part of a Windows Update.
Can you tell what Windows Updates were pushed out today.
Also other than the detection is there any impact caused by this? does the Windows Update break for example?
no more alerts since 1 hour ;-) maybe a new signature.
Same thing here with my Windows Update test machines. Is Sophos looking into this?
We pushed out this months batch of Windows Updates, and we only saw it on our Windows 7 installs (all x64).
Doesn't appear to be affecting the computers as far as I can tell, plus we haven't had any more alerts since the initial batch all between 12:04pm and 12:08pm. Enterprise Console isn't listing any computers with alerts, so maybe it was just a temporary moment of confusion.
The following KBA has been published to track updates: https://community.sophos.com/kb/en-us/132417
The issues is believed to be resolved. Other than alerts being reported there was no known impact caused by this issue.