Authorization of Sus files/behaviour

I am trying to Authorize a file that has been flagged as having Sus/Behaviour.

Gone into the AV/HIPS policy and Authorization Manager part.

There are 2 instances of the file concerned. I don't want to authorize both, as 1 is from a desktop and 1 is from a server.

My question is how do I relate the entry back to the correct machine? I assume it's via the Checksum figure, but I can't work out where to find the correlation between them.

SEC 4.0.0.2362

Thanks

Jon

    Hi,

    I always turn to the database for this sort of information.  I would suggest installing a copy of Microsoft SQL Server Management Studio (http://www.microsoft.com/downloads/details.aspx?FamilyID=08e52ac2-1d62-45f6-9a4a-4b76a8564a2b&displaylang=en) on a machine on the network and connect to the Sophos database instance.  

    You could use the OSQL.exe command line tool, but the output format isn't too great, and I tend to look in the database quite a bit for reports.

    Once in SQL Studio, choose the SOPHOS4 database from the drop down and run the following command against the SOPHOS4 database:

    Select c.name as computerName, t.ThreatName, t.ThreatType, t.Checksum, t.FileVersion, t.FullFilePath, t.FirstDetectedAt
    from dbo.ThreatInstancesAll as t
    inner join dbo.computersanddeletedcomputers as c with (nolock) on c.id = t.computerid
    where t.threattype=5

    where threattype could be for example:
    1 = Virus
    2 = Adware/PUA
    4 = HIPS
    5 = Sus

    This should help you find what you need and by adjusting the where clause for various things and threattype you should be able to find most data.  I used the view ThreatInstancesAll rather than the 2 tables Threats and ThreatsArchive that make up the view as I don't know if this is an outstanding alert or not for you.

    I hope this helps you.

    Jak

    PS, if you can't install the MS SQL Studio, running this command will do it. I've assumed you have a SOPHOS named instance and you would run this on the machine where the database resides.

    OSQL -E -S .\sophos -d SOPHOS4 -Q "Select c.name as computerName, t.ThreatName, t.ThreatType, t.Checksum, t.FileVersion, t.FullFilePath, t.FirstDetectedAt from dbo.ThreatInstancesAll as t inner join dbo.computersanddeletedcomputers as c with (nolock) on c.id = t.computerid where t.threattype=5" -o C:\threatsSus.txt -w 1000

    This will create a file called C:\threatsSus.txt, you can either search for the filename or the checksum.
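The following T-SQL is an added example, not part of Jak's answer or Sophos documentation. It takes the question one step further: instead of listing every suspicious-file detection, it starts from the checksum shown in the Authorization Manager entry and returns the computer(s) that reported that exact checksum, then gives an overview of how many distinct machines share each checksum. It assumes the same SOPHOS4 database, view and column names as the query above; the checksum value and the NVARCHAR(64) variable type are placeholders/assumptions, since the page does not show the column's real type.

```sql
-- Added example (not from the original post). Run against the SOPHOS4 database,
-- for example in SQL Server Management Studio or via OSQL as shown in the answer.
USE SOPHOS4;

-- Placeholder: paste the checksum shown in Authorization Manager here.
-- The variable type is an assumption; adjust it to match the real column type.
DECLARE @checksum NVARCHAR(64);
SET @checksum = N'<checksum-from-authorization-manager>';

-- 1. Which computer(s) reported this exact checksum as a suspicious file (threattype 5)?
--    Each row is one detection; the computer name tells you whether it came
--    from the desktop or the server.
SELECT c.name          AS computerName,
       t.ThreatName,
       t.FullFilePath,
       t.FileVersion,
       t.FirstDetectedAt
FROM   dbo.ThreatInstancesAll AS t
       INNER JOIN dbo.computersanddeletedcomputers AS c WITH (NOLOCK)
               ON c.id = t.computerid
WHERE  t.threattype = 5
  AND  t.Checksum   = @checksum
ORDER BY t.FirstDetectedAt DESC;

-- 2. Overview of all suspicious-file checksums: how many distinct machines reported
--    each one and when. Two Authorization Manager entries with different checksums
--    (e.g. a desktop copy and a server copy of "the same" file) show up as separate
--    rows here, so you can see which one to authorize before touching either.
SELECT t.Checksum,
       t.ThreatName,
       COUNT(DISTINCT t.computerid) AS machineCount,
       MIN(t.FirstDetectedAt)        AS firstSeen,
       MAX(t.FirstDetectedAt)        AS lastSeen
FROM   dbo.ThreatInstancesAll AS t
WHERE  t.threattype = 5
GROUP BY t.Checksum, t.ThreatName
ORDER BY machineCount DESC, lastSeen DESC;
```

If the first query returns more than one computer for a single checksum, the Authorization Manager entry covers every machine that reported that file, so check the full path and file version columns as well before deciding. As Jak notes, ThreatInstancesAll is the view over the Threats and ThreatsArchive tables, so the results include both current and archived alerts.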
