Sophos Anti-Virus flagging ZoneAlarm file as suspicious

Sophos Anti-Virus 7.6.16 (with latest updates) has sent a file to quarantine which apparently belongs to ZoneAlarm.

The file in question is C:\Program Files\Checkpoint\ZAForceField\Plugins\ISWHRSRV.dll.

Sophos identifies it as suspicious, of type Sus/VB-AM.

I can find no reference to either ISWHRSRV.dll or Sus/VB-AM on either the Sophos or ZoneAlarm websites.

Does anybody know if this is really a suspicious file or is it a false trip from Sophos?

  • Hello carina,

    I can't find Sus/VB-AM, only Sus/VB-AN, but it probably doesn't make much difference. The reply to your post on the ZoneAlarm forums says it's legitimate.

    If you read the Action tab for the Sus/VB-Ax items you'll find the following paragraph:

    To reduce the chance of unwanted detections, Sophos HIPS should be set to 'Alert only' mode for the duration of any software installations. For more information, please read the knowledgebase article about deciding whether to allow or block a file.

    But even if you did use Alert only mode at first, a file may later cause an alert, either because it has been updated or because the detection data has. It's therefore advisable to configure Cleanup for suspicious files as Deny access only.

    Usually I send in a sample in addition to authorizing it when

    a) I think it is part of an application which is widely-used (except for one-time - i.e. not part of auto-update - installers and uninstallers)

    b) the alert was caused by changed definitions (i.e. the file has been around for some time without Sophos complaining but has been detected after a detection data update)

    Christian

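Before authorizing a file that was flagged as Sus/VB-xx, it is worth collecting the evidence the reply above implies you should have: what the file claims to be, whether it carries a valid Authenticode signature from the vendor, and a hash of the exact bytes to go with the sample submission. The script below is an added example, not part of the original thread and not a Sophos or ZoneAlarm tool. The path is the one quoted in the question; the expected publisher string 'Check Point' is an assumption and should be adjusted to whatever subject the vendor's certificate actually carries. It deliberately uses .NET for the hash so that it also runs on the PowerShell 2.0 that shipped alongside Sophos 7.x.

```powershell
# Added triage example (not from the original thread): gather the evidence
# you would want before authorizing a file flagged as suspicious.
# The path is the one quoted in the question; the publisher string is an
# assumption, adjust it to the vendor's real certificate subject.
param(
    [string]$Path = 'C:\Program Files\Checkpoint\ZAForceField\Plugins\ISWHRSRV.dll',
    [string]$ExpectedPublisher = 'Check Point'
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Error "File not found or not readable: $Path"
    exit 1
}

$item = Get-Item -LiteralPath $Path

# 1. Embedded version resource: does the file say what it claims to be?
#    Easy to forge, so treat it as a hint, not as proof.
$vi = $item.VersionInfo
"Company:     $($vi.CompanyName)"
"Product:     $($vi.ProductName)"
"Description: $($vi.FileDescription)"
"Version:     $($vi.FileVersion)"

# 2. Authenticode signature: a valid chain to the expected publisher is the
#    strongest evidence that the file is genuine and has not been modified.
$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature:   $($sig.Status)"
if ($sig.SignerCertificate) {
    "Signer:      $($sig.SignerCertificate.Subject)"
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like "*$ExpectedPublisher*") {
        "Signer matches expected publisher '$ExpectedPublisher'"
    } else {
        Write-Warning "Signature invalid or signer does not match '$ExpectedPublisher'"
    }
} else {
    Write-Warning "File is not Authenticode-signed; rely on the hash and vendor confirmation"
}

# 3. SHA-256 of the exact bytes, for the sample submission and so that a later
#    alert on a changed file (case b in the reply) can be told apart from an
#    alert caused by changed detection data. Uses .NET directly so it works
#    on PowerShell 2.0 as well as current versions.
$sha = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($Path)
try {
    $hashHex = ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '')
} finally {
    $stream.Close()
}
"SHA-256:     $hashHex"
"Size:        $($item.Length) bytes"
"Modified:    $($item.LastWriteTimeUtc.ToString('u'))"
```

Run it from an elevated prompt if the file sits under Program Files and on-access scanning still denies access, and keep the printed hash with your submission: if the same path alerts again later, a different hash tells you the file changed, an identical hash tells you the detection data did. A valid signature from the expected publisher is strong evidence of a false positive but not proof on its own, so sending the sample in, as the reply suggests, is still the right step.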