This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Trojan in Shadows Copies - Shadow Copies is disabled!

Hi

I'm pretty much having the same error as below:

https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/89629/virus-spyware-troj-badsrc-m/404793#404793

My error is exactly:Manual cleanup required: 'Troj/Badsrc-M' at '\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy26\pagefile.sys'

Problem is on the device no shadow copies are enabled?

I've run DISKSHADOW and listed shadowcopies and it comes back with nothing.

Has anyone had this issue before?



This thread was automatically locked due to age.
Parents
  • Hello DM85,

    no shadow copies are enabled
    you mean no schedule is enabled, but the Volume Shadow Copy service is enabled? Please note that applications (e.g. Window Update) can request shadow copies and destroy them when no longer needed.
    There's a How to resolve ... article that claims the alert is likely genuine. Can't verify the rather cryptic did contain malware at some point of time as I have no recent alert of this kind. Whatever Troj/Badsrc-M is supposed to detect it seems to be some JS in an HTML file, look up the hashes at VirusTotal. While the How to suggests cleanup there's also the Scanning exclusion for volume shadow copies article.

    IMO it's not really an issue, not even an annoyance given its prevalence - not more a handful of endpoints out of 5000+ a year. Sometimes it's just one alert, sometimes there are more alerts over a period of one or two days. 

    Christian   

Reply
  • Hello DM85,

    no shadow copies are enabled
    you mean no schedule is enabled, but the Volume Shadow Copy service is enabled? Please note that applications (e.g. Window Update) can request shadow copies and destroy them when no longer needed.
    There's a How to resolve ... article that claims the alert is likely genuine. Can't verify the rather cryptic did contain malware at some point of time as I have no recent alert of this kind. Whatever Troj/Badsrc-M is supposed to detect it seems to be some JS in an HTML file, look up the hashes at VirusTotal. While the How to suggests cleanup there's also the Scanning exclusion for volume shadow copies article.

    IMO it's not really an issue, not even an annoyance given its prevalence - not more a handful of endpoints out of 5000+ a year. Sometimes it's just one alert, sometimes there are more alerts over a period of one or two days. 

    Christian   

Children
No Data