On-Premise Endpoint

Sophos Endpoint Software Trojan in Shadows Copies - Shadow Copies is disabled!

On-Premise Endpoint requires membership for participation - click to join

Thread Info

State Not Answered
Locked Locked
Replies 1 reply
Subscribers 4 subscribers
Views 2810 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Trojan in Shadows Copies - Shadow Copies is disabled!

DM85 over 5 years ago

Hi

I'm pretty much having the same error as below:

https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/89629/virus-spyware-troj-badsrc-m/404793#404793

My error is exactly:Manual cleanup required: 'Troj/Badsrc-M' at '\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy26\pagefile.sys'

Problem is on the device no shadow copies are enabled?

I've run DISKSHADOW and listed shadowcopies and it comes back with nothing.

Has anyone had this issue before?

This thread was automatically locked due to age.

Parents

0 QC over 5 years ago

Hello DM85,

no shadow copies are enabled
you mean no schedule is enabled, but the Volume Shadow Copy service is enabled? Please note that applications (e.g. Window Update) can request shadow copies and destroy them when no longer needed.
There's a How to resolve ... article that claims the alert is likely genuine. Can't verify the rather cryptic did contain malware at some point of time as I have no recent alert of this kind. Whatever Troj/Badsrc-M is supposed to detect it seems to be some JS in an HTML file, look up the hashes at VirusTotal. While the How to suggests cleanup there's also the Scanning exclusion for volume shadow copies article.

IMO it's not really an issue, not even an annoyance given its prevalence - not more a handful of endpoints out of 5000+ a year. Sometimes it's just one alert, sometimes there are more alerts over a period of one or two days.

Christian
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 QC over 5 years ago

Hello DM85,

no shadow copies are enabled
you mean no schedule is enabled, but the Volume Shadow Copy service is enabled? Please note that applications (e.g. Window Update) can request shadow copies and destroy them when no longer needed.
There's a How to resolve ... article that claims the alert is likely genuine. Can't verify the rather cryptic did contain malware at some point of time as I have no recent alert of this kind. Whatever Troj/Badsrc-M is supposed to detect it seems to be some JS in an HTML file, look up the hashes at VirusTotal. While the How to suggests cleanup there's also the Scanning exclusion for volume shadow copies article.

IMO it's not really an issue, not even an annoyance given its prevalence - not more a handful of endpoints out of 5000+ a year. Sometimes it's just one alert, sometimes there are more alerts over a period of one or two days.

Christian
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data