'Troj/Badsrc-M' has been detected in Pagefile.sys


Recently received this alert on a machine that isn't overly used. Need to determine if this is a false positive, but also it's copying to multiple VSS Shadow Copies each time a VSS is run. Is there a way to identify its source?

The device has Intercept X on it and the "malware" is actually being cleaned up after we receive the alerts.

Virus/spyware 'Troj/Badsrc-M' has been detected in "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\pagefile.sys". Cleanup failed

  • Hello Sophos User1483,

    as I said in the linked post the occasional alerts on an endpoint continued for one or two days then subsided, and in a post linked from there Guess it'd be safe to add an exclusion for the shadow copy (like \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy*\pagefile.sys), can't say if it'd help.

