Hi
Recently received this alert on a machine that isn't overly used. Need to determine if this is a false positive, but also it's copying to multiple VSS Shadow Copies each time a VSS is run; is there a way to identify its source?
The device has Intercept X on it, and the "malware" is actually being cleaned up after we receive the alerts:
Virus/spyware 'Troj/Badsrc-M' has been detected in "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\pagefile.sys". Cleanup failed
Hello Sophos User1483,
As you mention Intercept X you're perhaps talking about Central, not On-Premise. But as far as the scanner is concerned they are identical. Anyway, IMO there's no need to worry; please see my response in this recent thread (note the link to the "how to resolve" article). For the sake of completeness (although they provide no further insight), the analyses for Troj/Badsrc-M and Mal/Badsrc-M.
Christian.
Thanks - we know this could be a FP, but how do we stop it picking it up each time a volume shadow copy is restarted? It's alerting each time this is done.
As I said in the linked post, the occasional alerts on an endpoint continued for one or two days and then subsided, and in a post linked from there. Guess it'd be safe to add an exclusion for the shadow copy (like \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy*\pagefile.sys); can't say if it'd help.
Christian
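The original question asks how to identify which volume a flagged shadow copy device such as `\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy6` was taken from. The following PowerShell is an added example, not code from this thread, from Christian, or from Sophos: it maps each VSS shadow copy (built-in `Win32_ShadowCopy` class) to its source volume and mount point (`Win32_Volume`), so the alert path can be tied to a specific drive's pagefile. The function name `Get-ShadowCopySource` and the `-DeviceName` parameter are my own; it assumes an elevated session on the affected Windows machine.

```powershell
# Added example (not from the thread): map each VSS shadow copy device object
# to the live volume it was taken from, so an alert path such as
#   \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\pagefile.sys
# can be traced back to the drive letter whose pagefile is being scanned.
# Run in an elevated PowerShell session; uses only the built-in CIM classes
# Win32_ShadowCopy and Win32_Volume.

function Get-ShadowCopySource {
    [CmdletBinding()]
    param(
        # Optional filter: only report the shadow copy whose device object
        # ends with this name (e.g. 'HarddiskVolumeShadowCopy6').
        [string]$DeviceName
    )

    # Lookup table: volume GUID path (\\?\Volume{GUID}\) -> mount point (C:\)
    $volumes = @{}
    foreach ($v in Get-CimInstance -ClassName Win32_Volume) {
        if ($v.DeviceID) { $volumes[$v.DeviceID] = $v.Name }
    }

    foreach ($sc in Get-CimInstance -ClassName Win32_ShadowCopy) {
        if ($DeviceName -and ($sc.DeviceObject -notlike "*$DeviceName")) { continue }
        [pscustomobject]@{
            ShadowDevice = $sc.DeviceObject          # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            SourceVolume = $sc.VolumeName            # \\?\Volume{GUID}\
            MountPoint   = $volumes[$sc.VolumeName]  # e.g. C:\
            Created      = $sc.InstallDate
            ShadowId     = $sc.ID
        }
    }
}

# Which volume does shadow copy 6 belong to? (device number taken from the alert)
Get-ShadowCopySource -DeviceName 'HarddiskVolumeShadowCopy6' | Format-List

# Cross-check: the pagefile locations are configured here, so the flagged file
# should correspond to the pagefile of the mount point reported above.
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management').PagingFiles
```

Running it without `-DeviceName` lists every current shadow copy with its source volume and creation time, which also shows why the alert recurs: each new snapshot of that volume carries a fresh copy of the same pagefile.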