
'Authorising' viruses

Hello, I am after some help with getting rid of a virus from my computer. My Sophos anti-viral software has detected suspicious behaviour of a virus: HIPS/FileMod-005 on my computer. It only gives me the option to 'authorise' the virus, not to delete it. I do not know much about computers, so I am confused about what 'authorising' a virus means. Could it be potentially harmful for my computer if I click to authorise this virus?

Ever since Sophos detected this virus, my computer keeps randomly coming up with a message saying 'you have performed an illegal instruction' then it shuts down about 5 seconds later. So I am sure it is a harmful virus!

I have no idea what to do!

Any help is much appreciated!



  • Hi,

    Firstly you may or may not have a virus: that's a bit vague I know but I will try to explain why.  As a bit of background, traditionally AV products used just signature based detection. I.e. a malware author would code a virus and eventually the anti-virus companies would get a sample, create detection and everyone who updated would be protected from that virus in the future.  So the virus writer was always ahead of the anti-virus companies.  The problem then became that the sheer number of viruses and general malware being written became too much to keep on top of with this approach alone, so other methods were needed to help with both volume and proactive protection.

    So the anti-virus companies continued with signature based detection but supplemented it with behaviour detection.  As an example, if all viruses create a start-up point for themselves in a certain registry key, it would make sense to monitor that registry key as this might offer some way of generically identifying a large selection of malware or at least flagging it as a significant event.  The problem being, that registry key could also be used by genuine software so the security software can bring to the attention of the user that something malicious might be going on but it can't categorically say so without being aware of everything "good". In this case it's up to the user to choose to "Authorise" it or not.  If the user is aware of what he is doing, e.g. knowingly installing a piece of software then this is possibly more likely to be legitimate than if he or she was just browsing the web but this is no guarantee.

    So Sophos has found something on your machine which exhibits suspicious behaviour but the Sophos Labs haven't classified it as malicious or a virus; either because it's not or they haven't seen a sample of it yet.  Looking at the analysis of that rule on the website shows:

    http://www.sophos.com/security/analyses/suspicious-behavior-and-files/hipsfilemod005.html

    Runtime behavior alerts of this type inform the user that an attempt has been made to install a suspicious-looking system driver. Any attempt at this behavior by an unauthorized program could indicate a malware infection.

    So were you installing software which would have installed a driver at the time you got an alert?

    If you downloaded a piece of software from a reputable source for example and during the install you got this warning then the chances are it is ok, but the bottom line is it's not easy to tell and for that reason, if you're in any doubt I would submit the file being detected to Sophos for analysis.

    If you add to the equation that your machine is now randomly shutting down that makes sense to some extent as the rule fired was for installing a driver.  If anything is going to cause such behaviour it would be more than likely a driver but whether that driver is malicious or badly written or possibly both I cannot say so a sample is the way to go:

    https://secure.sophos.com/support/samples/

    I hope this hasn't confused you further and maybe set your mind at rest.

    Jak 

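To illustrate the signature-versus-behaviour distinction Jak describes, and why a behaviour rule can only "alert" and offer an "Authorise" choice rather than delete, here is a small constructed example in Python. It is added to this thread and is not Sophos code; the file paths, process names, hash database and the simplified driver-install rule are all assumptions standing in for the real HIPS/FileMod-005 logic, which is not described on this page.

```python
"""Toy HIPS-style engine contrasting signature and behaviour detection (constructed example)."""
import hashlib
from typing import Optional

# Constructed signature database: hashes of files already classified as malicious.
KNOWN_BAD = {hashlib.sha256(b"constructed known-bad sample").hexdigest()}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"   # assumed location a driver install writes to

# Constructed events: which process wrote which file, and the bytes written.
EVENTS = [
    {"proc": "setup.exe",    "path": r"C:\Windows\System32\drivers\vendor.sys", "data": b"driver A"},
    {"proc": "iexplore.exe", "path": r"C:\Windows\System32\drivers\hidden.sys", "data": b"driver B"},
    {"proc": "winword.exe",  "path": r"C:\Users\me\Documents\report.docx",     "data": b"document"},
    {"proc": "dropper.exe",  "path": r"C:\Users\me\AppData\Local\Temp\x.exe",  "data": b"constructed known-bad sample"},
]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def behaviour_rule(event: dict) -> Optional[str]:
    """Simplified stand-in for a driver-install rule: any write of a .sys file into
    the drivers directory is flagged, whoever does it (hence false positives are possible)."""
    p = event["path"].lower()
    if p.startswith(DRIVER_DIR) and p.endswith(".sys"):
        return "driver-install"
    return None

def classify(events, authorised):
    """authorised: set of (process name, file hash) pairs the user has already
    clicked 'Authorise' for. Returns (process, verdict, reason) per event."""
    results = []
    for ev in events:
        digest = sha256(ev["data"])
        if digest in KNOWN_BAD:                      # signature: certain, so it can be blocked outright
            results.append((ev["proc"], "blocked", "signature"))
            continue
        rule = behaviour_rule(ev)
        if rule is None:
            results.append((ev["proc"], "clean", ""))
        elif (ev["proc"], digest) in authorised:     # the user vouched for this exact file
            results.append((ev["proc"], "allowed", rule))
        else:                                        # suspicious but unproven: ask the user
            results.append((ev["proc"], "alert", rule))
    return results

if __name__ == "__main__":
    for r in classify(EVENTS, set()):
        print(r)
    print("after authorising setup.exe's driver:")
    for r in classify(EVENTS, {("setup.exe", sha256(b"driver A"))}):
        print(r)
```

Note that authorising is keyed to the exact process and file hash, so the legitimate installer's driver is allowed while the browser writing a driver still raises an alert, and the known-bad sample is blocked regardless of any authorisation.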