
Not cleanable viruses...

Hi,

I tried finding some articles on the matter, to no avail. Every now and then I get a virus notification for an endpoint PC that is classed "not cleanable". I look it up on the Sophos website to see if there is any info on it; usually there is none, so I try to submit a sample. The log lists the file location, usually in the Temporary Internet Files, but whenever I try to locate the file I can never get to the bottom of the file path, as it simply isn't there, and there is nothing in the endpoint PC's quarantine.

So I'm just wondering what the go is here: how can I submit samples of uncleanable viruses when I can never obtain a copy of the files?

What is the general process everyone else uses when confronted with the same situation?

Thanks,


Craig



  • Hello Craig,

    Most of the time I just acknowledge them. If it's not in quarantine, it is either gone (Sophos will not interfere if a file is simply deleted) or it didn't make it to disk at all (in the case of scan-on-write). It might be that it is not cleanable, or cleanup might have failed because it "disappeared" too soon.
    If you want to collect samples you have to use Deny access and move ... (but you have to decide on it in advance, of course, because it might no longer be there if you scan for it). Usually I set up a writable share on a machine used especially for this purpose and exclude the folder from scanning (otherwise it might "inadvertently" get scanned). It'd be nice if Sophos would (zip and) password-protect it when it moves the file - for now it just gives it the extension .000 to prevent it from being run.

    Christian

  • Hi Christian,

    Thanks for the advice. I thought I had already set that up but upon inspection it was not so.

    I have now set my Antivirus and HIPS scripts to deny and move to a share on my antivirus server, for easy administration of un-cleanable viruses, and set my server script not to scan that directory, as suggested. This will not compromise my system in any way, will it? In the process of moving the files to this share, will Sophos still rename their file extensions?

    Thanks,

    Craig

  • Hello Craig,

    "will Sophos still rename their file extensions"

    Yes. Of course a writable, excluded share will pose an additional risk: "something" (other than Sophos) could write a malicious executable to it and instruct the host to run it (therefore I have the share on a workstation), but - someone should correct me if I'm wrong - this is very unlikely, and anyway it would have to "restrict" itself to this folder to remain undetected.

    Christian

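An added example, not from this thread or from Sophos, showing one way to build the "deny access and move" drop share Christian describes in his first reply and to limit the risk he raises in his last one (a writable, unscanned folder that something could stage a binary in). It assumes a collector workstation with folder C:\AVSamples shared as AVSamples, a domain called EXAMPLE, and that the endpoint AV service writes to the share as the machine's computer account (hence the Domain Computers group); all of those are assumptions, as is the idea of denying execute on the folder, which is not a Sophos feature. The scanning exclusion for C:\AVSamples on the collector is set in the Sophos console, not by this script.

```powershell
# Added example (not from the thread or from Sophos): sample drop share for
# "deny access and move to" detections, with execute denied on what lands there.
# Assumptions: folder C:\AVSamples, share AVSamples, domain EXAMPLE, endpoints
# writing as their computer accounts. Configure the Sophos exclusion separately.
#Requires -RunAsAdministrator
$Folder    = 'C:\AVSamples'
$ShareName = 'AVSamples'
$Writers   = 'EXAMPLE\Domain Computers'

New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# NTFS: admins and SYSTEM get full control; endpoints may create and rename files
# (the move and the .000 rename need that) but are explicitly denied execute, so a
# dropped binary cannot be run in place from \\collector\AVSamples. Copying it
# anywhere else puts it back under on-access scanning on the destination.
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)   # break inheritance, discard inherited ACEs
$Rule    = [System.Security.AccessControl.FileSystemAccessRule]
$inherit = 'ContainerInherit,ObjectInherit'
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule($Rule::new($id, 'FullControl', $inherit, 'None', 'Allow'))
}
$acl.AddAccessRule($Rule::new($Writers, 'Modify', $inherit, 'None', 'Allow'))
$acl.AddAccessRule($Rule::new($Writers, 'ExecuteFile', 'ObjectInherit', 'InheritOnly', 'Deny'))
Set-Acl -Path $Folder -AclObject $acl

# Share permissions: Change for the endpoints, Full for admins. Share and NTFS
# permissions both apply, so the deny-execute ACE above still governs.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Folder -ChangeAccess $Writers `
        -FullAccess 'BUILTIN\Administrators' `
        -Description 'AV sample drop (folder excluded from scanning)' | Out-Null
}

# Inventory what has been moved in. Files arrive with the .000 extension; hash them
# in place rather than renaming or opening them elsewhere, and keep the manifest
# (name, SHA-256, size, arrival time) alongside the sample you submit.
Get-ChildItem -Path $Folder -Filter '*.000' -File |
    ForEach-Object {
        [pscustomobject]@{
            File    = $_.Name
            SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Bytes   = $_.Length
            Arrived = $_.LastWriteTime
        }
    } | Export-Csv -Path (Join-Path $Folder 'manifest.csv') -NoTypeInformation
```

Run it once on the collector as an administrator, then point the endpoint policy's move-to path at \\collector\AVSamples. The deny-execute ACE does not stop a compromised host from copying a file off the share and running it locally, but that copy is no longer inside the excluded folder, which is the only place the protection was relaxed.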