
Mal/TibsPk-A

Yesterday one client started sending alerts about Mal/TibsPk-A. Cleanup settings were Automatically clean up / otherwise deny access only. Computer details showed no file location and alternating Blocked and Cleaned Up with intervals of 1-20 seconds. Using SEC I then changed the policy to Don't automatically clean up / Delete. The only effect was that the actions were now None and Deleted, but they were still generated every few seconds. So I changed the policy to deny access only and now it's quiet.

For now I have not yet contacted support as I'd like to see the machine's logs and we don't have access to it. I hope I can contact the administrator for this machine tomorrow.

Meanwhile - any similar experiences or ideas?

Christian



  • It's probably located either in the System Restore area or deeply nested in the Recycle Bin. Due to (messed up?) permissions on the client it could be that Sophos can't delete the file. Sometimes, in order to get the malware removed, the machine needs a reboot or two and, in between the reboots, another full scan with "If Cleanup fails then Delete" enabled.

    In order to get more details about this particular computer I would also enable search for Suspicious Files (and block/move/delete them) and also enable Suspicious Behaviour and uncheck Alert Only.

  • Hi QC,

    It sounds like either the file is being constantly dropped, so the re-detection is being reported to the console, or there is a problem cleaning/deleting the file. There is certain malware which will allow you to delete the file but put it back straight away.

    It would be interesting to see what happens if you manually delete it: does it come straight back? If so, we need to see what is dropping the file (procmon or procexp - see what has a handle to that filename).

    Deny access only - it's not re-detecting the file over and over, it's the same detection, so it is not reporting to the console over and over.

    OD

  • Hello OD

    "It would be interesting to see what happens if you manually delete it"

    It's coming back when it's deleted using SEC, that much is sure. Now I and others have mentioned elsewhere that the information sent to SEC is somewhat sparse. And if you have no (administrative) rights on the machine (which is not as uncommon as "Sophos" seems to think), that's it then. We don't have a tool for remote support and it's often also a problem to find someone with administrative rights with whom you could conduct a remote session. It'd be a great help if SEC could request/pull the SAV.txt (and a sample - as "definite" detections don't trigger Live Protection AFAIK).

    Christian

  • Hi,

    I was trying to troubleshoot the particular issue you were seeing above; the malware may have another component dropping the file. In this case we would need to find what that was. It seems odd that the timings are so quick, so it's either a locally dropped file being continually dropped or the cleanup/delete is not accurate - although that is unlikely.

    Regarding the sparse information, do you mean the file location not being listed? This is being addressed to display multi-component threats in SEC.

    For samples, most of the time there would be no point in getting one for, as you said, a definitive detection. This would be useful for certain situations where cleanup may need tweaking etc. In these cases we generally need a fuller picture of what is happening on the machine: get logs, and get all components of the particular infection.

    Agree it would be great to get the SAV log though :)

    You can just C$ to the machine though.

    OD

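The two steps OD suggests above (pull the SAV log over the C$ admin share, then work out what is re-creating the file) can be scripted from the SEC server. The following PowerShell is an added example, not Sophos code and not part of the original thread; it assumes the SAV log lives at `C:\ProgramData\Sophos\Sophos Anti-Virus\logs\SAV.txt` on the client, that its lines start with a `yyyyMMdd HHmmss` timestamp, and that the account running it has administrative rights on the target (which is exactly the problem Christian describes, so it only helps once such an account is available). Both the path and the line format are assumptions; adjust them to what you see in the copied file.

```powershell
# Added example (not Sophos code): copy SAV.txt over the admin share and
# summarise how often a named threat is being re-detected, then list the
# file path(s) the log names so they can be handed to handle.exe/procmon.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string]$ThreatName = 'Mal/TibsPk-A',
    # ASSUMPTION: SAV log location on Vista/7-era clients. Older clients keep it under
    # Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs.
    [string]$RemoteLog = "\\$ComputerName\C$\ProgramData\Sophos\Sophos Anti-Virus\logs\SAV.txt"
)

$local = Join-Path $env:TEMP ("SAV-{0}.txt" -f $ComputerName)

# Reading C$ requires administrative rights on the target; fail loudly if we have none.
Copy-Item -Path $RemoteLog -Destination $local -ErrorAction Stop

# ASSUMPTION: each line looks like "yyyyMMdd HHmmss<whitespace>message".
# Only lines that mention the threat are kept.
$events = Get-Content $local |
    Where-Object { $_ -match [regex]::Escape($ThreatName) } |
    ForEach-Object {
        if ($_ -match '^(?<d>\d{8})\s+(?<t>\d{6})\s+(?<msg>.*)$') {
            [pscustomobject]@{
                Time    = [datetime]::ParseExact($Matches.d + $Matches.t, 'yyyyMMddHHmmss', $null)
                Message = $Matches.msg
            }
        }
    }

# Print each event with the gap since the previous one. A steady gap of a few
# seconds points at a dropper re-creating the file (look for the process holding
# it); a single event that never repeats points at one stuck item such as a
# System Restore or Recycle Bin copy that cleanup cannot remove.
$prev = $null
foreach ($e in $events) {
    $gap = if ($prev) { ($e.Time - $prev).TotalSeconds } else { 0 }
    '{0:yyyy-MM-dd HH:mm:ss}  +{1,4}s  {2}' -f $e.Time, [int]$gap, $e.Message
    $prev = $e.Time
}

# Distinct Windows paths mentioned in the matching messages.
$events.Message |
    Select-String -Pattern '[A-Za-z]:\\[^\s"]+' -AllMatches |
    ForEach-Object { $_.Matches.Value } |
    Sort-Object -Unique
```

With a path in hand, the handle check OD describes is run on the client itself, for example with Sysinternals `handle.exe -accepteula <path fragment>` from an administrative prompt, which prints the PID and process name of anything holding that file open; that process (or whatever drops the file just before each detection, visible in procmon filtered on the same path) is the component that actually needs removing.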
  • Thanks for your answers (which are helpful even though I can't right now do what you suggested).

    "You can just C$ to the machine though"

    I would if I could ;-) - that's the point: no administrative rights, no access, not knowing what's going on.

    "In these cases we generally need a fuller picture"

    Yup. That's the next problem. Yet another product to update, but how about installing SDU together with ESDP? And the option to start it from SEC. There's still the question of where it should write the log to, but I think this could be solved. Ideally I too would like to know what's in the sdulog (that is, what's on the machine) ...

    Christian
