Mal/TibsPk-A

Yesterday one client started sending alerts about Mal/TibsPk-A. Cleanup settings were Automatically clean up / otherwise deny access only. Computer details showed no file location and alternating Blocked and Cleaned Up with intervals from 1-20 seconds. Using SEC I then changed the policy to Don't automatically clean up / Delete. The only effect was that the actions now were None and Deleted but still were generated every few seconds. So I changed the policy to deny access only and now it's quiet.

For now I have not yet contacted support as I'd like to see the machine's logs and we don't have access to it. I hope I can contact the administrator for this machine tomorrow.

Meanwhile - any similar experiences or ideas?

Christian

  • It's probably located either in the SystemRestore or deeply nested in the RecycleBin. Due to (messed up?) permissions on the client it could be that Sophos can't delete the file. Sometimes in order to get the malware removed the machine needs a reboot or 2 and in between the reboot another full scan with "If Cleanup fails then Delete" enabled.

    In order to get more details about this particular computer I would also enable search for Suspicious Files (and block/move/delete them) and also enable Suspicious Behaviour and uncheck Alert Only.
