
Mal/TibsPk-A

Yesterday one client started sending alerts about Mal/TibsPk-A. Cleanup settings were Automatically clean up / otherwise deny access only. Computer details showed no file location and alternating Blocked and Cleaned Up, with intervals of 1-20 seconds. Using SEC I then changed the policy to Don't automatically clean up / Delete. The only effect was that the actions were now None and Deleted, but they were still generated every few seconds. So I changed the policy to deny access only and now it's quiet.

For now I have not yet contacted support as I'd like to see the machine's logs and we don't have access to it. I hope I can contact the administrator for this machine tomorrow.

Meanwhile - any similar experiences or ideas?

Christian



  • Hi QC,

    It sounds like either the file is being constantly dropped, so the redetection is being reported to the console, or there is a problem cleaning/deleting the file. There is certain malware which will allow you to delete the file but put it back straight away.

    It would be interesting to see what happens if you manually delete it: does it come straight back? If so, we need to see what is dropping the file (procmon or procexp - see what has a handle to that filename).

    Deny access only - it's not re-detecting the file over and over, it's the same detection, so it is not reporting to the console over and over.

    OD

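The manual test suggested above (delete the file, see whether it comes straight back, then find out what holds or rewrites it) can be scripted so the recreation delay and the owning process are captured in one go. The script below is an added example and is not code from the original thread or from Sophos. It assumes an elevated PowerShell session, a hypothetical `$SuspectPath` supplied by the caller, and that Sysinternals `handle.exe` is on the PATH; everything else is standard .NET (`FileSystemWatcher`) and built-in cmdlets.

```powershell
# Added example (not from the original post): delete a suspect file, watch for it
# being recreated, and list which processes hold a handle to it afterwards.
# Assumptions: $SuspectPath is a hypothetical path passed by the caller;
# handle.exe (Sysinternals Handle) is on PATH; run from an elevated prompt.
param(
    [Parameter(Mandatory = $true)][string]$SuspectPath,  # e.g. C:\Users\Public\dropped.exe (hypothetical)
    [int]$WatchSeconds = 60                               # how long to wait for a redrop
)

$dir  = Split-Path -Parent $SuspectPath
$name = Split-Path -Leaf   $SuspectPath
$haveHandle = [bool](Get-Command handle.exe -ErrorAction SilentlyContinue)

# Who has the file open before we touch it? A dropper that keeps it open shows up here.
if ($haveHandle) {
    Write-Host "Handles to $name before deletion:"
    handle.exe -accepteula -nobanner $name
}

# Watch the directory for the same file name coming back.
$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $dir, $name
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite'
$watcher.EnableRaisingEvents = $true
Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier SuspectCreated | Out-Null

Remove-Item -LiteralPath $SuspectPath -Force -ErrorAction SilentlyContinue
$deletedAt = Get-Date
Write-Host "Deleted $SuspectPath at $($deletedAt.ToString('HH:mm:ss.fff')); watching for $WatchSeconds s"

$recreated = $false
$deadline  = $deletedAt.AddSeconds($WatchSeconds)
while ((Get-Date) -lt $deadline) {
    # Wait-Event returns $null on timeout, so this loop polls once per second.
    $ev = Wait-Event -SourceIdentifier SuspectCreated -Timeout 1
    if ($ev) {
        $delay = ($ev.TimeGenerated - $deletedAt).TotalSeconds
        Write-Host ("{0} was recreated {1:N1} s after deletion" -f $name, $delay)
        Remove-Event -EventIdentifier $ev.EventIdentifier
        $recreated = $true
        # Catch the writer while it is still likely to have the file open.
        if ($haveHandle) { handle.exe -accepteula -nobanner $name }
        break
    }
}

Unregister-Event -SourceIdentifier SuspectCreated
$watcher.Dispose()

if (-not $recreated) {
    Write-Host "No redrop seen within $WatchSeconds s; the alerts may be a cleanup failure rather than a dropper."
}
```

If the file comes back but `handle.exe` shows nothing, the dropper wrote and closed it too quickly to be caught by a handle snapshot; at that point Process Monitor, filtered on Path contains the file name and Operation is WriteFile or SetDispositionInformationFile, will name the writing process and its call stack. Note that with the policy set to deny access only, the scanner blocks the file in place and never deletes it, so a recreate loop cannot happen and the console goes quiet, as seen in the original post.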