
Mal/TibsPk-A

Yesterday one client started sending alerts about Mal/TibsPk-A. Cleanup settings were Automatically clean up / otherwise deny access only. Computer details showed no file location and alternating Blocked and Cleaned Up with intervals from 1-20 seconds. Using SEC I then changed the policy to Don't automatically clean up / Delete. The only effect was that the actions now were None and Deleted but still were generated every few seconds. So I changed the policy to deny access only and now it's quiet.

For now I have not yet contacted support as I'd like to see the machine's logs and we don't have access to it. I hope I can contact the administrator for this machine tomorrow.

Meanwhile - any similar experiences or ideas?

Christian

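The pattern in the post above (the same threat name re-reported on one machine every few seconds, with the action flipping between Blocked and Cleaned Up) is a re-detection loop: the cleanup action is not sticking and something recreates or re-triggers the object. The script below is an added example, not part of the original thread or of SEC itself; it assumes a simplified `timestamp|host|threat|action` line format and constructed sample alerts (the host names WS-17 and WS-02 are invented), and flags host/threat pairs where consecutive detections arrive within a short gap, so a console operator can separate such loops from isolated detections.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alert lines in a hypothetical "timestamp|host|threat|action"
# format. This is NOT the real SEC export format; it only illustrates the pattern
# described in the post: one machine re-reporting Mal/TibsPk-A every few seconds.
SAMPLE_ALERTS = """\
2011-03-10 09:00:01|WS-17|Mal/TibsPk-A|Blocked
2011-03-10 09:00:09|WS-17|Mal/TibsPk-A|Cleaned up
2011-03-10 09:00:12|WS-17|Mal/TibsPk-A|Blocked
2011-03-10 09:00:30|WS-17|Mal/TibsPk-A|Cleaned up
2011-03-10 09:00:41|WS-17|Mal/TibsPk-A|Blocked
2011-03-10 09:05:00|WS-02|Mal/TibsPk-A|Cleaned up
2011-03-10 11:00:00|WS-02|Mal/TibsPk-A|Cleaned up
"""


def parse_alerts(text):
    """Parse the hypothetical pipe-separated format into (timestamp, host, threat, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, threat, action = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, threat, action))
    return events


def find_redetection_loops(events, min_count=3, max_gap=timedelta(seconds=60)):
    """Return {(host, threat): summary} for pairs that show a re-detection loop.

    A loop is a run of at least `min_count` detections of the same threat on the
    same host where each detection follows the previous one within `max_gap`.
    The summary records how often the threat was reported, the longest such run,
    which actions the endpoint reported, and the shortest/longest gap seen.
    """
    by_key = defaultdict(list)
    for ts, host, threat, action in events:
        by_key[(host, threat)].append((ts, action))

    loops = {}
    for key, items in by_key.items():
        items.sort()  # chronological order
        run = best = 1
        for i in range(1, len(items)):
            if items[i][0] - items[i - 1][0] <= max_gap:
                run += 1
            else:
                run = 1
            best = max(best, run)
        if best >= min_count:
            gaps = [(items[i][0] - items[i - 1][0]).total_seconds() for i in range(1, len(items))]
            loops[key] = {
                "count": len(items),
                "max_run": best,
                "actions": sorted({a for _, a in items}),
                "min_gap_s": min(gaps),
                "max_gap_s": max(gaps),
            }
    return loops


if __name__ == "__main__":
    for (host, threat), info in find_redetection_loops(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{host}: {threat} re-detected {info['count']}x, run of {info['max_run']}, "
              f"actions {info['actions']}, gaps {info['min_gap_s']:.0f}-{info['max_gap_s']:.0f}s")
```

On the sample data only WS-17 is flagged: five reports within 40 seconds with both Blocked and Cleaned Up actions, which is the signature of an endpoint that cannot get rid of the object, whereas the two WS-02 reports nearly two hours apart are left alone. A flagged host is the one worth pulling the local log (SAV.txt) and a sample from, rather than changing the cleanup policy again.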


  • Hello OD

    Be interesting to see what happens if you manually delete it

    It's coming back when it's deleted using SEC, that much is sure. Now I and others have complained elsewhere that the information sent to SEC is somewhat sparse. And if you have no (administrative) rights on the machine (which is not as uncommon as "Sophos" seems to think) that's it then. We don't have a tool for remote support and it's often also a problem to find someone with administrative rights with whom you could conduct a remote session. It'd be a great help if SEC could request/pull the SAV.txt (and a sample - as "definite" detections don't trigger Live Protection AFAIK).

    Christian
