Mal/TibsPk-A

Yesterday one client started sending alerts about Mal/TibsPk-A. Cleanup settings were Automatically clean up / otherwise deny access only. Computer details showed no file location and alternating Blocked and Cleaned Up with intervals from 1-20 seconds. Using SEC I then changed the policy to Don't automatically clean up / Delete. The only effect was that the actions now were None and Deleted but still were generated every few seconds. So I changed the policy to deny access only and now it's quiet.

For now I have not yet contacted support as I'd like to see the machine's logs and we don't have access to it. I hope I can contact the administrator for this machine tomorrow.

Meanwhile - any similar experiences or ideas?

Christian
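
An added example, not code from this thread or from Sophos: a small Python check that, given constructed alert records in an assumed (timestamp, threat, action) shape, flags threats whose alerts recur every few seconds, the block/clean-up cycle described above that points to a dropper re-creating the file faster than cleanup removes it.

```python
from datetime import datetime, timedelta

# Constructed sample alert records for one endpoint. The real SEC export
# format is not shown in the thread, so this (timestamp, threat, action)
# shape is an assumption; the cadence mirrors the 1-20 second intervals above.
SAMPLE_ALERTS = [
    ("2010-05-11 09:00:00", "Mal/TibsPk-A", "Blocked"),
    ("2010-05-11 09:00:07", "Mal/TibsPk-A", "Cleaned up"),
    ("2010-05-11 09:00:19", "Mal/TibsPk-A", "Blocked"),
    ("2010-05-11 09:00:24", "Mal/TibsPk-A", "Cleaned up"),
    ("2010-05-11 09:00:41", "Mal/TibsPk-A", "Blocked"),
    ("2010-05-11 09:05:00", "Troj/Example-Z", "Cleaned up"),  # one-off, not a loop
]


def parse(records):
    """Turn (timestamp string, threat, action) tuples into datetime-keyed events."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), name, action)
            for ts, name, action in records]


def find_redrop_loops(records, max_gap=timedelta(seconds=30), min_events=4):
    """Return {threat: summary} for threats whose alerts recur within max_gap
    at least min_events times in a row. A long run of closely spaced alerts
    for the same detection name is the signature of a re-drop loop."""
    by_name = {}
    for ts, name, action in sorted(parse(records)):
        by_name.setdefault(name, []).append((ts, action))
    loops = {}
    for name, items in by_name.items():
        best, run = [], [items[0]]
        for prev, cur in zip(items, items[1:]):
            if cur[0] - prev[0] <= max_gap:
                run.append(cur)          # still inside the same burst
            else:
                best, run = max(best, run, key=len), [cur]
        best = max(best, run, key=len)
        if len(best) >= min_events:
            gaps = [int((b[0] - a[0]).total_seconds()) for a, b in zip(best, best[1:])]
            loops[name] = {"events": len(best),
                           "actions": sorted({a for _, a in best}),
                           "max_gap_s": max(gaps)}
    return loops


if __name__ == "__main__":
    print(find_redrop_loops(SAMPLE_ALERTS))
```

A threat reported by the check is a candidate for collecting the SAV log and the other components on the machine rather than for sending a sample of the detected file alone.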

  • Hi,

    I was trying to troubleshoot the particular issue you were seeing above; malware may have another component dropping the file. In this case we would need to find what that was. It seems odd that the timings are so quick, so it's either a locally dropped file being continually dropped or the cleanup/delete is not accurate - although that is unlikely.

    Regarding the sparse information, do you mean the file location not being listed? This is being addressed to display multi-component threats in SEC.

    For samples, most of the time there would be no point in getting one for, as you said, a definitive detection. This would be useful for certain situations where cleanup may need tweaking etc. In these cases we generally need a fuller picture of what is happening on the machine. Get logs, and get all components of the particular infection.

    Agree it would be great to get the SAV log though :)

    You can just C$ to the machine though.

    OD