
Mal/Generic-L, Sus/CFNBehav-A and sdra64.exe

I've seen several Mal/Generic-L detections reported lately. As they are infrequent and are dealt with by Sophos one way or the other I didn't think much about them. Today one has been detected on a co-worker's machine right across the hall. Since the quarantine was empty (probably because of scan-on-write) I changed cleaning to "move", obtained the sample and sent it to Sophos. We first suspected something from a website (using Firefox) but as there were more detections (several minutes to more than half an hour apart) and also when Firefox was closed I started a scan (with HIPS scanning enabled). This time something turned up: sdra64.exe in the system32 directory detected (in the rootkit scan phase) as Sus/CFNBehav-A.

I've sent in this one too and am waiting for the results.

Christian



  • You're right, suspicious files we as customers experience in our 'real-world' environments should always be sent to Sophos. I did that dozens of times already and always with exceptionally fast response times (usually within hours and not longer than a day) when it comes to creating new IDEs. But again it would be really nice to be able to send them out of the console instead of collecting them manually, packing them and then sending them by mail or web interface.

    And you're right too when it comes to finding out how the malware was executed on the machine: "I didn't do anything, I was just browsing the web" is what I always hear. Which makes sense in certain types of malware like drive-by FakeAV using exploitation packs...
