
Mal/Generic-L, Sus/CFNBehav-A and sdra64.exe

I've seen several Mal/Generic-L detections reported lately. As they are infrequent and are dealt with by Sophos one way or the other I didn't think much about them. Today one has been detected on a co-worker's machine right across the hall. Since the quarantine was empty (probably because of scan-on-write) I changed cleaning to "move", obtained the sample and sent it to Sophos. We first suspected something from a website (using Firefox) but as there were more detections (several minutes to more than half an hour apart) and also when Firefox was closed I started a scan (with HIPS scanning enabled). This time something turned up: sdra64.exe in the system32 directory detected (in the rootkit scan phase) as Sus/CFNBehav-A.

I've sent in this one too and am waiting for the results.     

Christian
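The reasoning in the post above (repeated detections spaced minutes apart, some of them while the browser was closed, followed by a file in system32 turning up in a rootkit scan) is the kind of triage a defender can automate over the AV event log. The script below is an added example, not part of the original thread and not Sophos code; the log format and the sample lines are constructed for illustration, and the process column (which executable was active at detection time) is an assumption about what a log might carry. It parses the constructed events, measures the gaps between detections of the same threat name, counts detections that happened without the suspected browser running, and lists detections under the system directory, which together argue for a persistent component rather than a purely web-borne one.

```python
from datetime import datetime

# Constructed sample events in an assumed "date time threat path process" layout.
# These are NOT real Sophos log lines; paths, times and the process column are made up.
SAMPLE_LOG = """\
2010-04-12 09:02:11 Mal/Generic-L C:\\Users\\bob\\AppData\\Local\\Temp\\tmp1.tmp firefox.exe
2010-04-12 09:09:40 Mal/Generic-L C:\\Users\\bob\\AppData\\Local\\Temp\\tmp2.tmp firefox.exe
2010-04-12 09:47:05 Mal/Generic-L C:\\Users\\bob\\AppData\\Local\\Temp\\tmp3.tmp -
2010-04-12 10:15:22 Sus/CFNBehav-A C:\\Windows\\system32\\sdra64.exe -
"""


def parse_log(text):
    """Parse the constructed log layout into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, threat, path, proc = line.split(maxsplit=4)
        events.append({
            "ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "threat": threat,
            "path": path,
            # "-" means no foreground process was recorded for this detection
            "process": None if proc == "-" else proc.lower(),
        })
    return sorted(events, key=lambda e: e["ts"])


def intervals_seconds(events, threat):
    """Seconds between consecutive detections of one threat name."""
    times = [e["ts"] for e in events if e["threat"] == threat]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def detections_without_process(events, threat, process):
    """How many detections of `threat` occurred while `process` was not running."""
    return sum(1 for e in events
               if e["threat"] == threat and e["process"] != process.lower())


def system_dir_detections(events, system_dir="c:\\windows\\system32"):
    """Paths of detected files that live under the system directory."""
    return [e["path"] for e in events if e["path"].lower().startswith(system_dir)]


def assess(events, threat="Mal/Generic-L", browser="firefox.exe"):
    """Summarise whether the pattern points at a persistent component on the host."""
    gaps = intervals_seconds(events, threat)
    off_browser = detections_without_process(events, threat, browser)
    sys_files = system_dir_detections(events)
    return {
        "max_gap_minutes": max(gaps) / 60 if gaps else 0.0,
        "detections_without_browser": off_browser,
        "system_dir_files": sys_files,
        # Either signal is enough to justify a full on-demand scan with HIPS enabled.
        "persistent_component_likely": off_browser > 0 or bool(sys_files),
    }


if __name__ == "__main__":
    verdict = assess(parse_log(SAMPLE_LOG))
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

Run against a real export, the two signals that matter are a non-zero count of detections without the suspected browser and any detection under the system directory; both were present in the incident described above and both should trigger a full scan and sample submission rather than waiting for the next on-access hit.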



  • The major problem with false positives is that they might occur at undue hours. Some (more or less) application no longer works at a time when no one's around to look into it and authorize it if needed. And since whitelisting may not be feasible in all cases you have to maintain the list of authorized applications. Using automated updates can complicate matters. Therefore it's understandable that one uses alert only for runtime and is reluctant to follow the best practices.

    Once you've encountered even a minor outbreak and seen the difference HIPS can make, you start to think differently about it. But it is more effort and also requires communication and cooperation among the IT groups.

    Christian
