Mal/Generic-L, Sus/CFNBehav-A and sdra64.exe

I've seen several Mal/Generic-L detections reported lately. As they are infrequent and are dealt with by Sophos one way or the other, I didn't think much about them. Today one has been detected on a co-worker's machine right across the hall. Since the quarantine was empty (probably because of scan-on-write) I changed cleaning to "move", obtained the sample and sent it to Sophos. We first suspected something from a website (using Firefox), but as there were more detections (several minutes to more than half an hour apart), also when Firefox was closed, I started a scan (with HIPS scanning enabled). This time something turned up: sdra64.exe in the system32 directory, detected (in the rootkit scan phase) as Sus/CFNBehav-A.

I've sent in this one too and am waiting for the results.

Christian



  • I totally agree Christian.

    You cannot follow best practices at all times, as that would make it too easy! :smileywink:

    Seriously though, it is difficult as you need to be constantly checking e-mail notifications or using SEC to keep an eye on everything. And then you need to make a choice of authorising or submitting a sample. If it is a sample being sent off that comes back clean, people will grumble about that too (regardless of the turnaround).

    However, where an outbreak of sorts has been spotted, it's the perfect quick fix. You can prevent further infection in a reasonable time and submit samples to Sophos whilst the majority of people will be unaware of any changes made to their policies.

    I personally am lucky that it causes little extra effort in my role, but we're safe knowing that as long as we have pro-active/zero-day detection we'll be pretty much clear :smileyvery-happy: Though finally, it is always down to personal experience, and having been crippled by Win32/Sohana-BQ we're a little more clued up at how to manage our policies "in the moment" now.
