
Numerous detections of iexplore.exe this morning

More than a dozen alerts so far this morning for iexplore.exe being detected as Mal/Generic-S (vague). Just curious if anyone else has seen this. Some of the management team are concerned it could be a false positive.

still investigating



  • We are seeing this on our network too.  Any thoughts?  What is causing this to happen?

  • Hi,

    Have you sent a sample in to SophosLabs?

    https://secure.sophos.com/support/samples/

    What version of IE are these machines running?

    Have you got a checksum of the file, MD5 will do?

    Are there any computers running the same version of SAV + IE + the same detection data that aren't picking it up?  If so, what is the checksum of those exe files? Different?

    Regards,

    Jak

  • Same problems here; it seems to only affect iexplore.exe (x86). The 64-bit IE runs fine.

    File "C:\Program Files (x86)\Internet Explorer\iexplore.exe" belongs to virus/spyware 'Mal/Generic-S'

    Also a few related to registry keys:

    Registry value "HKLM\Software\Wow6432Node\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\default" belongs to virus/spyware 'Mal/Generic-S'

    Registry key "HKCR\Wow6432Node\InternetExplorer.Application.1" belongs to virus/spyware 'Mal/Generic-S'.

    Registry key "HKCR\Wow6432Node\InternetExplorer.Application" belongs to virus/spyware 'Mal/Generic-S'.

    Registry key "HKCR\Wow6432Node\CLSID\{0002df01-0000-0000-c000-000000000046}" belongs to virus/spyware 'Mal/Generic-S'.

    Registry key "HKCR\Wow6432Node\CLSID\{d5e8041d-920f-45e9-b8fb-b1deb82c6e5e}" belongs to virus/spyware 'Mal/Generic-S'.

  • We also get the same messages...

    Actually I think these messages are false positives.

  • Hello all,

    According to Comparison of Sophos' Malicious File Detection Technologies, Mal/Generic-S signifies a detection by Live Protection. Whatever caused the incorrect detection in the first place, Sophos should already be aware of this (and perhaps the glitch has already been or is about to be corrected), but it is always a good idea to send a sample, as Jak has said.

    Christian

  • Over the weekend we also had a false positive on c:\windows\system32\RUNDLL32.EXE on Windows XP SP3, Mal/Generic-L. Anybody else?

    Marco NICOLA, Sophos customer, Reale Mutua Assicurazioni, Turin, Italy

  • Earlier today (Monday 6th of February) at 11:34 GMT an identity was released which caused Internet Explorer 8 on Windows Vista and later to be mistakenly flagged as malicious. SophosLabs identified the problem and fixed it within 13 minutes (11:47 GMT). 

    Due to the nature of Live Protection some customers could still be experiencing the issue due to DNS caching for some time afterwards. Live Protection results are stored in the DNS cache, meaning the cache either needs to be flushed to remove the data or it will be removed after a period of time when the cache has automatically updated.

    At no point during the incident was protection compromised.

    The issue affected some customers running Endpoint Security and Control version 9.5 and later with Live Protection enabled. If you are experiencing any issues with IE8 please look at article 116799 or contact support.

    We apologize for any inconvenience caused and are investigating how this issue occurred so it can be prevented in future. 


     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
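A small triage script, added here as an example and not something posted in the thread, that gathers the evidence Jak asked for (MD5, IE file version, Authenticode signer for both the x86 and x64 iexplore.exe, plus the registry values the thread lists) on one machine so it can be diffed against an unaffected one, then clears the resolver cache as the moderator's post describes. It assumes PowerShell 4 or later on 64-bit Windows; the output file name is made up.

```powershell
# Added example, not from the thread. Collect file and registry evidence for a
# suspected false positive so two machines can be compared, then flush DNS.
# Assumes PowerShell 4+ (Get-FileHash) on 64-bit Windows.

$paths = @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",          # 64-bit IE (reported fine)
    "${env:ProgramFiles(x86)}\Internet Explorer\iexplore.exe"   # 32-bit IE (the one flagged)
)

$fileReport = foreach ($p in $paths) {
    if (-not (Test-Path $p)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $p
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Path         = $p
        MD5          = (Get-FileHash -Path $p -Algorithm MD5).Hash
        SHA256       = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        FileVersion  = (Get-Item $p).VersionInfo.FileVersion
        SignedBy     = $sig.SignerCertificate.Subject   # null if unsigned
        SigStatus    = $sig.Status                       # expect Valid for a genuine IE
    }
}

# The keys named in the thread are IE's normal COM/StartMenu registration;
# record their default values so they can be diffed against a clean host.
$regPaths = @(
    'HKLM:\Software\Wow6432Node\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\InternetExplorer.Application.1',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\InternetExplorer.Application',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{0002df01-0000-0000-c000-000000000046}'
)
$regReport = foreach ($r in $regPaths) {
    if (Test-Path $r) {
        [pscustomobject]@{ Key = $r; Default = (Get-ItemProperty -Path $r).'(default)' }
    }
}

$fileReport | Format-List
$regReport  | Format-Table -AutoSize

# Constructed output path; copy the JSON from an affected and an unaffected
# machine and diff the MD5/FileVersion/SignedBy fields.
$out = "$env:TEMP\iexplore-triage-$env:COMPUTERNAME.json"
(@($fileReport) + @($regReport)) | ConvertTo-Json -Depth 3 | Out-File -FilePath $out

# Live Protection verdicts are delivered via DNS, so a stale verdict can sit in
# the resolver cache after the identity was fixed; clear it rather than waiting.
ipconfig /flushdns | Out-Null
```

If the hashes and signer match on a flagged and an unflagged machine with the same SAV version, the detection rather than the file is the variable, which is the case for sending a sample to SophosLabs.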