Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 1 subscriber
  • Views 8318 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Suspicious behaviour in \\.\globalroot

humungo6

I've just noticed that SEC is reporting suspicious behaviour of a file on one of our servers, but it is in \\.\globalroot...

HIPS/RegMod-002 is the reported behaviour for file lmie.tmp\lmi_rescue.exe, which I am fairly certain will be something to do with LogMeIn, which is installed on certain workstations and we will have used with of third parties dialling in remotely. Using the Sophos knowledgebase, as expected, the regmod-002 description is vague at best, due to the nature of the alert.

Now, I'm not too bothered on this one as I think its safe and it has been blocked as it should've been, but how on earth can I obtain a copy of the file for sample submission, even if only for future reference if I see anything similar again?!

I have tried to "Clean up detected items..." but nothing shows up. All that is left for me to do is "Acknowledge alerts and errors...", so I assume that the file isn't there anymore.

Any thoughts would be appreciated.

:2596


This thread was automatically locked due to age.
Parents
  • 0

    Christian,

    Thanks for the reply.

    The computer details window is exactly where I discovered the filepath initially. Thanks for the advice on authorisation, but at this moment, its not what I am aiming to do, especially as it is on a server. My concern is that the file - to my knowledge - was not run by either myself or the Network Manager, so would like to get the file sample submitted to Sophos.

    So, in short, the question I am asking, is... Where can I obtain these files?

    Thanks again,

    :2600
Reply
  • 0

    Christian,

    Thanks for the reply.

    The computer details window is exactly where I discovered the filepath initially. Thanks for the advice on authorisation, but at this moment, its not what I am aiming to do, especially as it is on a server. My concern is that the file - to my knowledge - was not run by either myself or the Network Manager, so would like to get the file sample submitted to Sophos.

    So, in short, the question I am asking, is... Where can I obtain these files?

    Thanks again,

    :2600
Children
No Data
Unfiltered HTML