
Suspicious behaviour in \\.\globalroot

I've just noticed that SEC is reporting suspicious behaviour of a file on one of our servers, but it is in \\.\globalroot...

HIPS/RegMod-002 is the reported behaviour for file lmie.tmp\lmi_rescue.exe, which I am fairly certain will be something to do with LogMeIn, which is installed on certain workstations and we will have used it with third parties dialling in remotely. Using the Sophos knowledgebase, as expected, the regmod-002 description is vague at best, due to the nature of the alert.

Now, I'm not too bothered on this one as I think it's safe and it has been blocked as it should've been, but how on earth can I obtain a copy of the file for sample submission, even if only for future reference if I see anything similar again?!

I have tried to "Clean up detected items..." but nothing shows up. All that is left for me to do is "Acknowledge alerts and errors...", so I assume that the file isn't there anymore.

Any thoughts would be appreciated.

  • The filepath is showing as:

    \\.\globalroot\device\harddiskdmvolumes\physicaldmvolumes\blockvolume1\winnt\lmie.tmp\lmi_rescue.exe

    I think I'm having a bit of a brain drain - but I just can't think how or where to get that file from (if it still exists)

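Added example, not part of the thread or of any Sophos tool: `\\.\globalroot` is the Win32 alias for the root of the NT object-manager namespace, so the path in the alert is really `\Device\HarddiskDmVolumes\...` with a drive letter removed. The script below asks Windows which NT device each drive letter points at (kernel32 `QueryDosDeviceW`) and rewrites the alert path to a normal `C:\...` path you can open, copy for sample submission, or at least check on the right volume (or in a backup or shadow copy) if the file has already gone. The `BlockVolume1 -> C:` mapping in the fallback table is an assumption for illustration; on a non-Windows host the script uses that constructed table instead of querying the OS.

```python
"""Translate a \\.\globalroot\Device\... path (as reported in an AV alert)
back to a drive-letter path so the file can be located and collected."""
import ctypes
import os
import string
import sys

# Both spellings of the NT-namespace alias that appear in alert paths.
GLOBALROOT_PREFIXES = (r"\\.\globalroot", r"\\?\globalroot")

# Constructed fallback table (assumption): what QueryDosDevice would return
# on a Windows 2000 box whose system volume is a dynamic-disk volume.
SAMPLE_DEVICE_MAP = {
    r"\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1": "C:\\",
}


def query_dos_devices():
    """Return {NT device name: drive root} for every mapped drive letter.

    Windows only: kernel32!QueryDosDeviceW("C:") fills a MULTI_SZ buffer
    whose first string is the NT device the letter currently maps to,
    e.g. "\\Device\\HarddiskVolume1".
    """
    if sys.platform != "win32":
        raise OSError("QueryDosDevice is only available on Windows")
    kernel32 = ctypes.windll.kernel32
    kernel32.QueryDosDeviceW.argtypes = (ctypes.c_wchar_p, ctypes.c_wchar_p,
                                         ctypes.c_uint32)
    kernel32.QueryDosDeviceW.restype = ctypes.c_uint32
    mapping = {}
    buf = ctypes.create_unicode_buffer(1024)
    for letter in string.ascii_uppercase:
        dos_name = letter + ":"
        if kernel32.QueryDosDeviceW(dos_name, buf, len(buf)):
            # .value stops at the first NUL, i.e. the current target only
            mapping[buf.value] = dos_name + "\\"
    return mapping


def strip_globalroot(path):
    """Drop a leading \\.\globalroot or \\?\globalroot, leaving the NT path."""
    lower = path.lower()
    for prefix in GLOBALROOT_PREFIXES:
        if lower.startswith(prefix):
            return path[len(prefix):]
    return path


def to_drive_letter_path(globalroot_path, device_map):
    """Rewrite \\.\globalroot\Device\X\dir\file as Z:\dir\file.

    Device names are matched case-insensitively and the longest matching
    device wins (so HarddiskVolume1 never swallows HarddiskVolume10).
    Returns None when no drive letter is mapped to that device.
    """
    nt_path = strip_globalroot(globalroot_path)
    nt_lower = nt_path.lower()
    best = None
    for device, root in device_map.items():
        dev_lower = device.lower().rstrip("\\")
        if nt_lower == dev_lower or nt_lower.startswith(dev_lower + "\\"):
            if best is None or len(dev_lower) > len(best[0]):
                best = (dev_lower, root)
    if best is None:
        return None
    remainder = nt_path[len(best[0]):].lstrip("\\")
    return best[1] + remainder


def locate(globalroot_path, device_map=None):
    """Return (drive-letter path, still_present) for an alert path."""
    if device_map is None:
        device_map = (query_dos_devices() if sys.platform == "win32"
                      else SAMPLE_DEVICE_MAP)
    resolved = to_drive_letter_path(globalroot_path, device_map)
    return resolved, bool(resolved) and os.path.exists(resolved)


if __name__ == "__main__":
    # Path copied from the alert above; the mapping comes from the OS on
    # Windows and from the constructed table elsewhere.
    alert = (r"\\.\globalroot\device\harddiskdmvolumes\physicaldmvolumes"
             r"\blockvolume1\winnt\lmie.tmp\lmi_rescue.exe")
    path, present = locate(alert)
    print(path, "(still on disk)" if present else "(not found; check backups)")
```

If `to_drive_letter_path` returns None the device has no drive letter at all, which is common for dynamic-disk or mounted volumes; `mountvol` or the Disk Management console will show which volume it is. A `None`/missing result after the product has already cleaned the item is the expected outcome the original poster describes, and the resolved path still tells you where to look in backups or shadow copies.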