
Allow user to scan and clean threats from USB stick

A user needs to scan and clean up threats found on USB sticks that belong to students. Adding the user to the SophosPowerUsers local group does not seem to work, nor does adding the user to the SophosAdministrators group. When I say it doesn't work, I mean the Perform action button is greyed out when the box is checked next to the threat that needs attention.

USB stick is inserted, Sophos detects threat Mal/Conficker-A

E:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx

TIA

  • Hello dluneau,

    the supposed issue with QM (and user rights) first:

    the perform action button is greyed out when box is checked

    which actions are listed in the Available actions column? If there are none then Perform action won't become active. Note that the user must close/reopen the GUI for the group membership to become effective. The Current user rights can be checked by clicking the View product information link on the left.

    Or is the issue specifically with the Mal/Conficker-A detection?

    USB stick is inserted, Sophos detects threat Mal/Conficker-A

    Usually the Conficker-infected USB sticks contain the worm (detected as Mal/Conficker-A) and an autorun.inf to start it automatically. Depending on the autorun settings and how the drive is accessed first the autorun.inf will be detected as Mal/ConfInf-A and subsequently the worm in <drive:>\RECYCLER\. If the stick is writable the threats are dealt with according to the Cleanup settings - Automatic cleanup normally results in both items being cleaned/removed (no action by the user required) after some time (10+ seconds).

    Thus the first question is, what does the AV policy specify. Second, why are these sticks scanned/cleaned, i.e. how and where - on which computer - has the threat been detected?

    While known detected items don't pose a genuine risk to a sufficiently protected computer, it's advisable to use a dedicated sheep-dip, perhaps with sufficiently "aggressive" settings to deal with the items mostly automatically.

    Christian

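The infection layout Christian describes (an autorun.inf at the root pointing at a payload under RECYCLER\<SID-like folder>\) can be checked for from a sheep-dip host without touching the stick. The read-only triage script below is an added example, not Sophos code or anything from this thread; the mock stick it builds, the file names and the key names it looks for in autorun.inf are constructed assumptions.

```python
import os
import re
import tempfile

# Folder names shaped like a Windows SID, as in the RECYCLER path from the thread.
SID_DIR = re.compile(r"^S-\d+(-\d+){3,}$")

def parse_autorun(text):
    """Return the lowercase values of open=/shellexecute= keys in an autorun.inf."""
    targets = []
    for line in text.splitlines():
        m = re.match(r"\s*(open|shellexecute)\s*=\s*(.+)", line, re.I)
        if m:
            targets.append(m.group(2).strip().lower())
    return targets

def triage_drive(root):
    """Report indicators of an autorun-launched payload under RECYCLER\<SID>\.
    Read-only: it lists findings and never modifies or executes anything."""
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        with open(autorun, errors="ignore") as fh:
            for target in parse_autorun(fh.read()):
                if "recycler" in target:
                    findings.append(("autorun-references-recycler", target))
    recycler = os.path.join(root, "RECYCLER")
    if os.path.isdir(recycler):
        for name in os.listdir(recycler):
            sub = os.path.join(recycler, name)
            if os.path.isdir(sub) and SID_DIR.match(name):
                for f in os.listdir(sub):
                    rel = os.path.join("RECYCLER", name, f)
                    findings.append(("file-in-recycler-sid-dir", rel))
    return findings

def build_sample_stick():
    """Constructed mock USB root for the demo (harmless placeholder bytes)."""
    root = tempfile.mkdtemp()
    sid = "S-5-3-42-2819952290-8240758988-879315005-3665"  # path from the thread
    payload_dir = os.path.join(root, "RECYCLER", sid)
    os.makedirs(payload_dir)
    with open(os.path.join(payload_dir, "jwgkvsq.vmx"), "wb") as fh:
        fh.write(b"placeholder bytes, not malware")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\r\nshellexecute=RECYCLER\\" + sid + "\\jwgkvsq.vmx\r\n")
    return root

if __name__ == "__main__":
    for kind, detail in triage_drive(build_sample_stick()):
        print(kind, detail)
```

Point `triage_drive` at the mounted stick's root (for example `E:\`) on the sheep-dip and compare its report with what the AV log (SAV.txt) says about the same paths.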
  • Christian,

    Thanks for replying to my post. Some answers to your questions.

    which actions are listed in the Available actions column? Attachment added.

    If I add the user to the SophosPowerUser group, I am able to perform the action on the two Adware or PUA items in the screenshot.

    AV on-access scan policy is:

    Automatically clean up items that contain a virus/spyware

    Deny access only

    Suspicious files: Deny access only

  • Hello dluneau,

    thanks for the screenshot. Adware and PUAs are a special case and are never cleaned up during an on-access scan. The actions column clearly states insufficient rights as the reason for no actions being available.

    For the Mal/Generic-L detection the reason is incomplete cleanup and the suggested action is manual removal. As the name implies it's a generic detection, therefore cleanup is rather cautious (and doesn't offer deletion as a last resort - note that Delete as an available action and manual removal are not quite the same). For generic detections (and if suggested in the analysis) sending in a sample is a good idea.

    As to the Mal/Conficker-A, perhaps the AV log (SAV.txt) has a little bit more information on why the item hasn't been cleaned up. As it is obviously unwanted, you can try to remove it by simply running a (scheduled) scan with Delete as the alternate action.

    HTH
    Christian