
Security Analyses

Many vendors (including Sophos) stopped publishing detailed information for a majority of the threats - understandably so. It is much work, and what would you need it for? To second-guess the scanner's results? The beast should have been found in time and blocked anyway, so what's the use of describing what could have happened if ...?

But in some areas the information is - for my taste - too sparse. Troj/FakeAle-NB has been blocked on a client, SEC is telling me (no more details, i.e. a path to a file, are given). FakeAle sounds more like a joke, but the analysis offers no more insight. We do not have access to most of the clients (such is life at the university). Now the policy says: automatically clean up and otherwise deny access. First question is: why is a particular threat cleanable or why not? Second: if cleanable - why hasn't it been cleaned up (I know, sometimes a full scan is required - but sometimes it's in the analysis and sometimes not)? Choosing Cleanup (if available) on Resolve alerts and errors ... most of the time results in "timed out". More often than not the person you talk to has not very much knowledge, and telling her where to look and what to look for is a feat. And directing them to Remove Trojans is not a feasible solution.

Same problem with malware and suspicious files. Cleaning with SEC is out of the question without more detailed information. Asking the user to send a sample ... see above (see also ).

Christian

  • Hi QC

    Information in an analysis is a balancing act - they take time to generate, and as you note, may not be relevant to many (most) customers or malware items. Consider that SophosLabs can see hundreds if not thousands of samples a day - many of which may never actually be seen at a customer site - it's hard to know which to dig deeper into. 

    At any time, you can request more detail about a detection - either by sending us a sample or simply contacting Support and asking for the labs to get the data for you.

    To answer your specific questions:

    1) Why is a particular threat cleanable or why not. Cleanup is typically referring to the activity of removing malicious code from another file, or malicious files from their active locations on your system. For example, many non active Trojans do not have Cleanup options - as there is nothing to clean, they are simply a single file with 100% malicious code in them, they just need deleting. Legacy or older malware may pre-date our Cleanup routines entirely. Cleanup could be relevant if a Trojan was in memory (Cleanup would remove it from memory) or malware had infected a file (we would remove the malicious code). In some (rarer) cases the cleanup routine for an infected client is too complex for a simple cleanup job, and needs a standalone routine or cleanup utility. (Conficker, for example)

    2) If cleanable - why hasn't it been cleaned up ... If Cleanup has failed, and nothing is reported to Enterprise Console, I would grab the local SAV scan logs to check out what is reported there. You can get to them through the C$ share if you have the admin rights of course, preventing the end user from having to go digging. There could be a variety of reasons why Cleanup has failed - from problems in the cleanup routine itself, to local client issues, or bad/odd infections of the Malware itself.

  • Hi Paul,

    thanks for your (also nicely formatted) reply. I'm rather reluctant to contact support without being sure what I'm talking or asking about (not in general, though - I sent about a dozen queries in the last month :smileyhappy:).

    Just this morning I stumbled over Troj/PHPMod-C (not cleanable; history gives the filename and action "blocked" for a local user and none for SYSTEM - whatever SYSTEM wanted to do hasn't been blocked). So I follow the instructions for removing Trojans, which tell me "You can remove Trojans over a network using Enterprise Console". Article 12452 says:


    What to do

    1. Assessing the problem

    Before removing viruses, and other threats, you should determine if they can

    • make changes to the setup of your computers, or documents on them
    • spread internally via shares on your network
    • take administrator rights, or otherwise damage your network.

    First, from Enterprise Console, find out what items are present on a computer.

    1. Right-click the computer name.
    2. Select 'View computer details'.
    3. Scroll down to 'Items detected' (or 'Viruses detected').
      • The 'Type' (or 'Virus name') column lists the names of the items found.
      • The 'Details' (or 'Infected file') column lists where the items are on the computer.
    4. Click the name of the item to read its description on the Sophos website.

    Isn't this where I came from? :smileyvery-happy: Guess this is the point where I should contact support ...

    They just need deleting - would they be listed as cleanable and can this be done using SEC/Cleanup? Oh - by the way, which settings for "Cleanup" does the immediate "Full system scan ..." (from SEC) use?

    If cleanable - why hasn't it been cleaned up ... apart from timeouts I've only encountered "no longer in the quarantine list". As said, we don't have admin rights on most clients and we can't access the logs. Usually the status changes within seconds (except of course for timeout) - either the alert is cleared or it no longer appears.

    Christian


  • QC wrote:

    .......... Guess this is the point where I should contact support ...

    They just need deleting - would they be listed as cleanable and can this be done using SEC/Cleanup? Oh - by the way, which settings for "Cleanup" does the immediate "Full system scan ..." (from SEC) use?

    If cleanable - why hasn't it been cleaned up ... apart from timeouts I've only encountered "no longer in the quarantine list". As said, we don't have admin rights on most clients and we can't access the logs. Usually the status changes within seconds (except of course for timeout) - either the alert is cleared or it no longer appears.

    Christian


    Hi Christian,

    For this particular Trojan, you don't need to contact Support, I checked into it for you with SophosLabs - this is a PHP script trojan. It injects its own (polymorphic) code into a popular blog application's PHP files. If we removed the infected files, you would lose the PHP files and break the application. If we tried to remove the code, we could cause damage to legitimate PHP script (as we have no way to know where the viral code starts / ends).

    As a result, the only *real* solution is to delete and replace with a known good copy of the infected files. I'd argue that this is a situation where cleanup isn't appropriate for the file, and if we outright deleted it as part of your automatic configuration, you'd be left with no files and no real awareness that we just broke your applications :smileysad:

    No longer in the quarantine list is usually encountered when you have an alert on a file, but when you come to take action, the file is gone. A good example would be a file in your temporary internet files - we block it at time of execution, but by the time you are able to try Cleanup or run a Delete scan, the file has been purged by IE itself. Our Quarantine Manager obviously has no way to know the file is already removed - you can simply clear the alert at this stage (and run a quick scan across the drive to confirm it's clear).

    The immediate "Full System Scan" in Enterprise Console runs with default options - no cleanup, no delete. It is intended to pass over the drive, report problems and let you take care of them as appropriate.

    Hope this helps!

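The reply above says the only real fix for a script-injecting trojan like Troj/PHPMod-C is to find the touched PHP files and replace them with known-good copies. The following is an added example, not code from the thread, from Sophos, or from any blog application: it builds a SHA-256 manifest of the PHP files in a clean install and then reports which files were modified, removed, or newly added compared to that manifest. The directory layout, file names, and the "injected" line are all constructed for the demonstration; in practice the manifest would be built from a pristine download of the same application version.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large PHP files do not need to be read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, suffixes=(".php",)) -> dict:
    """Map each script file under root (relative POSIX path) to its SHA-256.

    Only files with one of the given suffixes are included, so uploads,
    caches and text files do not produce noise.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_to_manifest(root: Path, manifest: dict, suffixes=(".php",)) -> dict:
    """Diff the live tree against a known-good manifest.

    'modified' files are the ones to replace from a clean copy; 'added'
    files are candidates for dropped web shells; 'missing' files may have
    been deleted by a scanner or by the attacker.
    """
    current = build_manifest(root, suffixes)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed sample: a tiny fake blog install, a manifest taken from it,
    then one file gets an appended placeholder line, one is deleted and one
    new script appears. The injected text is made up and harmless."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "index.php").write_text("<?php require 'includes/load.php';\n")
        (root / "includes" / "load.php").write_text("<?php function load() { return 1; }\n")
        (root / "readme.txt").write_text("not a php file\n")
        good = build_manifest(root)

        with (root / "index.php").open("a") as f:
            f.write("<?php /* constructed placeholder for injected code */ ?>\n")
        (root / "includes" / "load.php").unlink()
        (root / "dropped.php").write_text("<?php // constructed new file\n")

        return compare_to_manifest(root, good)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The point of comparing whole-file hashes rather than scanning for a signature is exactly the one made in the reply: with polymorphic injected code there is no reliable way to cut the payload out, but a file that no longer matches its known-good hash is unambiguously one to restore. Run the comparison before and after restoring from the clean copy so the "modified" list comes back empty.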