
Security Analyses

Many vendors (including Sophos) stopped publishing detailed information for a majority of the threats - understandably so. Much work and what would you need it for? To second-guess the scanner's results? The beast should have been found in time and blocked anyway so what's the use describing what could have happened if ...?

But in some areas the information is - for my taste - too sparse. Troj/FakeAle-NB has been blocked on a client, SEC is telling me (no more details, i.e. a path to a file, given). FakeAle sounds more like a joke but the analysis offers no more insight. We do not have access to most of the clients (such is life at the university). Now the policy says: automatically clean up and otherwise deny access. First question is: why is a particular threat cleanable or why not? Second: if cleanable - why hasn't it been cleaned up (I know, sometimes a full scan is required - but sometimes it's in the analysis and sometimes not)? Choosing Cleanup (if available) on Resolve alerts and errors ... most of the time results in a timeout. More often than not the person you talk to has not very much knowledge and telling her where to look and what to look for is a feat. And directing them to Remove Trojans is not a feasible solution.

Same problem with malware and suspicious files. Cleaning with SEC is out of the question without more detailed information. Asking the user to send a sample ... see above (see also ).

Christian

  • Hi Paul,

    thanks for your (also nicely formatted) reply. I'm rather contacting support without being sure what I'm talking or asking about (but not in general - sent about a dozen queries in the last month :smileyhappy:).

    Just this morning I stumbled over Troj/PHPMod-C (not cleanable, history gives the filename and action blocked for a local user and none for SYSTEM - whatever SYSTEM wanted to do that hasn't been blocked). So I follow the instructions for removing Trojans which tell me "You can remove Trojans over a network using Enterprise Console". Article 12452 says:


    What to do

    1. Assessing the problem

    Before removing viruses, and other threats, you should determine if they can

    • make changes to the setup of your computers, or documents on them
    • spread internally via shares on your network
    • take administrator rights, or otherwise damage your network.

    First, from Enterprise Console, find out what items are present on a computer.

    1. Right-click the computer name.
    2. Select 'View computer details'.
    3. Scroll down to 'Items detected' (or 'Viruses detected').
      • The 'Type' (or 'Virus name') column lists the names of the items found.
      • The 'Details' (or 'Infected file') column lists where the items are on the computer.
    4. Click the name of the item to read its description on the Sophos website.

    Isn't this where I came from? :smileyvery-happy: Guess this is the point where I should contact support ...

    They just need deleting - would they be listed as cleanable and can this be done using SEC/Cleanup? Oh - by the way, which settings for "Cleanup" does the immediate "Full system scan ..." (from SEC) use?

    If cleanable - why hasn't it been cleaned up ... apart from timeouts I've only encountered "no longer in the quarantine list". As said, we don't have admin rights on most clients and we can't access the logs. Usually the status changes within seconds (except of course for timeout) - either the alert is cleared or it no longer appears.

    Christian
