Security Analyses

Question

Many vendors (including Sophos) stopped publishing detailed information for a majority of the threats - understandably so. Much work and what would you need it for? To second-guess the scanner's results? The beast should have been found in time and blocked anyway so what's the use describing what could have happened if ...?

But in some areas the information is - for my taste - too sparse. Troj/FakeAle-NB has been blocked on a client, SEC is telling me (no more details, i.e. a path to a file, given). FakeAle sounds more like joke but the analysis offers no more insight. We do no have access to most of the clients (such is life at the university). Now the policy says: automatically clean up and otherwise deny access. First question is: why is a particular threat cleanable or why not. Second: if cleanable - why hasn't it been cleaned up (I know, sometimes a full scan is required - but sometimes it's in the analysis and sometimes not). Choosing Cleanup (if available) on Resolve alerts and errors ... most of the time results in timed out. More often than not the person you talk to has not very much knowledge and telling her where to look and what to look for is a feat. And directing them to Remove Trojans is not feasible solution.

Same problem with malware and suspiscious files. Cleaning with SEC is out of the question without more detailed information. Asking to user to send a sample ... see above (see also Send a sample).

Christian

This thread was automatically locked due to age.

paulcjones · Accepted Answer

Hi QC Information in an analysis is a balancing act - they take time to generate, and as you note, may not be relevant to many (most) customers or malware items. Consider that SophosLabs can see hundreds if not thousands of samples a day - many of which may never actually be seen at a customer site - it's hard to know which to dig deeper into.  At any time, you can request more detail about a detection - either by sending us a sample or simply contacting Support and asking for the labs to get the data for you. To answer your specific questions: 1)  Why is a particular threat cleanable or why not. C leanup is typically referring to the activity of removing malicious code from another file, or malicious files from their active locations on your system. For example, many non active Trojans do not have Cleanup options - as there is nothing to clean, they are simply a single file with 100% malicious code in them, they just need deleting. Legacy or older malware may pre-date our Cleanup routines entirely. Cleanup could be relevant if a Trojan was in memory (Cleanup would remove it from memory) or malware had infected a file (we would remove the malicious code). In some (rarer) cases the cleanup routine for an infected client is too complex for a simple cleanup job, and needs a standalone routine or cleanup utility. ( Conficker , for example) 2) If cleanable - why hasn't it been cleaned up ...  If Cleanup has failed, and nothing is reported to Enterprise Console, I would grab the local SAV scan logs to check out what is reported there. You can get to them through the C$ share if you have the admin rights of course, preventing the end user from having to go digging. There could be a variety of reasons why Cleanup has failed - from problems in the cleanup routine itself, to local client issues, or bad/odd infections of the Malware itself. :256