Issue with quarantined files

I've been having a couple of issues with Sophos endpoint and control recently.  
Firstly, I've been getting incredibly frequent (every few minutes) notification popups with the following message:
"High risk website blocked
Access has been blocked to "x" as "y" has been found at this website"
There doesn't seem to be any relationship to what I'm browsing on (the address "y" never has anything to do with the web pages I'm on), and nothing noticeably changes on my web browser either (it doesn't block me opening any pages).  It even happens when I'm not browsing the web!  Why is this happening?
Secondly, Sophos recently isolated what it detected as a virus threat.  I got the following message:
"Threat has been detected by Sophos
Virus/spyware Mal/Generic-S has been detected and moved to quarantine"
Having opened the panel, it is listed as:
"No Actions (cleanup incomplete, manual removal required)"
However, having looked up the file in question (FntCache.dll), it seems to be important for Windows functioning.  Can I safely delete it manually or not?
Thanks,
Joseph


  • Hello Joseph,

    Mal/Generic-S - please submit a sample for Mal/Generic-S detections, especially if system files are flagged.

    High risk website blocked popup - the popup is usually for elements of a page where it's not possible to display the substitute page/frame. when I'm not browsing the web - the browser is not open at all or is it idling? If the latter, it could be a script (e.g. "serving" ads) on one of the pages displayed or a rogue add-on.

    Christian

  • Hi Christian - I've tried submitting a sample (following the instructions given) - however, whenever I try to upload the file (now in .000 format) I receive a message saying I don't have permission to do so - I am the administrator (and only user) on the system, and having checked through the file properties I should have permission to use it. A bit baffled...

    Re: website popups - when it's idling, I think. Can you clarify - is this something I should worry about, or can I ignore it?

    Thanks,
    J
  • Hello Joseph,

    so it has been moved to the INFECTED folder (not ideal if it's important for Windows functioning)? Has it been moved from the \Windows\system32\ folder or some other location? If the latter, the detection is likely correct. I don't have permission - did you get another Sophos alert (this time for the .000 file in the INFECTED folder)? If so, it might be necessary to (temporarily) exclude it (or *.000 files) from scanning. I don't think it is locked if it could be moved.

    website popups
    I've seen such alerts on legitimate (and in principle clean) sites caused by ads or remote (third-party) content. If you constantly get alerts (e.g. when this Community is your only open page) then there's probably "something" on your system. If it's only certain sites and only as long as you stay on them there's likely no immediate danger but you should nevertheless be careful.

    Christian 

  • Hi Christian,
    It was moved from program data (C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}). To clarify, I only tried uploading the file after Sophos moved it to the quarantine folder, as per the instructions in the knowledge base article. As such, I've only tried uploading the .000 file. So, yes, I got a Sophos alert when trying to upload the .000 file. How can I temporarily exclude it from scanning in order to upload it?

    Thanks once again for your patience!
    J
  • Hello Joseph,

    from program data
    ah, this is not the place where a Windows component should reside, which makes it pretty certain it's malicious. BTW - you shouldn't log in for everyday work with an admin account, too easy for a threat to take root. Do you still get the Blocked notifications?

    Now as to the upload: Open the Sophos GUI, Configure -> Anti-Virus -> On-access scanning -> in the pop-up window tab Exclusions -> Add. As Item type select File, enter either the full name FntCache.dll.000 or *.000 as Item name, confirm with OK. This should enable you to upload the file.

    Christian

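The location test Christian applies above (a file named like a Windows component, but found in a GUID-named ProgramData folder rather than under System32) can be turned into a small triage check. This is an added example for readers of the thread, not Sophos code; the quarantine records, the list of system directories and the set of "known system names" are all constructed for illustration (only FntCache.dll and the GUID folder come from the thread).

```python
import ntpath

# Constructed quarantine records: (original path, detection name). The first
# entry reproduces the thread's case; the other two are made up for contrast.
SAMPLE_QUARANTINE = [
    (r"C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\FntCache.dll", "Mal/Generic-S"),
    (r"C:\Windows\System32\FntCache.dll", "Mal/Generic-S"),
    (r"C:\Users\joseph\AppData\Local\Temp\setup.exe", "Mal/Generic-S"),
]

# Directories where a genuine Windows component is expected to live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Hypothetical allow-list of file names that ship with Windows; in practice this
# would be populated from a clean reference system.
KNOWN_SYSTEM_NAMES = {"fntcache.dll", "kernel32.dll", "ntdll.dll", "user32.dll"}


def in_system_dir(folder):
    """True if folder is one of SYSTEM_DIRS or lies beneath one of them."""
    folder = folder.lower().rstrip("\\")
    return any(folder == d or folder.startswith(d + "\\") for d in SYSTEM_DIRS)


def triage(path):
    """Return (verdict, reason) for one quarantined file's original path."""
    folder, name = ntpath.split(path)
    name_l, folder_l = name.lower(), folder.lower()
    if name_l in KNOWN_SYSTEM_NAMES and not in_system_dir(folder):
        # Same reasoning as the thread: a system DLL name outside a system dir.
        return "likely-malicious", "system file name outside a Windows system directory"
    if name_l in KNOWN_SYSTEM_NAMES:
        # Could be a true positive or a false positive: submit a sample first.
        return "submit-sample", "genuine system location; confirm with vendor before removal"
    if "\\programdata\\{" in folder_l or "\\appdata\\" in folder_l:
        # Executables dropped into user-writable data folders warrant a look.
        return "suspicious", "executable in a user-writable data directory"
    return "unknown", "no heuristic matched"


def triage_all(records=SAMPLE_QUARANTINE):
    """Map each quarantined path to its verdict."""
    return {path: triage(path)[0] for path, _detection in records}


if __name__ == "__main__":
    for path, verdict in triage_all().items():
        print(f"{verdict:16} {path}")
```
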
  • Thanks Christian, I've now been able to upload it. Hopefully I'll get a response soon.