Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 4 subscribers
  • Views 12328 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Endpoint failed to protect my computer from malware

JosephBartram

Hi,

After booting up my system yesterday I found that my desktop (Windows 7 home premium x64) was running extremely slowly.  Having checked through the task manager, I found that there were a large number of generic-sounding .exe executables taking up huge amounts of (primarily) system memory, and (secondarily) CPU usage.  We're talking up to 98% of the 8GB of RAM, collectively.  They come and went, but there's about a dozen at any one time, taking from about 100,000 - 5,000,000K.  They included multiple instances of dllhost.exe, conhost.exe, cmd.exe, taskhost.exe, notepad.exe, amongst others.  In short, looks like classic malware.  I wasn't able to open the file locations (right clicking simply failed to open the folder) until I re-started the system in safe mode, whereupon I found the executables largely to be located in the system32 folder.  

Point being, I'd scanned the computer fully only a couple of days ago with Sophos Endpoint, and found nothing.  I set up another scan, which (as usual) looked like it would take several hours, so I left it running overnight.  Apart from failing to scan chrome appdata (returned SAV interface error 0xa0040202), the scan completed and detected nothing.  

I subsequently downloaded maywarebytes and have just finished running it in safe mode with networking.  It detected 12 separate threats, primarily Trojans - image attached.  I've quarantined these, and following a restart the system seems to be running normally, though I haven't tried it outside safe mode yet (CPU at 0%, memory at ~25%, most of which is chrome).

Point is, despite keeping sophos up-to-date and scanning regularly, it completely failed to protect me from some fairly obvious threats.  I exercise extreme caution when downloading content from the internet, so I really doubt this was something I downloaded.  Am I running Sophos incorrectly, and if not, why did this happen, and how can I protect myself better in the future?

Thanks,

Joseph

example of the malware processes (there weren't actually that many at the point I took this capture, more often about 15 all above 100,000K)

Malwarebytes result (scan took only ~30 mins):

 



This thread was automatically locked due to age.
Parents
  • 0

    Hello Joseph,

    am I running Sophos incorrectly? - likely not (assuming recommended settings with HIPS enabled). why did this happen? - threats are constantly updated the same way AV detections are. It's not easy to explain (and to understand) why sometimes some fairly obvious threats are missed. it detected 12 separate threats - not necessarily 12 separate, my count would be (at most, one is a PUP/PUA, seems to be an Ask toolbar) 6. Fact is that Sophos didn't detect this particular variant. As with the biological counterparts occasionally a sample is needed to develop efficient protection. Once Labs have received a sample (either through direct submission or upload to e.g. VirusTotal  )  

    Even with paranoid settings (and some gateway/network solution in place) don't expect 100% protection. As an aside: I took the SHA-1 given in the Troj/Bedep-Z analysis and looked it up at VirusTotal. At the time of the analysis Sophos detected it as Mal/Generic-S, obviously the specific detection has been created later. And as you can see some products did not yet detect it then.

    Christian

  • 0 in reply to QC
    Dear Chris,

    Having used many solution in prod environment, I have to say Sophos is the product that have the lowest detection score. We still have two clients using endpoint with SEC and once a year there is a disaster situation and backup restauration... I'm also disappointed on the many time Sophos is unable to clean the threat..
    Other then losing time trying to solve these cases we would like much more reactivity from the BD update team and some deep change on the SEC and endpoint to be much more effective. Some free solution without naming them have a better score... on detection and cleaning process. We really don't get why after so many feedback from users the politic didn't change.
    Hopefully things will change, maybe... or not.
    We do all remember the huge fail from 2012 with the self detection as a virus and the reactivity time it took to sophos to solve this case. That's where many client went missing and I see the last one leaving quietly to other products.
    Hopefully my point of view will shake some tree !!
    Best regards.
  • 0 in reply to HuguesPETITJEAN

    Hello Hugues,

    I (and please Christian if time permits [;)]) am the wrong tree. You're a partner/reseller or ...?

    once a year there is a disaster situation
    Wonder if we've just been lucky or what kind of disasters these are? self detection arguably Shh/Updater wasn't much of a problem on managed endpoints with recommended settings (admittedly it was a pain otherwise). Not too long before another vendor had an FP detection (with subsequent removal of a not unimportant executable) in \system32.

    I was not defending Sophos or comparing vendors - I always want to stress the fact that there isn't and one can't expect 100% protection. There might be no better protection possible (or at least feasible). I'm not saying it doesn't matter which AV to choose but there's no guarantee that you'll never encounter a "something" which your AV fails to detect.

    Christian

Reply
  • 0 in reply to HuguesPETITJEAN

    Hello Hugues,

    I (and please Christian if time permits [;)]) am the wrong tree. You're a partner/reseller or ...?

    once a year there is a disaster situation
    Wonder if we've just been lucky or what kind of disasters these are? self detection arguably Shh/Updater wasn't much of a problem on managed endpoints with recommended settings (admittedly it was a pain otherwise). Not too long before another vendor had an FP detection (with subsequent removal of a not unimportant executable) in \system32.

    I was not defending Sophos or comparing vendors - I always want to stress the fact that there isn't and one can't expect 100% protection. There might be no better protection possible (or at least feasible). I'm not saying it doesn't matter which AV to choose but there's no guarantee that you'll never encounter a "something" which your AV fails to detect.

    Christian

Children
No Data
Unfiltered HTML