This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

I need to allow troj/pdfex-ho detection to pass on-access scanning without action on part of the Sophos client. How do I do this?

We have a "cloud" company that creates partially filled-out state forms, on demand, for our users to complete. The company reports no issues with their files but our Sophos clients indicate the files have Troj/pdfex-ho in them. Classic he said - she said stuff here. I just need to get my people working. The exploit targets software versions we no longer have. How do I suppress the Sophos detection on this exploit? Filenames are dynamically created PDFs and I don't want to let all PDF files pass unchecked. I simply need to let the Troj/PDFex-ho files pass. Thoughts?

Cheers!

-JK



  • Hello JK,

    from the analysis for Troj/PDFEx-HO I don't think (but don't know - I'm not Sophos and even less Labs) that it triggers just on the presence of /Launch, i.e. that the files could be used for malicious purposes. You can't authorize a Virus/Spyware detection. I'd submit a sample of one or more of these files - detections are amended if needed and adequate. Otherwise there might be some dispensable component in the dynamically created files.

    Christian 

  • Hi Christian.  Thanks for taking a swing at this!  Looks like I might be stuck.  I did submit some test files to Sophos and received a nice automated note back that I had sent a known exploit.  Trouble is that Sophos is the only malware scanner that sees it.

    Thanks again!

    -JK

  • Hello JK,

    the responses (normally two, one confirming the submission and one with the results) have a case number and somewhere there's a text telling you that you should reply if ....

    Admittedly it's not always easy to have such questions escalated - you'd have to insist. As you can'texcludeallPDF...

    Christian

  • rats ... it ate the blanks on my old iPad ... :)

  • I think that's a sound direction.  I'll resubmit some test files and bark a bit more.

    Thanks!

    -JK
