
Mal/KovterLnk-A and Mal/KovterBat-A cannot be removed

Sophos Endpoint Security and Control 10.6 running on Windows 7 Professional x64 detected Mal/KovterLnk-A and Mal/KovterBat-A this morning and moved them to Quarantine.

The available action says Clean Up, then it goes to Cleaning Up, and instantly the viruses appear in the Quarantine again.

When I open the Details that take me to the file location, the shortcuts are in the Windows Startup folder and appear and re-appear while Sophos tries to Clean Up the threat.

It appears as if the virus/malware is re-installing itself as soon as Sophos cleans it up.

I've tried to select and Clean Up the files, but it says a Clean Up is already in process.

  • Hi,

    If you know the location and/or file name of the location the files re-appear in, what about running Process Monitor:
    https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
    ...to understand what process is writing the files to that location.

    It sounds like the "dropper" is not detected if it keeps coming back. If you can understand the process creating the files, you can then find the file responsible and send them to Sophos Labs.

    Regards,

    Jak

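One way to act on Jak's suggestion, as an added example that is not from this thread or from Sophos: after recording with Process Monitor and exporting the capture as CSV, this Python script lists the processes that create or write files under a Startup folder, so the writer stands out from the AV and Explorer merely opening the same shortcut. The CSV column names are the ones Procmon writes; the sample rows, the process name unknown.exe and the paths are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Process Monitor CSV export (File > Save..., CSV).
# The column headers are the ones Procmon writes; the rows themselves are
# made up for this illustration and do not come from the thread.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:12:01.1234567 AM","unknown.exe","4120","CreateFile","C:\Users\brent\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1b2c3.lnk","SUCCESS","Desired Access: Generic Write"
"9:12:01.1234999 AM","unknown.exe","4120","WriteFile","C:\Users\brent\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1b2c3.lnk","SUCCESS","Offset: 0, Length: 1,234"
"9:12:01.2000000 AM","SavService.exe","1588","CreateFile","C:\Users\brent\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1b2c3.lnk","SUCCESS","Desired Access: Read Attributes, Delete"
"9:12:01.2100000 AM","explorer.exe","2044","CreateFile","C:\Users\brent\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1b2c3.lnk","SUCCESS","Desired Access: Read Attributes"
"9:12:01.3000000 AM","unknown.exe","4120","WriteFile","C:\Users\brent\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x9y8.bat","SUCCESS","Offset: 0, Length: 512"
"9:12:02.0000000 AM","notepad.exe","3001","WriteFile","C:\Users\brent\Documents\notes.txt","SUCCESS","Offset: 0, Length: 20"
'''


def is_startup_path(path):
    """True for files under a per-user or all-users Startup folder."""
    return "\\programs\\startup\\" in path.lower()


def startup_writers(csv_text):
    """Summarise, per process, successful write-type operations on Startup files.

    CreateFile counts only when the requested access includes some form of
    write; plain reads, attribute queries and the AV's own delete-on-cleanup
    opens are ignored so the process that keeps re-creating the files stands out.
    """
    writers = defaultdict(lambda: {"pids": set(), "paths": set(), "events": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "SUCCESS" or not is_startup_path(row["Path"]):
            continue
        op = row["Operation"]
        if op == "WriteFile" or (op == "CreateFile" and "Write" in row["Detail"]):
            rec = writers[row["Process Name"]]
            rec["pids"].add(int(row["PID"]))
            rec["paths"].add(row["Path"])
            rec["events"] += 1
    return dict(writers)


if __name__ == "__main__":
    for name, rec in sorted(startup_writers(SAMPLE_CSV).items(),
                            key=lambda kv: -kv[1]["events"]):
        pids = ", ".join(str(p) for p in sorted(rec["pids"]))
        print(f"{name} (PID {pids}): {rec['events']} write(s) "
              f"to {len(rec['paths'])} Startup file(s)")
```

The PID column then tells you which running process (and, via Procmon's Process Tree, which parent) to look at and what file to submit to Sophos Labs.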
  • Jak,

    After another re-start the shield in the system tray now says Sophos is disabled, but ALMON.exe is running in the task manager.

    There are now additional items in the Quarantine that require manual cleanup, including an interchk.chk file in Sophos itself.

  • Hello Brent Berarducci,

    please see the Sophos Malware Remediation Toolkit (SMaRT). IMO it's a good walk-through and helps with a systematic approach. If you've contracted this thing as a user with administrative rights you might have to use SBAV.

    Christian

  • Christian,

    Thank you for this valuable suggestion.

    I am at the point where I need to isolate the computer from the network, and the steps tell me to run Sophos Anti-Virus. However, when I download and try to install Sophos Anti-Virus I receive an error message that says it will not install unless I uninstall all other instances of Sophos software first. This doesn't seem intuitive; is this correct?

    Thank you again.

  • Hello Brent Berarducci,

    "I download and try to install Sophos Anti-Virus"
    Which package? The SESC stand-alone? Normally setup logs its actions in your user's %TEMP% directory (the Enterprise installer e.g. Sophos ES setup.log), naming the "unacceptable" product(s); I wonder if it's the SVRT. Could you post/show the exact error message? If I understand correctly you have SESC installed but it no longer seems to work?

    Christian


  • Christian,

    This is the message I am receiving.

    These are the Sophos installations I have currently.

    When I place my cursor over the Sophos Icon in the System tray this morning it says Sophos Protection Disabled and Sophos Protection Update has Failed. However Sophos opens up and looks normal.

    The Anti-Virus Log just keeps repeating that Mal/KovterLnk-A has been removed, then that it has been detected; the same with Mal/KovterBat-A.

    The Quarantine continues to show Clean Up, Cleaning Up, then the threats re-appear.

    Thank you very much for your interest and support.

  • Hello Brent Berarducci,

    Sophos Home and Enterprise are different "families"; you can't install one over the other. I don't see the Sophos Remote Management System, so this seems to be the stand-alone Enterprise version.

    Both the Interactive SMaRT and the PDF have many paths; I'm not sure what you have already tried and what not. Apparently you want to update the existing installation. That might or might not work depending on what the malware did and does.
    Did you run the Source Of Infection tool? This should identify the rogue process (or a hijacked process). If the former and you can find the file it runs from, then you still have to capture it. Probably not possible from the symptoms you've described. Might be possible in Safe Mode; if not you'd have to try SBAV or some LiveCD.

    Christian

  • Christian,

    I am at step 10. The SDU is running now. It is asking for a Sophos Reference Number and then says it cannot locate the referenced files.

    I don't understand how to run the SOI via the command line.

    Thank you.

  • Christian,

    I am getting messages to contact support, but when I click the support link all it does is take me to this forum.

    I can email the logs, but don't know the email to send them to.

    Thank you.

  • Hello Brent Berarducci,

    you can raise a ticket or send samples on the Support page. Samples can be sent to samples@sophos.com and support requests to support@sophos.com. If you have not yet opened a ticket for this incident you don't have a reference number, naturally.

    Scenario B in the SOI article gives an example for use in your situation (of course you have to use "your" path).

    Christian

  • Christian,

    Thank you for the link. I read the article when I downloaded the tool. It is beyond my technical ability.

    I can't even get it to open in CMD prompt.

    I've started a ticket with Sophos and uploaded the files from the SDU.

    Hopefully they have a remedy for a layperson such as me.

  • Praveen contacted me this morning and we were able to remove the threat.

    1. Download and install Sophos Clean.

    2. Re-start the machine in Safe Mode.

    3. Run Sophos Clean and DELETE all detected threats. If you leave it in Quarantine it will be there when you re-start in Normal Mode and the threat will re-install itself. Must DELETE in SAFE MODE.

    4. Restart machine in normal mode. Scan with Endpoint Control and Sophos Virus Removal and ensure machine is clean.

    Thank you to forum members for their suggestions and support.

    R,

    Brent