
Virus/spyware GFP/Emds-A detected - not known on Sophos site

I would like to have advice on this strange issue.

When I started my laptop, Sophos reported 78 (later 71) new Virus/spyware threats, all with the name GFP/Emds-A. See screenshot below.
I searched for this threat on the Sophos site, finding out that it is not known (search results for GFP/Emds-A). I manually updated the virus definitions: still 71 GFP/Emds-A threats. I restarted my laptop: still 71 GFP/Emds-A threats.

Next I ran a complete scan as administrator (also searching for rootkits etc.). This scan however reported no threat at all. I copied one of the 71 files to another folder, renamed it (just to be sure) and scanned it with right-click. Result: no threat found.

The offending files typically haven't been changed in the last few months, and are typically part of applications considered safe, like Steam, Skype and the Java JDK.
There are no actions possible on these threats, even as administrator. The message is: insufficient rights, please contact your administrator.

I'm wondering whether this is just a harmless bug, or (worse) whether my Sophos itself has been hacked. Any suggestions? 

  • Hello Betsy Pepels,

    haven't seen the GFP/ prefix before, it's not listed in Comparison of Sophos's Malicious File Detection Technologies (and I don't have an idea what it could stand for). This is the on-premise ESC version?

    Did on-access detect these alleged threats? The Anti-Virus and HIPS log should show the details. This might (just an assumption, I'm not Sophos) have been a "leaked experimental detection" that slipped through QA (this could also explain the No actions in QM). Apparently this detection has been removed (please note that this alone normally doesn't remove the items from the list). Somehow a number of items have been "dealt with" - maybe you'll find something in the log.

    >just a harmless bug
    whatever it was, perhaps someone from Sophos could explain - although yours seems to be the only report.

    >haven't been changed in the last few months, and are typically part of applications considered safe
    how do you tell they haven't? The dates in the file system are no proof, only a fingerprint (checksum, hash, ...) would be. Wouldn't subscribe that these applications can be considered safe ;). Joking aside - all the items on the screenshot are executables and this could be the symptom of a PE infector.

    Christian
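
Added example of the point Christian makes above (my code, not Christian's and not a Sophos tool): a baseline of SHA-256 fingerprints catches an executable that was rewritten even when its timestamps were put back, which file-system dates alone would miss. The tracked extensions and the scratch-directory scenario are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

TRACKED = {".exe", ".dll", ".sys", ".scr"}  # assumed: extensions worth fingerprinting

def sha256_of(path):
    """SHA-256 of a file, read in 1 MiB chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each tracked file under root to (sha256, mtime_ns)."""
    root = Path(root)
    return {
        str(p.relative_to(root)): (sha256_of(p), p.stat().st_mtime_ns)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in TRACKED
    }

def compare_baseline(old, new):
    """Report content changes; flag those whose timestamp did not move."""
    changed = {
        rel: {"mtime_preserved": old[rel][1] == mtime}
        for rel, (digest, mtime) in new.items()
        if rel in old and old[rel][0] != digest
    }
    return {
        "changed": changed,
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
    }

def demo():
    """Constructed scenario: a file is rewritten and its timestamps restored."""
    root = Path(tempfile.mkdtemp())
    exe = root / "app.exe"
    exe.write_bytes(b"MZ" + b"\x00" * 64)  # constructed stand-in for a PE file
    st = exe.stat()
    before = build_baseline(root)
    exe.write_bytes(b"MZ" + b"\x90" * 64)  # content modified ...
    os.utime(exe, ns=(st.st_atime_ns, st.st_mtime_ns))  # ... timestamps put back
    return compare_baseline(before, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

On a real machine, take the baseline from known-good media and keep it off the host; the report's `mtime_preserved` entries are exactly the cases a date-based check would have missed.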

  • Thanks Christian. 

    >Did on-access detect these alleged threats?
    Yes.

    >The Anti-Virus and HIPS log should show the details.
    I can't find those logs ... Suggestions where to look? 

    >someone from Sophos could explain
    I hope so ... 

    >how do you tell they haven't? The dates in the file system are no proof
    Agree! 

    >the symptom of a PE infector
    Agree! Anyhow, I'm not using my laptop for sending email, making payments or whatever could be unsafe until this is cleared up.
    I'm very suspicious. I once suffered from a zero day attack with minimal symptoms. 
    Betsy 

  • Hello Betsy,

    the Anti-Virus and HIPS log from the GUI: View anti-virus and HIPS log, which displays the log of the current month. Or open %ProgramData%\Sophos\Sophos Anti-Virus\logs\SAV.txt with an editor. The \logs\ directory also contains archived AV logs (by default 4) and the scheduled scans' logs.

    If memory serves me right I've encountered such a "runaway detection" twice (not counting the infamous Shh/Updater). Guess Sophos staff is also reading this and they'd object if I were totally wrong and an unspoken no comment would mean you don't have to worry.

    If you want to be really sure that these files are clean I'd suggest that you boot with some Live Linux, copy (some of) the files, and send them as samples.

    Christian