
Folder Locations

Hello,

I want to know the folder locations once Sophos Anti-Virus has been installed. I am currently having an issue on a machine that is infected with a virus by the name of microsoft.exe (Troj/VB-EDT).

As the anti-virus cannot remove this, I wanted to locate and submit the file to Sophos for further investigation. Currently the file has been quarantined. When I check the console the message I get is:

The attempt to delete the infected file "C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\microsoft.exe" failed due to unknown error 0x80070020.

I have looked at the file location but it is no longer there as it is quarantined automatically. Can someone advise of the location of the quarantine folder?

Thank you.



  • Hi,

    By default, the malware isn't moved to a quarantine directory, the quarantine within Sophos Endpoint Security and Control provides a shortcut to the malware and actions the user can perform on it. The link really provides you just with the path to save you rescanning the disk again to locate it.

    If you do configure actions on detecting malware, the default location to move the malware to is:
    "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\"
    "C:\documents and settings\All users\Application data\Sophos Anti-Virus\INFECTED\"

    So depending on your configuration it may be there, but it looks like an attempt has already been made to delete the file if you have the error:
    "The attempt to delete the infected file "C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\microsoft.exe" failed due to unknown error 0x80070020."

    So it looks like you have either tried to clean up the malware or you have the action set to delete.

    For your example I would do as follows:
    1. Open up Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)
    2. Go to "Find" - "Find Handle or DLL"
    3. Search for microsoft.exe
    If this returns a result, locate the handle to this file and close it.
    This will confirm it exists, the path to the file, the process with a handle to it and the reason the attempt to delete the file failed.


    If this doesn't return a result I would re-scan the machine to ensure it's still being detected in the same location. Possibly use CMD.exe to navigate to the directory to check if the file exists in the location.

    Thanks

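The location-and-handle check described in the reply above, as an added PowerShell example that is not part of the original thread and is not Sophos code. It looks for a copy of the named file under the two default INFECTED folders quoted in the reply, then tries an exclusive open of the path from the console message to tell whether another process still holds the file. The file name, the reported path and the folder paths come from the thread; the interpretation of 0x80070020 as the standard Windows HRESULT for ERROR_SHARING_VIOLATION (Win32 error 32, "file in use by another process") is a known fact, and the SHA-256 output is an assumption about what you would want to include when submitting the sample.

```powershell
# Added example, not from the thread or from Sophos.
# Checks the default Sophos INFECTED folders for a file name, then tests whether
# the reported path is locked, which is what HRESULT 0x80070020 means.
param(
    [string]$FileName     = 'microsoft.exe',   # file name from the thread
    [string]$ReportedPath = 'C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\microsoft.exe'
)

# Default move-to locations quoted in the reply (Vista+ layout and XP layout).
$infectedDirs = @(
    'C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED',
    'C:\Documents and Settings\All Users\Application Data\Sophos Anti-Virus\INFECTED'
)

function Find-QuarantinedCopy {
    # Returns path, size and SHA-256 for every matching file under the given folders.
    param([string]$Name, [string[]]$Dirs)
    foreach ($d in $Dirs) {
        if (-not (Test-Path -LiteralPath $d)) { continue }
        Get-ChildItem -LiteralPath $d -Recurse -Force -Filter $Name -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Size   = $_.Length
                    Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

function Test-FileLocked {
    # Exclusive open (share mode None): a sharing violation means another process
    # holds the file open, the same condition that makes a delete fail with 0x80070020.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing (already removed or moved)' }
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'None')
        $fs.Close()
        return 'not locked'
    } catch [System.IO.IOException] {
        # HResult is a signed Int32; mask to compare against the unsigned literal.
        $hr = $_.Exception.HResult -band 0xFFFFFFFF
        if ($hr -eq 0x80070020) {
            return 'locked by another process (ERROR_SHARING_VIOLATION, 0x80070020)'
        }
        return ('I/O error 0x{0:X8}' -f $hr)
    } catch {
        return ('error: ' + $_.Exception.Message)
    }
}

$copies = Find-QuarantinedCopy -Name $FileName -Dirs $infectedDirs
if ($copies) {
    $copies | Format-Table -AutoSize
} else {
    "No copy of $FileName under the default INFECTED folders; the file was not moved."
}
"Status of reported path: " + (Test-FileLocked -Path $ReportedPath)
```

If the reported path comes back as locked, the Process Explorer search in the reply (or Sysinternals handle.exe run as `handle.exe microsoft.exe` from an elevated prompt) identifies the process holding it; once that process is stopped, a re-scan should be able to delete the file, and the SHA-256 from the first function is what you would quote when submitting the sample.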