how to clean/delete an uncleanable virus

Some of my computers here have some uncleanable viruses/spyware. I have already done the full system scan on the affected computer, and after the full system scan I already restarted the computer (the computer is installed with Endpoint Security 9 and is managed by Enterprise Console 4). Also, I already updated Endpoint Security 9 to its latest version, but to no avail; I still receive the virus alert from Enterprise Console.

Every time I try to resolve the alerts and errors on that specific computer that is infected by a virus, it always shows that the virus is uncleanable.

How can I clean/delete this virus (Virus/spyware 'Troj/Gida-A') using sophos?

  • Not all threats can be cleaned up using the console. And, if I may add, the current behaviour is a little bit confusing. 

    First of all it depends on your AV policy - whether you enable automatic cleanup and what Sophos should do if cleanup fails or is disabled. Then an item may show up as cleanable but cleanup fails or times out (even though the client is online - never found out what this signifies) or results in some other error. See chapters 11 and 12 in SEC Help. Look at the computer details where it has been detected and which action has been taken (right now I see Troj/Badsrc-H on a client with both cleaned up for the URL and blocked for the Content.IE5 subdirectory ... it's no longer present on the machine, if it ever was). 

    As you noticed, you are referred to the Security Analyses (which you can also access by clicking the alert in Computer Details), but more often than not you enter a loop at this point unless you decide to pay the client a visit. Check the client's sav.txt; it should tell you where the threat has been found, as this information is not always in SEC. You could then take a look if it's still there. Open the quarantine manager on the client: is it there? What actions are available?

    If it is indeed gone acknowledge the alert from the console. If it recurs it could be the user re-visiting a malicious or hacked site. Sorry if this seems even more confusing.

    In short - forget SEC for the moment and try to clean the client locally. If you then can't find out why it recurs, contact support. 

    And another tip: to get a feeling for how the various settings (On-access, Web-scanning, cleanup options and so on) affect the results (and the alerts you will receive), take a client and play with it. Visit www.eicar.org for a nonhazardous sample.

    Christian
