Only "Authorize" option in "Available actions"

My Sophos anti-virus has quarantined a worm regsvr.exe, but in the quarantine manager there is just one Authorize option in front of it. Why is the delete option not available?



  • Hello Mixit,

    please tell us which type and name of threat the quarantine manager displays.

    Christian

  • I can think of only one possibility here:

    * you don't have the rights to tinker with the Sophos installation. Only your Sophos Administrator can review the malware, evaluate it and then take appropriate action. This is all done remotely. He doesn't have to visit your machine.

  • By default SophosAdministrator and SophosPowerUser have all rights for dealing with an item in quarantine manager, whereas SophosUser has none - not even authorize. I would be surprised, as "authorize" is potentially more dangerous than delete (dangerous in terms of infection - not crippling the OS ;) )

    Christian

  • Hi Christian

    These are the details

    Type: Suspicious behavior
    Name: HIPS/ProcMod-007
    Details: c:\Windows\System32\regsvr.exe
    Available actions: Authorize

    Thanks

  • Hi

    I just installed Microsoft Security Essentials and got rid of the worm! :P

  • Hi

    I too have this problem of suspicious items in quarantine only having the option to authorize.

    I'm using xp home, and the files are Sus/ComPack-B & NirCmd. I've been told that NirCmd in particular might not be a threat, but how do you tell that?

    Thanks.

  • Hi,

    The file: "c:\Windows\System32\regsvr.exe" was detected by HIPS as performing suspicious behaviour and was classified as HIPS/ProcMod-007.

    Essentially Sophos has not classified it as malware at that given point in time, but the behaviour of the file suggests caution is advised.  It is therefore the administrator's decision to trust it if you know the file, or to block it if you have reason to question it.  Unless you created the file yourself, the only real way to know for sure is to send it to Sophos Labs.  They will then be able to inform you if this file, in its own right, is something you wish to trust or not. The Action tab on the following page:

    http://www.sophos.com/security/analyses/suspicious-behavior-and-files/hipsprocmod007.html

    says pretty much that.

    So it may have been something malicious and judging by the filename I would say it probably was, as the typical Windows file would be called:
    "C:\Windows\System32\regsvr32.exe"

    And it looks like the malware author has tried to use what looks like a likely Windows file name to help hide the file. A quick search on the Sophos site for "regsvr.exe" backs up that this is highly likely to be malicious, but possibly a new variant.

    I would suggest sending the file to Sophos Labs if you still have it, so Sophos can detect it as malware if that's what it should be.  It may be that it is now detected as malware, in which case HIPS did its job in supplementing the more traditional signature-based approach. So even without specific detection you were alerted to the malware.

    I hope this helps.

    Jak

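Jak's reasoning above (a name one or two characters away from the genuine regsvr32.exe, no way to be sure without a lab verdict) can be turned into a quick triage an administrator runs before choosing Authorize in Quarantine Manager. The script below is an added example for this thread, not Sophos code and not something any poster ran: it checks whether the quarantined file carries a valid Microsoft Authenticode signature, whether its name is a near-miss for a well-known Windows binary, and records its SHA-256 for a lookup or a lab submission. The path is the one reported in the thread; the list of well-known binary names is a constructed assumption and can be extended. Run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example, not code from the thread or from Sophos: triage a quarantined
# file before choosing Authorize or Block in Quarantine Manager.
param(
    [string]$Path = 'C:\Windows\System32\regsvr.exe'   # path reported in the post
)

# Constructed list of genuine Windows binaries whose names malware often imitates
# (assumption for the example; extend as needed).
$wellKnown = @('regsvr32.exe', 'svchost.exe', 'lsass.exe', 'csrss.exe',
               'services.exe', 'rundll32.exe', 'explorer.exe', 'winlogon.exe')

function Get-EditDistance {
    # Levenshtein distance; catches dropped, added or swapped characters,
    # e.g. regsvr.exe vs regsvr32.exe is distance 2.
    param([string]$A, [string]$B)
    $a = $A.ToLowerInvariant(); $b = $B.ToLowerInvariant()
    $d = New-Object 'int[,]' -ArgumentList ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Get-Sha256Hex {
    # SHA-256 of the file, for a lab submission or a lookup against published analyses.
    param([string]$File)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($File)
    try { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "File not present (already cleaned up?): $Path"
    return
}

$name = [System.IO.Path]::GetFileName($Path)

# 1. Who signed it? Genuine System32 binaries carry a Microsoft signature. An
#    unsigned file with a system-looking name is a red flag, though not proof
#    of malice on its own.
$sig      = Get-AuthenticodeSignature -FilePath $Path
$signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
$msSigned = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

# 2. Is the name one or two edits away from a genuine Windows binary?
$lookalikes = @($wellKnown | Where-Object {
    $_ -ne $name.ToLowerInvariant() -and (Get-EditDistance $name $_) -le 2
})

# 3. Hash for the lab or a lookup.
$hash = Get-Sha256Hex -File $Path

Write-Output ("File             : {0}" -f $Path)
Write-Output ("Signature status : {0}" -f $sig.Status)
Write-Output ("Signer           : {0}" -f $signer)
Write-Output ("SHA-256          : {0}" -f $hash)
if ($lookalikes.Count -gt 0) {
    Write-Output ("Name resembles   : {0}" -f ($lookalikes -join ', '))
}

if ($msSigned) {
    Write-Output 'Verdict: validly Microsoft-signed; a false positive is plausible, but confirm before authorizing.'
} elseif ($lookalikes.Count -gt 0) {
    Write-Output 'Verdict: not Microsoft-signed and named like a Windows binary. Do not Authorize; submit the sample to Sophos Labs.'
} else {
    Write-Output 'Verdict: unknown origin. Do not Authorize until the publisher or the lab has confirmed it.'
}
```

The signature check is the decisive half: a near-miss name such as regsvr.exe is only a hint, whereas a file in System32 that has no valid Microsoft signature should never be authorized on the strength of its name. Note that Get-AuthenticodeSignature on older Windows versions only sees embedded signatures, so a "NotSigned" result on a genuine catalog-signed system file is possible; treat the verdict as a prompt to investigate, not as a lab result.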