My Sophos anti-virus has Quarantined a worm regsvr.exe but in the quarantine manager there is just one Authorize option in front of it. Why is the delete option not available?
Hi,
The file: "c:\Windows\System32\regsvr.exe" was detected by HIPS as performing suspicious behaviour and was classified as HIPS/ProcMod-007.
Essentially Sophos has not classified it as malware at that given point in time, but the behaviour of the file suggests caution is advised. It is therefore the administrator's decision to trust it if you know the file or to block it if you have reason to question it. Unless you created the file yourself, the only real way to know for sure is to send it to Sophos Labs. They will then be able to inform you if this file, in its own right, is something you wish to trust or not. The Action tab on the following page:
http://www.sophos.com/security/analyses/suspicious-behavior-and-files/hipsprocmod007.html
says pretty much that.
So it may have been something malicious and judging by the filename I would say it probably was, as the typical Windows file would be called:
"C:\Windows\System32\regsvr32.exe"
And it looks like the malware author has tried to use what looks like a likely Windows file name to help hide the file. A quick search on the Sophos site for "regsvr.exe" backs up that this is highly likely to be malicious, but possibly a new variant.
I would suggest sending the file to Sophos Labs if you still have it so Sophos can detect it as malware if that's what it should be. It may be that it is now detected as malware, in which case HIPS did its job in supplementing the more traditional signature-based approach. So even without specific detection you were alerted to the malware.
I hope this helps.
Jak
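The point of the reply above is that "regsvr.exe" is a near-lookalike of the legitimate "regsvr32.exe". As an added example (not code from the thread, from Sophos, or from any Sophos product), the script below scores a quarantined file's name against a small constructed list of well-known Windows binary names using edit distance, so an administrator can quickly see whether a detected file is mimicking an OS component before deciding to authorize or block it. The allow-list, the sample paths and the distance threshold are assumptions for the demonstration.

```python
"""Flag filenames that closely resemble well-known Windows system binaries.

Added example, not from the Sophos thread: a defender-side triage helper
for quarantined files whose names mimic OS components (e.g. "regsvr.exe"
versus the real "regsvr32.exe").
"""
import os

# Constructed sample of legitimate Windows binary names. Assumption: a real
# deployment would load the full list from a known-good System32 inventory.
KNOWN_SYSTEM_BINARIES = {
    "regsvr32.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "explorer.exe", "rundll32.exe", "services.exe", "winlogon.exe",
}


def edit_distance(a, b):
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_of(filename, max_distance=2):
    """Return the legitimate name this filename most resembles, or None.

    An exact match is not a lookalike. Names within `max_distance` edits
    of a known binary (e.g. a missing "32", or a digit swapped for a
    letter) are reported as the closest legitimate name.
    """
    # Normalise Windows paths so os.path.basename works on any host OS.
    name = os.path.basename(filename.replace("\\", "/")).lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    best, best_d = None, max_distance + 1
    for legit in KNOWN_SYSTEM_BINARIES:
        d = edit_distance(name, legit)
        if d < best_d:
            best, best_d = legit, d
    return best if best_d <= max_distance else None


def triage(path):
    """Produce a one-line verdict for a human reviewer."""
    match = lookalike_of(path)
    if match:
        return f"SUSPICIOUS: {path} resembles system binary {match}"
    return f"no lookalike match: {path}"


if __name__ == "__main__":
    # Constructed sample paths: the thread's file, the real binary, and a
    # typical digit-for-letter substitution.
    for p in [r"c:\Windows\System32\regsvr.exe",
              r"C:\Windows\System32\regsvr32.exe",
              r"C:\Users\someone\svch0st.exe"]:
        print(triage(p))
```

A hit from this check is a triage signal, not a malware verdict: the file may still need to go to the vendor's labs, as the reply says, but a name within two edits of a core Windows binary is a strong reason to choose "block" over "authorize" while you wait.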