
Non-existent PUA/Malware in registry

I'm seeing LOTS of messages like this:

"HKU\GUIDofaUSER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" belongs to adware or PUA 'Paypopup AdClick' (of type Adware).

Usually for every Roaming profile currently cached on the machine. The first entry is usually preceded by:

File "C:\Documents and Settings\USER1\Local Settings\Temporary Internet Files\Content.IE5\9UEQ0TJA\popup[1].htm" belongs to adware or PUA 'Paypopup AdClick' (of type Adware).

Registry value "HKU\GUIDofUSER1\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" belongs to adware or PUA 'Paypopup AdClick' (of type Adware).

Registry value "HKU\GUIDofUSER2\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" belongs to adware or PUA 'Paypopup AdClick' (of type Adware).

Sometimes that first entry is identified as a Java exploit and the same registry keys are reported, but this time with reference to the Java Malware.

However, since there is a GPO that sets this flag, I am somewhat confused. I also cannot clean it up from the console; I get

'None of these alerts can be cleaned up'.

So I suppose my query is threefold:

1) Is this a false positive, and if so how can we eliminate them?

2) How is it that there is a file in the internet cache that is being detected as potentially unwanted when I've got on-access scanning for PUA and HIPS, with web scanning set to 'On Access'?

3) How do I clean it up (at the very least there are the remnants of something in the user's TIF or Java cache)?

Many thanks

Nick

  • Hello Nick,

    I'll start with short answers to your threefold query

    1) probably not

    2) AFAIK PUAs will not be blocked by web content scanning (and thus may end in the cache) - but I might be wrong. It's also possible that the item in the cache predates detection

    3) if SEC does not offer cleanup you should be able to remove them with a custom scan (or just delete the cache contents)

    The registry key itself does not trigger detection - but if a certain PUA is detected, SAV also scans for this key to inform you of a (potential) modification by the PUA. Thus the message about the key is not a false positive. If this key is set to disable, you'll get the message every time something known to modify this key in this manner is detected.

    HTH

    Christian 

  • Hi Christian,

    Thanks for your reply.

    Surely Sophos ought to be blocking these types before they ever got to disk? I see tens of these every day. Given that clean up from the console fails every time for items in TIF or the Java Cache, I'd have to visit every infected machine, and I have some concerns about logging on as an Administrator onto a 'known infected' PC.

    Currently we aggressively purge roaming profiles so no machine reports a particular threat for more than a few days, but while this strategy works for blocked threats, it makes it nearly impossible to spot items of genuine concern amongst all the noise.

    There must be a better way? Perhaps create a custom scan task using schtasks and sav32cli?

    N.

  • Hello Nick,

    "every infected machine"

    Detection does not mean infection, but I can understand your concern about logging on locally as admin (something I never do except for forensics - but only when the machine is isolated). Due to a lack of samples I can't test whether a custom scan with 'Scan for adware and PUA' and 'Automatically clean up adware and PUA' will do what you want. You could also delete certain files remotely.

    As for blocking - Adware and PUAs are a grey area and while some of these "things" do modify settings they can't be generally classified as malicious (because for example they do the modification only at install time) and Sophos is less aggressive in dealing with them.

    Christian

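A small triage script, added here as an example and not part of the thread or of Sophos' own tooling: it parses alert lines in the format quoted above, keeps file detections as primary findings and groups the follow-on registry-value notices per user hive, marking the GPO-managed DisableRegistryTools value as expected noise. The sample alerts and SIDs are constructed, and the POLICY_MANAGED list is an assumption based on the GPO Nick describes.

```python
import re
from collections import defaultdict

# Alert format as quoted in the thread: an optional item kind, the quoted file path
# or registry value, then the PUA name and its type.
ALERT_RE = re.compile(
    r'^(?:(?P<kind>File|Registry value)\s+)?"(?P<target>[^"]+)"'
    r" belongs to adware or PUA '(?P<name>[^']+)' \(of type (?P<type>[^)]+)\)\.$"
)

# Registry values that group policy sets on this estate (assumption, taken from the
# thread): a notice about one of them is expected noise rather than a new finding.
POLICY_MANAGED = (
    r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
)

# Constructed sample modelled on the thread's messages; the SIDs are placeholders.
SAMPLE_ALERTS = r"""
File "C:\Documents and Settings\USER1\Local Settings\Temporary Internet Files\Content.IE5\9UEQ0TJA\popup[1].htm" belongs to adware or PUA 'Paypopup AdClick' (of type Adware).
Registry value "HKU\S-1-5-21-USER1\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" belongs to adware or PUA 'Paypopup AdClick' (of type Adware).
Registry value "HKU\S-1-5-21-USER2\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" belongs to adware or PUA 'Paypopup AdClick' (of type Adware).
"""

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["kind"] is None:  # some copies drop the prefix; infer it from the path
        is_reg = rec["target"].upper().startswith(("HKU\\", "HKLM\\", "HKCU\\"))
        rec["kind"] = "Registry value" if is_reg else "File"
    return rec

def triage(text):
    """Return (primary, secondary): primary is a list of (pua_name, path) for file
    detections; secondary maps pua_name -> {hive_sid: "policy-managed" | "review"}."""
    primary, secondary = [], defaultdict(dict)
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue
        if rec["kind"] == "File":
            primary.append((rec["name"], rec["target"]))
        else:
            parts = rec["target"].split("\\")
            hive = parts[1] if len(parts) > 1 else rec["target"]
            managed = any(rec["target"].endswith(p) for p in POLICY_MANAGED)
            secondary[rec["name"]][hive] = "policy-managed" if managed else "review"
    return primary, dict(secondary)
```

Run `triage()` over an exported alert list: the primary list is what needs attention, while hives marked "policy-managed" only repeat the GPO-set value and can be filtered out of the daily review.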