PUAs in Shadow Copy on Windows Server 2008

I am getting hundreds of PUA errors within Shadow Copy on a Windows Server 2008 and trying to work out how to delete them.

I have tried disabling and removing shadowcopy on the affected drives but this has had no effect.

Any ideas?

  • What are the names of the PUAs?  Could they be something you could just authorize?

    Regards,

    Jak

  • Mainly files that are infected with the following:

    Troj/Caphaw-AN

    Troj/CeeInj-N

    and files such as 

    Path: \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\Users Shared Folders\StephenT\AdwCleaner\Quarantine\C\Users\StephenT\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\DaemonProcess.exe.vir

    What was detected: Generic PUA JL

  • OK, so there is a mix of malware (Troj/Caphaw-AN, Troj/CeeInj-N) and non-specific Potentially Unwanted Applications (PUAs) in the form of "Generic PUA JL".

    I'm guessing this didn't help: https://community.sophos.com/kb/en-us/114422 ?

    I was thinking if you just had maybe things like pskill, psexec PUAs, you could just authorize them in policy.

    Regards,

    Jak

  • Hello Paul,

    \Users Shared Folders\StephenT\AdwCleaner\Quarantine ... DaemonProcess.exe.vir
    hm, something AdwCleaner thought it had to put in quarantine? Are the Users Shared Folders (or perhaps some folder on the path) excluded from on-access scanning?

    Christian

  • This isn't actually in the Users Shared Folders; it's in a shadow copy version of it which the user hasn't got access to.

    My guess is that Sophos hasn't got write access to it either, hence it is failing to remove.

  • Hello Paul,

    the user hasn't got access to
    I was thinking of on-access scanning on the server. The files must have existed in their original location, so I'd expect a corresponding detection there. If they are removed, subsequent shadow copies should be clean. Recurring detections (on other copies) would suggest that the offending files are still there.
    And yes, they can't be removed (other than by destroying the copy). I assume it's different copies each time.

    Christian
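To act on Christian's point, it helps to map each `\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\...` detection path back to the live volume and check whether the original file still exists. The PowerShell below is an added example written for this thread, not Sophos code and not part of the original discussion; it assumes a Windows host with the VSS WMI classes `Win32_ShadowCopy` and `Win32_Volume` available, and the detection path list is a constructed sample in the form shown above.

```powershell
# Added example (not from the thread): resolve AV detections inside Volume Shadow
# Copies to their live-volume path and report whether the original file still exists.
# Assumes the VSS WMI provider (Win32_ShadowCopy / Win32_Volume) and PowerShell 3+.

# Constructed sample of detection paths, copied in the format the scanner reports.
$detections = @(
    '\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\Users Shared Folders\StephenT\AdwCleaner\Quarantine\C\Users\StephenT\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\DaemonProcess.exe.vir'
)

# Lookup table: shadow device name (HarddiskVolumeShadowCopyN) -> ID, drive letter, creation time.
# Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ form that Win32_Volume.DeviceID uses,
# which is how a shadow copy is tied back to a drive letter.
$volumes   = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter }
$shadowMap = @{}
foreach ($sc in Get-CimInstance Win32_ShadowCopy) {
    $devName = ($sc.DeviceObject -split '\\')[-1]   # e.g. HarddiskVolumeShadowCopy6
    $vol = $volumes | Where-Object { $_.DeviceID -eq $sc.VolumeName } | Select-Object -First 1
    $shadowMap[$devName] = [pscustomobject]@{
        Id          = $sc.ID
        DriveLetter = if ($vol) { $vol.DriveLetter } else { $null }
        Created     = $sc.InstallDate
    }
}

function Resolve-ShadowDetection {
    param([Parameter(Mandatory)][string]$Path)

    # Pull out the shadow device component and the path relative to the volume root.
    if ($Path -notmatch '(?i)\\Device\\(HarddiskVolumeShadowCopy\d+)\\(.*)$') {
        return [pscustomobject]@{ Path = $Path; Note = 'not a shadow copy path' }
    }
    $devName  = $Matches[1]
    $relative = $Matches[2]

    $info = $shadowMap[$devName]
    if (-not $info) {
        # The copy the scanner saw has since been rotated out; nothing left to act on.
        return [pscustomobject]@{ ShadowDevice = $devName; Note = 'shadow copy no longer exists' }
    }

    $livePath = if ($info.DriveLetter) { "$($info.DriveLetter)\$relative" } else { $null }
    [pscustomobject]@{
        ShadowDevice      = $devName
        ShadowId          = $info.Id
        ShadowCreated     = $info.Created
        LivePath          = $livePath
        StillOnLiveVolume = if ($livePath) { Test-Path -LiteralPath $livePath } else { $null }
    }
}

$detections | ForEach-Object { Resolve-ShadowDetection -Path $_ } | Format-List
```

If `StillOnLiveVolume` is true, the live file is what keeps reseeding detections in each new snapshot, so clean it (or get it out of any on-access exclusion) and the next copies will be clean, as Christian describes. If it is false and the copy still exists, the file lives only in that read-only snapshot; the only way to remove it is to discard that copy, for example with `vssadmin delete shadows /For=<drive>: /Shadow=<ShadowId>` using the `ShadowId` reported above.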