
Threat dismissed vs threat cleaned up vs threat detected!! Need better clarity on the Sophos action on the malware

Hi,

 

Can someone tell me the difference between threat dismissed and threat cleaned up? We do have a SIEM tool in which Sophos logs are integrated. Looking at the Sophos logs I could see various actions performed by Sophos on malware. Below is the list:

Event::Endpoint::Threat::Detected

Event::Endpoint::Threat::CleanedUp

Event::Endpoint::Threat::Dismissed

Event::Endpoint::Threat::CleanupFailed

 

What does it actually mean? Does it mean that the malware was present on the host and was successfully cleaned, or is it that Sophos does not have access to the file and dismissed it?

Here is the sample log of the threat dismissed:

2017-10-18T04:49:15.538Z rt="2017-10-18T04:49:15.538Z"; endpoint_id="XXX3-f3e0-348b-f8fe-XXXXX"; end="2017-10-18T04:49:14.000Z"; severity="low"; duid="5XXXXXX the threat?5b"; whitelist_properties="{}"; dhost="XXXXX"; endpoint_type="computer"; threat="JS/FakeAle-SG"; suser="XXXX"; group="MALWARE"; customer_id="exxdxxx-3xxxxc-cxx-abf897302372"; type="Event::Endpoint::Threat::Dismissed"; id="xXXX-686c-XXX-5XXc-axxxx9fe"; name="Malware locally cleared:'JS/FakeAle-SGat 'C:\XXXXXXta\Local\GooglXXX\User Data\Default\Cache\f_001d18'";

 

In certain scenarios I would get threat dismissed logs directly for certain signatures on a host, even without getting the detected logs. Can someone shed light on this scenario?

Summing up my understanding here:

If the malware has initiated on the host and Sophos detects it, it would come under the category Threat::Detected.

If the malware was cleaned up, it would come under the category Threat::CleanedUp.

If the malware was not cleaned up, it would come under the category Threat::CleanupFailed.

If the malware was not initiated and Sophos was able to clear it, would it come under Threat::Dismissed? Is this assumption right?

  • Hello Renju Jacob,

    I assume Threat dismissed is equivalent to Threat no longer present. In the above example it's the browser cache; the initial intervention (i.e. blocking the file) might have resulted in a deletion by the application.

    Christian

  • Hi Christian,

    Thanks for the reply. Is there any Sophos document that states the intent? From your comment, the impression that I got is that the malware got cleaned even before the malware was initiated (run).

    Applying the logic to the logs below.

    2017-10-05T18:45:33.746Z rt="2017-10-05T18:45:33.746Z"; end="2017-10-05T18:45:32.000Z"; severity="low"; duid="xxxxx"; whitelist_properties="{}"; dhost="Renju"; threat="Mal/Sality-B"; endpoint_type="computer"; endpoint_id="xxxxx-xxxx-1xxxx-xxxxxx"; suser="Renju"; group="MALWARE"; customer_id="xxxx-3xxx-9-cxx-xxxxxxx"; type="Event::Endpoint::Threat::Dismissed"; id="xxxx-xxx-xx-dxx-xxx"; name="Malware locally cleared: 'Mal/Sality-B' at '\\renju\theserver\Apps\renjuapp \renjuappptest\Setup_EA.exe'";

     

    User renju copied the .exe file to the laptop but didn't run the setup. Meanwhile Sophos detected it as Mal/Sality-B and the threat was dismissed. The threat dismissed came directly because it was not initiated (the .exe file didn't run).

    If it had been initiated, it would first detect (threat detected) and then follow with either cleaned up or cleanup failed. Is that right?

    So for dismissed, can we rely on the malware not being present anymore on the host?

  • Hello Renju Jacob,

    Most detections (not talking about Intercept X) are pre-execution, the prefix is an indicator. A file is scanned when it is opened for reading or, when scan on write is enabled, closed after writing. In the latter case it's clearly not about to run, even in the former case it's not necessarily opened for execution (e.g. if you display the folder containing the threat in Explorer).

    if [...] initiated
    As said, on-access intercepts an open regardless of its intent, even if it's about to get executed it's not yet loaded and thus not initiated. A cleanup doesn't instantly follow the detection, normally a cleanup routine is dispatched which might also perform an additional limited scan to search for associated items (file system, registry, processes). Under certain conditions the file might disappear before cleanup takes action on it (e.g. the browser deletes it from its cache).

    Not sure what exactly happened in the above case, please check the AV log (SAV.txt) on the laptop (renju, isn't it). What was the source location of the Setup_EA.exe?

    Christian
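Applying the interpretation in this thread to a SIEM feed mechanically: the following is an added example written for this thread, not Sophos or community code. It parses the key="value"; event format quoted above, groups events per host and threat, takes the latest CleanedUp/Dismissed/CleanupFailed event as the outcome, and separately flags the case Renju raised (a Dismissed with no preceding Detected) and the case an analyst must act on (CleanupFailed). The sample log lines are constructed; host names, event ids, paths and the 'name' texts other than "Malware locally cleared" are placeholders, and the verdict labels are this example's own, not Sophos terminology.

```python
"""Triage Sophos Central threat events (Detected / CleanedUp / Dismissed /
CleanupFailed) exported to a SIEM.  Example code written for this thread,
not Sophos code; the sample events below are constructed."""
import re
from collections import defaultdict

# Each event is a sequence of key="value"; pairs, as in the lines quoted above.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

DETECTED = "Event::Endpoint::Threat::Detected"
# Outcome events, mapped to a short outcome code.  Per Christian's reading,
# "Dismissed" means the item is no longer present (e.g. the browser already
# deleted it from its cache before cleanup acted on it).
OUTCOMES = {
    "Event::Endpoint::Threat::CleanedUp": "cleaned",
    "Event::Endpoint::Threat::Dismissed": "dismissed",
    "Event::Endpoint::Threat::CleanupFailed": "failed",
}

# Constructed sample log: host names, ids, paths and threat "Troj/Sample-X"
# are placeholders, not real data.
SAMPLE_LOG = r"""
2017-10-18T04:49:10.000Z rt="2017-10-18T04:49:10.000Z"; dhost="WS01"; threat="Mal/Generic-S"; type="Event::Endpoint::Threat::Detected"; id="ev-1"; name="Malware detected: 'Mal/Generic-S' at 'C:\Users\a\Downloads\setup.exe'";
2017-10-18T04:49:15.000Z rt="2017-10-18T04:49:15.000Z"; dhost="WS01"; threat="Mal/Generic-S"; type="Event::Endpoint::Threat::CleanedUp"; id="ev-2"; name="Malware cleaned up: 'Mal/Generic-S' at 'C:\Users\a\Downloads\setup.exe'";
2017-10-18T04:50:00.000Z rt="2017-10-18T04:50:00.000Z"; dhost="WS02"; threat="JS/FakeAle-SG"; type="Event::Endpoint::Threat::Dismissed"; id="ev-3"; name="Malware locally cleared: 'JS/FakeAle-SG' at 'C:\Users\b\AppData\Local\Cache\f_001d18'";
2017-10-18T04:51:00.000Z rt="2017-10-18T04:51:00.000Z"; dhost="WS03"; threat="Mal/Sality-B"; type="Event::Endpoint::Threat::Detected"; id="ev-4"; name="Malware detected: 'Mal/Sality-B' at 'C:\Apps\Setup_EA.exe'";
2017-10-18T04:51:05.000Z rt="2017-10-18T04:51:05.000Z"; dhost="WS03"; threat="Mal/Sality-B"; type="Event::Endpoint::Threat::CleanupFailed"; id="ev-5"; name="Malware cleanup failed: 'Mal/Sality-B' at 'C:\Apps\Setup_EA.exe'";
2017-10-18T04:52:00.000Z rt="2017-10-18T04:52:00.000Z"; dhost="WS04"; threat="Troj/Sample-X"; type="Event::Endpoint::Threat::Detected"; id="ev-6"; name="Malware detected: 'Troj/Sample-X' at 'C:\Temp\a.dll'";
"""


def parse_event(line):
    """Return the key/value fields of one event line as a dict."""
    return dict(FIELD_RE.findall(line))


def triage(lines):
    """Group events per (host, threat) and derive one verdict per pair.

    Verdicts: 'cleaned', 'dismissed', 'dismissed_without_detected',
    'escalate' (cleanup failed) and 'open' (detected, no outcome yet).
    """
    timeline = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if "type" not in ev:          # skip blank or malformed lines
            continue
        timeline[(ev.get("dhost", "?"), ev.get("threat", "?"))].append(ev)

    verdicts = {}
    for key, events in timeline.items():
        events.sort(key=lambda e: e.get("rt", ""))
        types = [e["type"] for e in events]
        outcomes = [OUTCOMES[t] for t in types if t in OUTCOMES]
        last = outcomes[-1] if outcomes else None   # latest outcome wins
        if last == "failed":
            verdicts[key] = "escalate"
        elif last == "cleaned":
            verdicts[key] = "cleaned"
        elif last == "dismissed":
            # Renju's case: a Dismissed event with no Detected before it.
            verdicts[key] = "dismissed" if DETECTED in types else "dismissed_without_detected"
        elif DETECTED in types:
            verdicts[key] = "open"
        else:
            verdicts[key] = "unknown"
    return verdicts


def needs_attention(verdicts):
    """Keys an analyst should look at: failed cleanups and unresolved detections."""
    return sorted(k for k, v in verdicts.items() if v in ("escalate", "open"))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.strip().splitlines())
    for (host, threat), verdict in sorted(result.items()):
        print(f"{host:6} {threat:16} {verdict}")
    print("needs attention:", needs_attention(result))
```

The "dismissed_without_detected" verdict is not an alarm by itself: as Christian explains, the item can disappear between the on-access intercept and the cleanup routine, and the Dismissed event then records that it is no longer present. It is kept as a separate label so the SIEM can count how often it happens per host and so the local SAV.txt can be consulted where the source of the file is unclear.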
