Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 4 subscribers
  • Views 12334 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Not all users catch a malware via Endpoint [Sent from PhishThreat]

Dave Goodrich

Good afternoon,

We ran a new PhishThreat campaign this morning against all employees and we have differing results on how Sophos handled the email.

Some users, me for instance, when clicking the attached document, see that Endpoint refused access to the attachment. Other users are not seeing that and they are allowed to open the attachment, enable editing, and enable macros. Endpoint raises no alerts for them.

When I check the user's device all services are up to date and running. Reports show no malware activity on their machine. On my machine, the malware attachment is detected and stopped and the detection is shown in the logs.

I have searched through the settings and compared the configuration on multiple machines and can find no reason why Endpoint catches the malware on my machine, and not on others.

What am I missing?

DAve



This thread was automatically locked due to age.
  • 0

    Can you provide some logs and screenshots from your computer as to how it was blocked?

    SAV.txt maybe useful - \programdata\sophos\sophos anti-virus\logs\ if it contains reference to the threat.

    Is this mail being received in Outlook, OWA, some other web interface?  I'm curious to know how it was detected on your computer, e.g. was it on-access scanning as the file was written to disk, did it launch a web browser or were you in a web browser and web protection blocked it etc.. 

    This will help me understand which "hook/layer" it was intercepted at to consider possible options.  For example, is it requiring a live lookup to detect it or is it detected with local threat data, etc..

    Regards,

    Jak

  • 0 in reply to jak

    We use a web based email client, Zimbra, throughout the City. The alert is below,

    The sav.txt for today from my machine,

    20171026 202611    Using detection data version 5.44 (detection engine 3.70.2). This version can detect 13980482 items.
    20171027 002613    Using detection data version 5.44 (detection engine 3.70.2). This version can detect 13980521 items.
    20171027 052629    Using detection data version 5.44 (detection engine 3.70.2). This version can detect 13980546 items.
    20171027 134632    Access to location "webmail.greenfieldin.org/.../ was blocked for user GREENFIELDIN\DGoodrich
    20171027 134632    Virus/spyware 'CXweb/DocDl-A' has been detected at "webmail.greenfieldin.org/.../
    20171027 155850    Access to location "webmail.greenfieldin.org/.../ was blocked for user GREENFIELDIN\DGoodrich
    20171027 155850    Virus/spyware 'CXweb/DocDl-A' has been detected at "webmail.greenfieldin.org/.../
    20171027 162626    Using detection data version 5.44 (detection engine 3.70.2). This version can detect 13980573 items.
    20171027 164533    Access to location "webmail.greenfieldin.org/.../ was blocked for user GREENFIELDIN\DGoodrich
    20171027 164533    Virus/spyware 'CXweb/DocDl-A' has been detected at "webmail.greenfieldin.org/.../
    20171027 180117    Access to location "webmail.greenfieldin.org/.../ was blocked for user GREENFIELDIN\DGoodrich
    20171027 180117    Virus/spyware 'CXweb/DocDl-A' has been detected at "webmail.greenfieldin.org/.../
    20171027 190725    Access to location "webmail.greenfieldin.org/.../ was blocked for user GREENFIELDIN\DGoodrich
    20171027 190725    Virus/spyware 'CXweb/DocDl-A' has been detected at "webmail.greenfieldin.org/.../
    20171027 190834    Access to location "webmail.greenfieldin.org/.../ was blocked for user GREENFIELDIN\DGoodrich
    20171027 190834    Virus/spyware 'CXweb/DocDl-A' has been detected at "https://webmail.greenfieldin.org/service/home/~/?auth=co&..."

     

    All of our users are on the same web client, same Sophos policy, same OS version.  Here is the sav.txt for today from another IT office machine that Sophos allows the attachment to be opened.

    20171026 203426    User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
    20171027 003954    Using detection data version 5.44 (detection engine 3.70.2). This version can detect 13980521 items.
    20171027 043939    Using detection data version 5.44 (detection engine 3.70.2). This version can detect 13980546 items.
    20171027 164000    Using detection data version 5.44 (detection engine 3.70.2). This version can detect 13980573 items

     

    Looking through the PhishThreat report for that campaign shows no clear reason why some machines are allowed to open the attachment, and some are not. We are baffled.

    DAve

  • 0 in reply to Dave Goodrich

    Hi Dave,

    Could you raise a support case please, we want to understand what is happening here because you should be seeing consistent results.

    If you can start our "Endpoint Self Help" software on a machine that saw a detection and one that didn't, then select the 'Launch SDU' option, this will collect all the logs up and put them in a zipped folder. If you can go to https://secure2.sophos.com/en-us/support/contact-support.aspx and raise a technical support ticket and provide the logs we can take a proper look at what is happening.

  • 0 in reply to Dave Goodrich

    I'm a little confused as the desktop notification has a local path to the file.  This therefore looks like an on-access detection.

    The sav.txt suggests that they are alerts from web protection.

    I would first check that if you go to:

    http://sophostest.com/eicar/index.html

    you get:


    If you go to:

    http://sophostest.com/malware/index.html

    you get:


    It would be good to confirm that web protection is working on these computers.

    Are all computers using the same OS and web browser version?  What are they?

    Regards,

    Jak

  • 0 in reply to jak

    Jak,

    Yes, I get those warnings on my machine and on one of the machines that allowed the document to be opened. I have run the SDU on my machine and I am running it now on another.

    I have opened a support ticket, #7671690, but getting to it may be a problem. My password for Sophos support does not seem to work this morning. I know I have a login as I have opened support tickets before. I cannot locate the password reset button.

    okta.com and doubleclick are dragging the Sophos site down.

    DAve

  • 0 in reply to Dave Goodrich

    Jak,

    I got into the support case and uploaded the two SDU outputs, but it does not show me that the files are there. Can you check to see if the uploads completed?

     DAve

     ---- Jak, the SDU outputs have been uploaded via FTP. Please let me know if you have access to them.

  • 0 in reply to Dave Goodrich

    I uploaded a list of installed software, OS version, and Office version on some PC that allowed and disallowed the attachment to be opened to the support ftp site yesterday. I thought it might help the techs. They did try to call but our offices close at 4pm DST.  I enabled support on our system as requested.

    No word yet.

    DAve

Unfiltered HTML