Not all users catch a malware via Endpoint [Sent from PhishThreat]

Good afternoon,

We ran a new PhishThreat campaign this morning against all employees and we have differing results on how Sophos handled the email.

Some users, me for instance, when clicking the attached document, see that Endpoint refused access to the attachment. Other users are not seeing that and they are allowed to open the attachment, enable editing, and enable macros. Endpoint raises no alerts for them.

When I check the user's device all services are up to date and running. Reports show no malware activity on their machine. On my machine, the malware attachment is detected and stopped and the detection is shown in the logs.

I have searched through the settings and compared the configuration on multiple machines and can find no reason why Endpoint catches the malware on my machine, and not on others.

What am I missing?

DAve

  • Can you provide some logs and screenshots from your computer as to how it was blocked?

    SAV.txt maybe useful - \programdata\sophos\sophos anti-virus\logs\ if it contains reference to the threat.

    Is this mail being received in Outlook, OWA, some other web interface?  I'm curious to know how it was detected on your computer, e.g. was it on-access scanning as the file was written to disk, did it launch a web browser or were you in a web browser and web protection blocked it, etc.

    This will help me understand which "hook/layer" it was intercepted at to consider possible options.  For example, is it requiring a live lookup to detect it or is it detected with local threat data, etc.

    Regards,

    Jak

  • We use a web based email client, Zimbra, throughout the City. The alert is below,

    The sav.txt for today from my machine,

    20171026 202611    Using detection data version 5.44 (detection engine 3.70.2). This version can detect 13980482 items.
    20171027 002613    Using detection data version 5.44 (detection engine 3.70.2). This version can detect 13980521 items.
    20171027 052629    Using detection data version 5.44 (detection engine 3.70.2). This version can detect 13980546 items.
    20171027 134632    Access to location "webmail.greenfieldin.org/.../ was blocked for user GREENFIELDIN\DGoodrich
    20171027 134632    Virus/spyware 'CXweb/DocDl-A' has been detected at "webmail.greenfieldin.org/.../
    20171027 155850    Access to location "webmail.greenfieldin.org/.../ was blocked for user GREENFIELDIN\DGoodrich
    20171027 155850    Virus/spyware 'CXweb/DocDl-A' has been detected at "webmail.greenfieldin.org/.../
    20171027 162626    Using detection data version 5.44 (detection engine 3.70.2). This version can detect 13980573 items.
    20171027 164533    Access to location "webmail.greenfieldin.org/.../ was blocked for user GREENFIELDIN\DGoodrich
    20171027 164533    Virus/spyware 'CXweb/DocDl-A' has been detected at "webmail.greenfieldin.org/.../
    20171027 180117    Access to location "webmail.greenfieldin.org/.../ was blocked for user GREENFIELDIN\DGoodrich
    20171027 180117    Virus/spyware 'CXweb/DocDl-A' has been detected at "webmail.greenfieldin.org/.../
    20171027 190725    Access to location "webmail.greenfieldin.org/.../ was blocked for user GREENFIELDIN\DGoodrich
    20171027 190725    Virus/spyware 'CXweb/DocDl-A' has been detected at "webmail.greenfieldin.org/.../
    20171027 190834    Access to location "webmail.greenfieldin.org/.../ was blocked for user GREENFIELDIN\DGoodrich
    20171027 190834    Virus/spyware 'CXweb/DocDl-A' has been detected at "https://webmail.greenfieldin.org/service/home/~/?auth=co&..."

    All of our users are on the same web client, same Sophos policy, same OS version.  Here is the sav.txt for today from another IT office machine that Sophos allows the attachment to be opened.

    20171026 203426    User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
    20171027 003954    Using detection data version 5.44 (detection engine 3.70.2). This version can detect 13980521 items.
    20171027 043939    Using detection data version 5.44 (detection engine 3.70.2). This version can detect 13980546 items.
    20171027 164000    Using detection data version 5.44 (detection engine 3.70.2). This version can detect 13980573 items

    Looking through the PhishThreat report for that campaign shows no clear reason why some machines are allowed to open the attachment, and some are not. We are baffled.

    DAve

  • Hi Dave,

    Could you raise a support case please? We want to understand what is happening here, because you should be seeing consistent results.

    If you can start our "Endpoint Self Help" software on a machine that saw a detection and on one that didn't, then select the 'Launch SDU' option; this will collect all the logs and put them in a zipped folder. If you can then go to https://secure2.sophos.com/en-us/support/contact-support.aspx, raise a technical support ticket and provide the logs, we can take a proper look at what is happening.
