
powershell virus

Dear All,

Virus detected by Symantec that uses PowerShell and takes almost 100% CPU. Nothing detected by Sophos.

I stop the PowerShell process and it comes back again later.

Anything I can do to clean this virus?

Thanks a lot!

Chuck


  • Hi Chuck,

    I work in the malware support team in Sophos. I can see you have been getting a lot of useful advice already. I can't see any reference to using the Microsoft Autoruns tool though; this tool will provide you with a list of everything that is set to load when you boot the machine, including scheduled tasks and entries in the WMI database, both of which are commonly used in these types of cryptojacking attacks at the moment.

    If you could raise a support case with us and then send me the case number, I can give you instructions to collect and provide me the logs. Once I have found what is causing it we can publish the information here for others, removing all data that relates to you of course.
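As an added illustration of the two persistence locations mentioned in the reply above (WMI database entries and scheduled tasks), the following read-only PowerShell listing is not from the thread and not a Sophos tool; it uses only built-in cmdlets and simply prints entries that an admin should review by hand. The "REVIEW" flag heuristics (encoded commands, download cradles) are an assumption about what typically looks suspicious, not a detection rule from any product.

```powershell
# Added example (not from the thread): read-only listing of two persistence
# locations commonly abused by PowerShell-based cryptominers. Run in an
# elevated session; it only reports, it removes nothing.

# 1. WMI permanent event subscriptions in root\subscription. A binding of an
#    __EventFilter to a CommandLineEventConsumer that starts powershell.exe is
#    rarely legitimate on a workstation and survives reboots and process kills.
$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
$consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

# Assumed heuristic: flag encoded commands and in-memory download cradles.
$suspicious = '(?i)-e(nc|ncodedcommand)?\s|DownloadString|Invoke-Expression|\bIEX\b'

foreach ($b in $bindings) {
    # Filter/Consumer are reference strings such as '__EventFilter.Name="x"'
    $fName = ($b.Filter   -split '"')[1]
    $cName = ($b.Consumer -split '"')[1]
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName
    if ($null -ne $c) {
        [pscustomobject]@{
            Type    = 'WMI subscription'
            Name    = $cName
            Trigger = $f.Query
            Command = $c.CommandLineTemplate
            Flag    = if ($c.CommandLineTemplate -match $suspicious) { 'REVIEW' } else { '' }
        }
    }
}

# 2. Scheduled tasks whose action launches powershell.exe.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        # Only MSFT_TaskExecAction objects carry Execute/Arguments.
        if ($a.Execute -match '(?i)powershell') {
            [pscustomobject]@{
                Type    = 'Scheduled task'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Trigger = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                Command = "$($a.Execute) $($a.Arguments)"
                Flag    = if ($a.Arguments -match $suspicious) { 'REVIEW' } else { '' }
            }
        }
    }
}
```

Pipe the whole script into `Format-Table -AutoSize -Wrap` to read long command lines; Autoruns shows the same entries under its WMI and Scheduled Tasks tabs.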

  • Why can't Sophos simply do what other antivirus products are doing by default? Detect them.

    After spending so much money on you, why do you want us to sit with you and research again from scratch?

  • Sadly no solution can provide 100% protection, however many layers you add, so dealing with malware manually to obtain samples and remove modifications will always be required, unless you're happy to re-image on any infection. But even then it's important to learn as much as possible about what happened, to know if other devices are involved. I think you have to take the stance that at some point you will be infected, and the question is then what solutions/procedures you have to speed up detection and determine what happened.

    It may well be that a computer was infected before you installed a solution, in which case maybe only a few components are detected; others may need to be removed by hand. If the solution wasn't in place when the malware was run, the solution didn't have the chance to record events and observe the behaviour to convict on. This is another scenario, but it helps to understand the layers of a security solution.

    Malware is a bit like someone breaking into your house, re-arranging all the furniture and hiding some bedbugs. Without a reference (a malware sample might do) to where everything was, it's hard to put everything back and maybe hard to find all components. As some of the components of the malware might not be inherently malicious, it may be hard to classify some components in isolation. For example, malware could drop a PowerShell script to simply ping a server as part of a bigger solution. The script in itself doesn't do anything malicious, and it could be a one-liner, so it is hard to write specific detection for. In this case, it might only be part of a cleanup rule if it was found in the presence of a primary marker, but if that is gone then the cleanup wouldn't work, so you could get left with remnants of the infection which are benign but unexpected.

    Clearly, if you find yourself dealing with infection after infection despite running Sophos in line with best practice, something is amiss, and it would be worth reviewing the attack vector to see why and how it bypassed the defence for that channel in.

    Regards,
    Jak

  • Hello Santhosh Battar,

    "what other Antivirus are doing by default. Detect them" [emphasis mine]
    There's no detection by default. If ever an AV vendor could come up with a solution that detects unknown threats by default, this would be the end of both malware and the AV industry.
    How do you think detections are "manufactured"? A bunch of nerds and geeks mulling over the next great detection to invent and, after it has been implemented, impatiently waiting for a matching threat to be written? Or by reverse-engineering another vendor's detections and adding them to one's own product (or what do you mean by "research again from the scratch")?

    Christian