
SEC - PUA exceptions not working?

We constantly have warnings about remcomsvc.exe.

We know the software so it's a bit of a false positive for us. So to save alerts, we placed exceptions under antivirus (C:\Windows\System32\RemComSvc.exe) and also authorized the PUA RemCom under Authorization.

We still keep getting email alerts from loads of our clients. It looks like the exceptions we put in don't work. Any ideas?


regards,

Louis

  • Hi  

    I am also interested to know whether exclusions are not working on a few of the devices or it's not working on any of the devices. Please make sure that all the devices have been updated with the latest policy push from enterprise console.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Email alerts below (on-access & weekly scan):

    User: OURDOMAIN\ouruser
    Scan: On-access
    Machine: PC696

    File "C:\Windows\System32\RemComSvc.exe" belongs to adware or PUA 'RemCom' (of type Other).


    User: NT AUTHORITY\SYSTEM
    Scan: Weekly Scan (WEDS 0100hrs)
    Machine: PC646

    File "C:\Windows\SysWOW64\RemComSvc.exe" belongs to adware or PUA 'RemCom' (of type Other).

    Adware or PUA 'RemCom' has been detected.

  • Hi  

    Please suggest on my previous question whether you are receiving alerts for a few systems or all the systems. 

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Hello Louis-M,

    first of all, you shouldn't use exclusions unless the integrity of the files is sufficiently safeguarded by some other means or the exclusion is absolutely necessary. Authorization is the proper way.

    I haven't seen that exclusions or authorizations aren't honoured (BTW: on-access and on-demand/scheduled scans have independent exclusions). The affected endpoints do comply with the AV&HIPS policy?

    Christian 

  • The exclusions were put in as an attempt to stop the alerts. I didn't think we needed them at the time but put them in to see if they made any difference. I've now taken them out.

    So all that we have is the authorisation enabled as shown.

    The PCs affected (and there are more) do comply with the policy set.
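A small triage helper, added here as an example and not part of this thread or of Sophos's software, that parses alert text in the format quoted above and checks each alert against assumed per-scan-type exclusion lists (on-access and scheduled scans keep independent exclusions, as Christian notes). It separates alerts whose path is already excluded for that scan type, which points at the policy not having reached that endpoint, from paths that no exclusion covers, such as the SysWOW64 copy when only the System32 path was excluded.

```python
import re

# Constructed sample in the alert format quoted in this thread (not real telemetry).
ALERTS = r"""
User: OURDOMAIN\ouruser
Scan: On-access
Machine: PC696

File "C:\Windows\System32\RemComSvc.exe" belongs to adware or PUA 'RemCom' (of type Other).

User: NT AUTHORITY\SYSTEM
Scan: Weekly Scan (WEDS 0100hrs)
Machine: PC646

File "C:\Windows\SysWOW64\RemComSvc.exe" belongs to adware or PUA 'RemCom' (of type Other).
"""

# Assumed exclusion lists, kept separately per scan type because on-access and
# scheduled scans use independent exclusions; only the System32 path is excluded,
# and only for on-access, mirroring what the original poster configured.
EXCLUSIONS = {
    "on-access": {r"c:\windows\system32\remcomsvc.exe"},
    "scheduled": set(),
}

ALERT_RE = re.compile(
    r"User: (?P<user>[^\n]+)\s*Scan: (?P<scan>[^\n]+)\s*Machine: (?P<machine>[^\n]+)\s*"
    r"File \"(?P<path>[^\"]+)\" belongs to adware or PUA '(?P<pua>[^']+)'"
)

def parse_alerts(text):
    """Extract one dict per alert block from pasted e-mail alert text."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

def scan_kind(scan):
    """Map the 'Scan:' field onto the exclusion list that applies to it."""
    return "on-access" if scan.lower().startswith("on-access") else "scheduled"

def classify(alerts, exclusions):
    """Split alerts into (covered, uncovered): covered paths are already excluded
    for that scan type yet still alert, uncovered paths have no matching exclusion."""
    covered, uncovered = [], []
    for a in alerts:
        kind = scan_kind(a["scan"])
        entry = (a["machine"], kind, a["path"])
        (covered if a["path"].lower() in exclusions[kind] else uncovered).append(entry)
    return covered, uncovered

if __name__ == "__main__":
    cov, uncov = classify(parse_alerts(ALERTS), EXCLUSIONS)
    print("covered but still alerting:", cov)
    print("not covered by any exclusion:", uncov)
```

Paste the full set of alert e-mails into ALERTS and count distinct machines in the output to answer whether a few endpoints or all of them are affected.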
