
Console alert on Linux Machine file copied from a Windows machine

Files flagged as Virus/spyware in Enterprise Console report are files from a Windows Server 2008 R2 machine backed up nightly to a Linux Mint Cinnamon 17.1 machine which is only used for backups.  The files get deleted by the scanner on the Linux machine but the scanner on the Windows machine has no objection to these files.  I have no idea why the scans on the two machines give different results and no idea about how to investigate further. Suggestions please.

  • Hello DavidCluley,

    the scanner is in principle platform-independent. If results are repeatedly not the same then the files are perhaps not scanned at all on the Windows side (different settings, exclusions). It is also thinkable that the backup transforms (compresses) the files (and in addition Scan on write is disabled on the Windows side). I won't totally exclude some odd format/file structure as the reason.
    As the backups are no threat to the Linux side - what happens if you temporarily disable scanning on the Linux side and scan (make sure they are not excluded) the backups from the W2k8?

    So much for general suggestions. Right now the scanner boasts to be able to detect 10,250,049 items - one question is: Is it just one rather specific detection, some similar detections, one or more generic detections, or quite different ones? The other question: Have the affected files something in common, what proportion is affected?

    Christian

  • Hi Christian.

    Thanks for your thoughts. The files concerned are only 5 out of a total of 98 000+ items backed up from the Windows machine. The original files were on an XP machine that suffered a motherboard failure. I put the disk from the XP machine into one of my Windows 2008 Server machines and copied the files across from the XP disk for safety. The XP machine was never reinstated so these on the Windows machine are my primary copies and the Linux machine is the backup. Most of the functionality that my XP machine used to have has now been transferred to a Linux Workstation so even the primary copy on my Windows machine is really only a backup in case I suddenly realise there is something I still need to rescue from the original XP setup.

    The detections show 3 cases of Mal/Generic-S in:

    .../WINDOWS/ServicePackFiles/i386/lang/imjpinst.exe
    .../WINDOWS/Help/Tours/mmTour/tour.exe
    .../Program Files/WinRAR/WinRAR.exe

    1 case of Mal/EncPk-ADK in:

    .../Program Files/Common Files/Microsoft Shared/OFFICE12/RICHED20.DLL

    and 1 case of Mal/Zbot-PA in:

    .../Program Files/Borland/Delphi 3/BIN/dcc32.exe

    So, a minute proportion affected and not an obvious common factor.

    Is there anything else I can tell you to help?

    David Cluley
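    One way to test Christian's hypothesis that the backup step transforms the files (added example, not code from the thread or from Sophos): hash each of David's five flagged files on the primary and backup side and record whether the backup copy is still a raw PE image or has become a compressed container. The root prefixes, the file contents and the `demo()` trees are constructed for the illustration.

```python
# Added example (not from the thread): tests Christian's hypothesis that the
# backup transforms the files. Hashes each flagged file on both sides and notes
# whether the backup copy is still a raw PE image or a compressed container.
# FLAGGED holds David's five paths; root prefixes and contents are constructed.
import gzip, hashlib, os, tempfile

FLAGGED = [
    "WINDOWS/ServicePackFiles/i386/lang/imjpinst.exe",
    "WINDOWS/Help/Tours/mmTour/tour.exe",
    "Program Files/WinRAR/WinRAR.exe",
    "Program Files/Common Files/Microsoft Shared/OFFICE12/RICHED20.DLL",
    "Program Files/Borland/Delphi 3/BIN/dcc32.exe",
]
MAGIC = {b"MZ": "pe", b"\x1f\x8b": "gzip"}   # leading bytes -> container type

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def container(path):
    with open(path, "rb") as f:
        return MAGIC.get(f.read(2), "other")

def compare_trees(primary_root, backup_root, rel_paths):
    """Return {rel_path: (status, backup_container)} for each flagged file."""
    report = {}
    for rel in rel_paths:
        p, b = os.path.join(primary_root, rel), os.path.join(backup_root, rel)
        if not (os.path.isfile(p) and os.path.isfile(b)):
            report[rel] = ("missing", None)
            continue
        status = "identical" if sha256_file(p) == sha256_file(b) else "differs"
        report[rel] = (status, container(b))
    return report

def demo():
    """Constructed trees: backup gzips WinRAR.exe and lacks dcc32.exe."""
    primary, backup = tempfile.mkdtemp(), tempfile.mkdtemp()
    for i, rel in enumerate(FLAGGED):
        data = b"MZ" + bytes([i]) * 64                # constructed PE-like stub
        for root in (primary, backup):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(primary, rel), "wb") as f:
            f.write(data)
        if rel.endswith("dcc32.exe"):
            continue                                  # never reached the backup
        with open(os.path.join(backup, rel), "wb") as f:
            f.write(gzip.compress(data) if rel.endswith("WinRAR.exe") else data)
    return compare_trees(primary, backup, FLAGGED)
```

    A file reported as "differs" with container "gzip" points at the backup job rather than the scanner; "identical" on all five means both engines saw the same bytes and the discrepancy lies in scan settings or exclusions.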
  • Hello David,

    the detections look valid (i.e. not nonsensical, although the one in RICHED20.DLL seems a bit strange). Nevertheless, both sides should agree (neither should the engine on Windows miss them nor the one on Linux be more paranoid than its counterpart).
    I'd suggest that you submit the samples to Labs (be careful that the last copy isn't destroyed); depending on the results, some further investigation on one of the systems might be necessary.

    Christian

  • Thanks Christian.

    I have looked at the instructions for sending samples to Labs. It is a bit late tonight - my brain isn't firing on all cylinders. I'll do it tomorrow when a few more brain cells are operating.

    Thanks for your help

    David
  • The plot thickens. Attempting to follow the instructions I tried accessing the Sophos AV locally on the machine, but an 'unable to connect' page comes up on trying to access localhost:8081. I now find that that page comes up on each of my three Linux machines. Weird - I've not had any trouble with that one before. Enterprise Console reports all three machines as OK and last messages received from them only a few minutes ago, so it isn't a connectivity problem and the AV is active in the sense that it is still reporting to EC.

    David