This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Daily detection notifications on AppData\Local\Temp files - Can't remove...

Hi

I keep getting regular Adware detection notifications from 2 of our workstations.  Both were clean Windows 7 installations.  The initial detections occurred during the initial sync of Google Drive.  Everyday I perform clean ups on the affected workstations but then only a few hours later they are detected again.  Even if I authorise the detection another similar temp file flags up again.

Computer name LT-LEWISSA
Computer description
Operating system Windows 7
Service pack Service Pack 1
Domain/workgroup SCHOOL
IP address 
Sophos Anti-Virus version 10.3.15 VE3.63.0
HIPS rules 10.3.178.1
HIPS configuration 1.0.65.1
Detection data 5.25
On-access scanning Active
Anti-virus and HIPS policy
Last scheduled scan completed
Last message received from computer 17/03/2016 08:17:48
Up to date Not since 17/03/2016 01:27:44
Updating policy
Time installed package became available 15/03/2016 10:56:08
Time next package became available 17/03/2016 00:27:44
Primary update server \SophosUpdate\CIDs\S000\SAVSCFXP\
Secondary update server
Client firewall enabled
Client firewall policy
Client firewall version
Client firewall mode
Sophos NAC policy
Compliance Agent (NAC) version
Sophos NAC compliance assessment
Application control policy
Application control on-access scanning Inactive
Data control scanning status Inactive
Device control scanning status Active
Data control policy compliance
Device control policy compliance
Full disk encryption
Encrypted volumes
Unencrypted volumes
Full disk encryption policy
Encryption agent version
Hardware encryption
Power-on authentication enabled
Wake on LAN enabled
Tamper protection status Inactive
Tamper protection policy compliance
Patch assessment
Patch policy
Patch agent version
Web control status Inactive
Web control policy
Group \Unassigned

Outstanding alerts and errors

Items detected Date/time first detectedType Cleanup status Name Sub-type Details File version
17/03/2016 08:17:47 Adware or PUA Cleanable 4Share DownloaderOther C:\Users\REMOVED\AppData\Local\Temp\tmprssilj

History

Items detected Date/time Type Name Sub-type Details File version Action taken Username


17/03/2016 08:17:47 Adware or PUA 4Share DownloaderOther C:\Users\REMOVED\AppData\Local\Temp\tmprssilj Blocked SCHOOL\*******
16/03/2016 09:56:20 Adware or PUA 4Share DownloaderOther C:\Users\REMOVED\AppData\Local\Temp\tmptawc4b Removed from quarantine listNT AUTHORITY\SYSTEM
16/03/2016 09:21:24 Adware or PUA 4Share DownloaderOther C:\Users\REMOVED\AppData\Local\Temp\tmptawc4b Blocked SCHOOL\******** 
15/03/2016 15:28:53 Adware or PUA 4Share DownloaderOther C:\Users\REMOVED\AppData\Local\Temp\tmprqzrys Removed from quarantine listNT AUTHORITY\SYSTEM
15/03/2016 15:24:22 Adware or PUA 4Share DownloaderOther C:\Users\REMOVED\AppData\Local\Temp\tmprqzrys Blocked SCHOOL\*******

I haven't got the information from the second workstation however I do remember that the apparent detections were reported as 'SoftPulse' and they were again in AppData\Local\Temp

Our Sophos Enterprise Console product version is: 5.2.0.644

Our Sophos Endpoint Security and Control version is: 10.3

We are using Windows 7 Professional X64 SP1

Please can anybody help?

Kind Regards

Tom



This thread was automatically locked due to age.
Parents
  • Hello Tom,

    seems the PUA is on the drive, it's detected in the item in \Temp\ and blocked. Likely it's not actually synchronized. The Removed from quarantine list is probably in response to the Cleanup request and suggests that the item is no longer there (perhaps the sync cleans up). Naturally this sequence will be repeated with every sync. As long as the PUA resides in the cloud you can't get rid of it with the local AV.

    authorise the detection
    what exactly did you do? For PUA you authorize a certain application, i.e. all items which are detected as belonging to this PUA. Thus if you authorize, say,  SoftPulse you should no longer get a detection for it (on endpoints which have this AV policy assigned of course).

    Christian

  • Hi Christian

    Thank you for taking your time to reply.

    I have attempted a one off authorisation (under the clean up windows) and the infection comes back.  I then later added '4share downloader' and 'SoftPulse' to the list of authorised PUA/Adware list.  The latter did resolve the issues of recurring notifications but I'm concerned that I'm weakening my endpoint protection.

    Can you explain why, if the infected file is in the cloud, that the file appears to be in the Temp folder within AppData, rather than C:\users\%username%\Google Drive ?

    Thank you once again

    Kind Regards

    Tom

  • Hello Tom,

    a one off authorisation (under the clean up windows)
    on the endpoint (client)?

    I'm weakening my endpoint protection
    Now, PUA is not malicious in the narrower sense. It can be (more than) a nuisance for the user, it might be something you don't want on your network (for productivity or legal reasons), it might  be something legitimate which could be abused or a sign of abuse (like the NirSoft suite or some of the PsTools). Yes, there is an additional risk - how big depends on the specific application. And I've seen some PUAs that managed to get "promoted" to the Mal/ and Troj/ categories.

    why [...] in the Temp folder?
    I'm not familiar with the Google Drive client, but guess it does some decoding and verification before writing the file to its final destination.

    Christian

Reply
  • Hello Tom,

    a one off authorisation (under the clean up windows)
    on the endpoint (client)?

    I'm weakening my endpoint protection
    Now, PUA is not malicious in the narrower sense. It can be (more than) a nuisance for the user, it might be something you don't want on your network (for productivity or legal reasons), it might  be something legitimate which could be abused or a sign of abuse (like the NirSoft suite or some of the PsTools). Yes, there is an additional risk - how big depends on the specific application. And I've seen some PUAs that managed to get "promoted" to the Mal/ and Troj/ categories.

    why [...] in the Temp folder?
    I'm not familiar with the Google Drive client, but guess it does some decoding and verification before writing the file to its final destination.

    Christian

Children
  • Hi Christian

    In answer to your first question: I have in the past authorised (I know think it's called 'acknowledge) the temp file.  I do so from the Enterprise console though.

    I think you're probably right.  If Google drive is writing to a temp folder before then writing to it's final destination.  Sophos then blocks the temp file before the file is written.  I guess next time Google drive syncs the process repeats.  I'll have a search through their cloud and see if I can see anything that stands out.

    Thanks Christian

    Kind Regards

    Tom

  • Hello Tom,

    it's called 'acknowledge [...] from the console
    just to clarify: The only way to authorize something from the console is by editing the Anti-Virus and HIPS policy, button Authorization ....
    Acknowledge is just this, it marks an alert as acknowledged - neither does it act on the item, nor change what's listed in the local Quarantine Manager, nor does it influence future detections. Please note that Authorization behaves differently for PUAs (it's per application, i.e. everything detected as belonging to this application is authorized - "version insensitive" but it might fail to recognize a newer version)  and the other items (the checksum is also recorded, thus if you authorize a certain suspicious setup.exe it won't apply to other setup.exes).

    Christian