Sophos XG and AP/APX users may experience issues registering to Sophos Central. More info available here: XG Firewall - Central Wireless
We'd love to hear about it! Click here to go to the product suggestion community
Hi, in my sophos central i find a pc with STATUS - Security Health - Running malware in quarantine or cleanup failure but in the event log are present only this warning/error entry:
Nov 20, 2018 12:13 PM Running malware locally cleared: 'HPmal/Crusher-N' at 'C:\Windows\SysWOW64\cmd.exe' Nov 20, 2018 12:13 PM Running malware detected: 'HPmal/Crusher-N' at 'C:\Windows\SysWOW64\cmd.exe'
There aren't other warning.
What should I do to solve the problem?
Hi Fonderia Corra
This event says that the malware is detected and cleared. Hence I would consider that the endpoint is safe right now. I would still suggest running a full scan on the endpoint just to be sure.
In reply to Adithyan Thangaraj:
Hi Adithyan Thangaraj,
the computer status in sophos central still be critical. How reset or resolve this status?
In reply to Fonderia Corra:
Thank you for your kind response. First, we have to identify whether this is a reporting issue or the endpoint still has a running malware in quarantine. To determine that, Please DM me with screenshot of its status in Central and also a screenshot of the endpoint status from the computer itself. Based on the result, we can proceed further with different steps towards resolution.
Has anything come of this? I have this same warning and after scanning it with Sophos and Malwarebytes, it is still showing Critical in Sophos Central. With it being in the SysWOW64 I don't assume I can just delete it.
In reply to Daniel Smith4:
Consider running Microsoft Autoruns to see if there are any unusual programs that are running automatically, and is triggering the detection.
Sometimes it's a scheduled task that is running a script that seems unusual but may be causing behavior that is malicious and is triggering a detection.
For more information on MS Autoruns I recommend you read the official article here: https://technet.microsoft.com/en-gb/sysinternals/bb963902.aspx.
Once you have located the process that is running some script that seems unusual, you can send the script sample or so that is being run to Sophos Labs for further review, and remove this from your machine. Once done, do another system scan to see if something is still being detected.