Virus DSME keeps appearing on different endpoints with identical location details.

Hello. A strange thing is happening in my Sophos management console (v. 5.4.1). A virus alert appeared some days ago. The item detected was DSME. I couldn't clean it up from the Management console, but the strange thing was that the next day the same virus alert was coming from another end user, and the location details of this virus were the same as those of the user from the previous day. Example: pc1 shows the DSME virus with location c:\user\user1\appdata\local\google\chrome\userdata\default\cache\f_00316e. The next day pc2 shows the same alert with the same location, which is not possible because the user from the first endpoint pc1 never used pc2. It keeps reappearing on different endpoints each day. Did anybody come across something like this? Google couldn't help me. Any suggestions for fixing this are welcome.

  • Have you checked to see if the folder structure exists even though the user has never used the computer?

  • In reply to badrobot:

    Yes, I have checked and the folder structure doesn't exist on the endpoint. It only appears in the management console.

  • In reply to Andrea131 King:

    Hmm, did any of these computers get cloned from another or possibly have an IP address swap? Just trying to think outside the box as to why Sophos would potentially see them as the same computer.

  • Hallo Martin - welcome to the UTM Community!

    You might get more people familiar with this issue in the Endpoint Security and Control Community.

    Cheers - Bob

  • In reply to badrobot:

    Hi badrobot,


    Finally I was able to check the folder structure on the original PC of the user, and the answer is no, the folder structure is different. The last item in the cache is not present. A full PC scan did not find anything, and I'm still getting reports of the virus on different end users from the non-existing folder structure. IP addresses are different for each end user (IPs are reserved in DHCP). What I also find a bit strange is that the endpoint is always replaced with another endpoint. The list of infected endpoints is not getting bigger; it's always just one PC that shows this DSME virus. I hope I explained it clearly enough.

  • In reply to Martin Zmeskal:

    Hello Martin Zmeskal,

    This is, as Bob has mentioned, an Endpoint question. Please join the mentioned group so that this thread can be moved.

    the end-point is always replaced with another endpoint
    This suggests that badrobot is right and one or more cloned endpoints are involved. Please check the Computer details: under Items detected in the History section, to the right there's the Username. This should indicate the computer where the detection actually occurred.

    Christian

  • In reply to QC:

    Hi Christian,

    I have joined the mentioned group; the thread can be moved.


    Thanks

  • In reply to Martin Zmeskal:

    Hi All,


    Reinstalling Sophos on the endpoint with the non-existing folder structure has fixed the problem. I wish I had done it first; it would have saved me a lot of time.

    Thank you all for the previous suggestions.