
Virus DSME keeps appearing on different endpoints with identical location details.

Hello. A strange thing is happening in my Sophos management console (v. 5.4.1). A virus alert appeared some days ago. The item detected was DSME. I couldn't clean it up from the management console, but the strange thing was that the next day the same virus alert was coming from another end-user, and the details of the location of this virus were the same as those of the user from the previous day. Example: pc1 showing DSME virus with location c:\user\user1\appdata\local\google\chrome\userdata\default\cache\f_00316e. The next day pc2 is showing the same alert with the same location, which is not possible because the user from the first endpoint, pc1, never used pc2. It keeps reappearing on different endpoints each day. Did anybody come across something like this? Google couldn't help me. Any suggestions for fixing this are welcome.



This thread was automatically locked due to age.
  • Have you checked to see if the folder structure exists even though the user has never used the computer?

    Respectfully,

    Badrobot


  • Hi badrobot,

    Finally I was able to check the folder structure on the original PC of the user, and the answer is no, the folder structure is different. The last item in the cache is not present. A full PC scan did not find anything, and I'm still getting reports of the virus on different end-users from the non-existing folder structure. IP addresses are different for each end-user (IPs are reserved in DHCP). What I also find a bit strange is that the end-point is always replaced with another endpoint. The list of infected endpoints is not getting bigger. It's always just one PC that shows this DSME virus. I hope I explained it clearly enough.

  • Hello Martin Zmeskal,

    This is, as Bob has mentioned, an Endpoint question. Please join the mentioned group so that this thread can be moved.

    "the end-point is always replaced with another endpoint"
    This suggests that badrobot is right and one or more cloned endpoints are involved. Please check the Computer details: under Items detected, in the History section to the right, there's the Username. This should indicate the computer where the detection actually occurred.

    Christian

  • Hi Christian,

    I have joined the mentioned group, thread can be moved.


    Thanks

  • Hi All,


    Reinstalling Sophos on the end-point with the non-existing folder structure has fixed the problem. I wish I had done it first; it would have saved me a lot of time.

    Thank you all for the previous suggestions.
