
Virus/spyware 'Troj/Badsrc-M

I am getting the following alerts for a few machines:

Virus/spyware 'Troj/Badsrc-M' has been detected in "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\pagefile.sys". Cleanup failed.


I believe this to be a false positive, but am not sure, and further, if it is a false positive I don't know how to make it go away. Any help is greatly appreciated.



  • Hello Kris Mortensen,

    you might occasionally encounter this and a few other (false positive) detections with shadow copies of the pagefile or "database" (e.g. *.edb) files. These can safely be acknowledged. From the console select the affected endpoints, right-click, Resolve alerts and errors ... → select and Acknowledge. Or from the local GUI's Quarantine manager select and Clear from list.

    Christian

  • Thanks for getting back with me! I am hoping for something besides a manual acknowledge; I would be spending a lot more time in the console than I really want to at that point. I see your point about not ignoring them, but at this point they are all false positives and because of that I need to ignore them. Is there a better way to tune the false positives out?

  • Hello,

    not really. Do you have that many alerts? I have some 5000 endpoints and I had not more than a handful of these alerts in the last year. Guess it'd be safe to add an exclusion for the shadow copy (like \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy*\pagefile.sys), can't say if it'd help.

    Christian
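    The following triage script is an added example, not code from this thread or from Sophos. It takes alert lines in the format quoted at the top of the thread, applies the wildcard exclusion Christian suggests (\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy*\pagefile.sys) and reports how many alerts per endpoint that exclusion would cover, so you can judge whether it is worth adding before clicking through the console. It assumes a constructed export format of one alert per line as "endpoint<TAB>message"; the sample lines inside it are constructed, and the only detection name used is the one from the thread.

```python
import fnmatch
import re
from collections import Counter

# Alert text as quoted in the thread: detection name in single quotes,
# path in double quotes, outcome after the closing quote.
ALERT_RE = re.compile(
    r"""Virus/spyware '(?P<name>[^']+)' has been detected in "(?P<path>[^"]+)"\. (?P<outcome>.+)$"""
)

# Candidate exclusion from the thread. Anything matching it is treated as the
# known shadow-copy pagefile false positive; everything else still needs a look.
SHADOW_PAGEFILE_EXCLUSION = r"\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy*\pagefile.sys"

# Constructed sample export (hypothetical "endpoint<TAB>message" format).
SAMPLE_ALERTS = [
    "host01\t" + r"""Virus/spyware 'Troj/Badsrc-M' has been detected in "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\pagefile.sys". Cleanup failed.""",
    "host02\t" + r"""Virus/spyware 'Troj/Badsrc-M' has been detected in "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy12\pagefile.sys". Cleanup failed.""",
    # Live pagefile, not a shadow copy: the exclusion must NOT cover this one.
    "host03\t" + r"""Virus/spyware 'Troj/Badsrc-M' has been detected in "C:\pagefile.sys". Cleanup failed.""",
    # Ordinary file detection: also outside the exclusion.
    "host01\t" + r"""Virus/spyware 'Troj/Badsrc-M' has been detected in "C:\Users\alice\Downloads\invoice.exe". Cleaned up.""",
    "host04\tUpdate succeeded.",   # parses as endpoint + message but is not an alert
    "not an alert line at all",    # no tab separator
]


def parse_alert(line):
    """Split one 'endpoint<TAB>message' line into its fields; return None if it is not an alert."""
    endpoint, sep, message = line.rstrip("\n").partition("\t")
    if not sep:
        return None
    m = ALERT_RE.match(message)
    if not m:
        return None
    return {"endpoint": endpoint, "name": m["name"], "path": m["path"], "outcome": m["outcome"]}


def matches_exclusion(path, pattern):
    """Glob-match a detection path against an exclusion pattern.

    Windows paths are case-insensitive, so both sides are lower-cased before
    matching, which makes the result the same on any OS the script runs on.
    Backslashes are ordinary characters for fnmatch; only '*', '?' and '[' are
    special. Note that '*' also spans backslashes, so the pattern would cover
    deeper paths under the shadow copy as well, not just pagefile.sys at the root.
    """
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def triage(lines, exclusion=SHADOW_PAGEFILE_EXCLUSION):
    """Sort alert lines into those the exclusion would cover and those that still need review."""
    result = {
        "covered": [],
        "needs_review": [],
        "unparsed": [],
        "covered_per_endpoint": Counter(),
    }
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            result["unparsed"].append(line)
            continue
        if matches_exclusion(alert["path"], exclusion):
            result["covered"].append(alert)
            result["covered_per_endpoint"][alert["endpoint"]] += 1
        else:
            result["needs_review"].append(alert)
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_ALERTS)
    print("covered by exclusion per endpoint:", dict(summary["covered_per_endpoint"]))
    for alert in summary["needs_review"]:
        print("REVIEW:", alert["endpoint"], alert["name"], alert["path"], alert["outcome"])
    print("unparsed lines:", len(summary["unparsed"]))
```

    Run it against a real export and look at the "needs_review" list before adding the exclusion: the point of scoping the pattern to the shadow-copy device path is that a detection in the live pagefile or in any other file is still reported, so only the alerts that match the thread's known false positive disappear.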

  • Hi Kris

    Did you ever find a solution to this? I also have this problem