
Sophos Doesn't Remove 'C2/Generic-B' but Malwarebytes Does?

I have come across this many times.

We receive an alert that 'C2/Generic-B' was detected but nothing was done.

Run a full Sophos scan and it says it is "Not Cleanable".

In the meantime, the device is likely talking to Russia and sniffing through the computer.

We can then run Malwarebytes and it cleans everything up...

Anyone else experience this? Seems a little counter-productive to me.



This thread was automatically locked due to age.
  • Hello Kyle Parrish,

    first of all, please see the analysis for C2/Generic-B and the Dealing with ... article. You'll notice that the former was last changed almost 2 years ago, the latter one. Note the cautious wording. I've commented on MTD (the underlying component) around the same time.

    in the meantime
    Quite some time has passed from the point of detection until you react; unless the malware is transferring a large customer database or similar, it has already done what it should do. Nevertheless, the first response should be to disconnect the device from the network, at least the WAN. Instead of waiting for the scan to complete, it's the scan that can wait.

    many times
    this begs the question - why many times?
    How come? This kind of malware doesn't spontaneously arise out of nothing.

    Malwarebytes [...] cleans everything up...
    I'm not Sophos, and I'm neither defending Sophos nor disparaging Malwarebytes. If Malwarebytes (it's them who say on their home page "Stop paying for your old, clunky antivirus") constantly does what you need, why don't you use it instead of Sophos? Apparently there is "something"; have you ever tried to obtain a sample and submit it to Sophos?
    Generally one can be more aggressive in case of confirmed or very likely infections. Some vendors refrain from releasing specialized tools or detections in response to "popular" threats, others have a different approach. Each strategy has its pros and cons.

    Christian
