
Spotty.exe (Helper for Squeezebox) new Spotify protocol detected as virus

Hi, I need to install a new way to stream Spotify to my Squeezebox players due to changes that Spotify is implementing.

There is a solution that consists of installing a plugin from a third party. The plugin runs OK on Linux, but on Windows my Sophos Endpoint says it is a virus.

This is the message I receive:

20170724 010917 On-access scanner has denied access to location "C:\ProgramData\Squeezebox\Cache\InstalledPlugins\Plugins\Spotty\Bin\MSWin32-x86-multi-thread\spotty.exe"
20170724 010917 File "C:\ProgramData\Squeezebox\Cache\InstalledPlugins\Plugins\Spotty\Bin\MSWin32-x86-multi-thread\spotty.exe" belongs to virus/spyware 'Mal/EncPk-ZC'.

This is the version I'm running:

Endpoint security and control = 11.0.11 UTM
Support reference = 1.0.462

Appreciate your help to verify whether the file is definitely a virus or this is a false positive.


Thanks very much in advance for your help



  • Hi,

    There are a few things you can do from here:

    Submit a sample of the file (C:\ProgramData\Squeezebox\Cache\InstalledPlugins\Plugins\Spotty\Bin\MSWin32-x86-multi-thread\spotty.exe) to SophosLabs: https://community.sophos.com/kb/en-us/11490. You will get a response advising whether this is or isn't a false positive. If it is a false positive the detection data will be updated and you're fixed.

    This process shouldn't take long.

    If you want/need to do something in the short term you could:

    Upload the file to https://www.virustotal.com/. If the consensus is that the file is safe you could make an exclusion in SAV for the file.

    This could be the full path:
    C:\ProgramData\Squeezebox\Cache\InstalledPlugins\Plugins\Spotty\Bin\MSWin32-x86-multi-thread\spotty.exe
    or just
    spotty.exe 

    The first being more secure/specific.

    Once the Labs have updated the detection you can remove the exclusion.

    Obviously making the exclusion before SophosLabs has given you feedback carries some risk but this could be mitigated by the VirusTotal scan.  

    I hope this helps you make a decision.

    Regards,

    Jak
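
A scripted version of the triage Jak describes, added here as an example; it is not code from the thread, from Sophos or from the Spotty project. It parses the Sophos on-access log lines quoted in the question, lists the two exclusion forms (full path first, since it is scoped to one file), and scores a VirusTotal-style per-engine report the way a later reply does ("60 out of 62 engines clean"). The log sample and the engine report are constructed inline; the report layout (engine name to category/result) is an assumption modelled on VirusTotal's per-engine results, not data fetched from the service, and the "generic name" markers are a heuristic indicator only, never a verdict.

```python
"""Scripted false-positive triage for a Sophos Endpoint on-access detection.

Added example, not code from the thread or from Sophos. It (1) parses the
on-access log lines quoted in the question, (2) lists the exclusion forms
Jak describes with the full path first because it is the more specific,
and (3) scores a VirusTotal-style per-engine report the way the later
reply does ("60 out of 62 engines found it to be clean"). SAMPLE_SAV_LOG
and SAMPLE_VT_REPORT are constructed here; the report layout
(engine -> {"category", "result"}) is an assumption modelled on
VirusTotal's per-engine results, not data fetched from the service.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: the two log lines from the original post plus one
# unrelated line, to show that the parser ignores events it does not know.
SAMPLE_SAV_LOG = r"""
20170724 010917 On-access scanner has denied access to location "C:\ProgramData\Squeezebox\Cache\InstalledPlugins\Plugins\Spotty\Bin\MSWin32-x86-multi-thread\spotty.exe"
20170724 010917 File "C:\ProgramData\Squeezebox\Cache\InstalledPlugins\Plugins\Spotty\Bin\MSWin32-x86-multi-thread\spotty.exe" belongs to virus/spyware 'Mal/EncPk-ZC'.
20170724 010918 Scan completed with no further detections.
"""

LOG_LINE_RE = re.compile(r"^(?P<date>\d{8}) (?P<time>\d{6}) (?P<msg>.*)$")
DENIED_RE = re.compile(r'denied access to location "(?P<path>[^"]+)"')
DETECTION_RE = re.compile(
    r"""File "(?P<path>[^"]+)" belongs to virus/spyware '(?P<name>[^']+)'""")

# Substrings that in many vendors' naming schemes mark a generic, heuristic
# or packer-based detection rather than a specific family. A hit only makes
# a false positive plausible; it does not show the file is safe.
GENERIC_MARKERS = ("EncPk", "Generic", "Heur", "Packed", "Susp")


@dataclass(frozen=True)
class SavEvent:
    timestamp: str      # "YYYYMMDD HHMMSS" exactly as the log writes it
    kind: str           # "denied" (access blocked) or "detection" (named)
    path: str           # Windows path of the file concerned
    name: str | None    # detection name, only for "detection" events


def parse_sav_log(text: str) -> list[SavEvent]:
    """Extract denied-access and detection events from on-access log text."""
    events: list[SavEvent] = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        stamp = f"{m['date']} {m['time']}"
        msg = m["msg"]
        if d := DETECTION_RE.search(msg):
            events.append(SavEvent(stamp, "detection", d["path"], d["name"]))
        elif d := DENIED_RE.search(msg):
            events.append(SavEvent(stamp, "denied", d["path"], None))
    return events


def exclusion_candidates(path: str) -> list[str]:
    """Exclusion strings in order of preference: the full path covers one
    file only, the bare filename would also exclude any other file so named."""
    return [path, PureWindowsPath(path).name]


def vt_consensus(report: dict[str, dict[str, str | None]]) -> dict:
    """Count engines that flag the sample and collect their detection names."""
    flagged = {eng: r["result"] for eng, r in report.items()
               if r["category"] in ("malicious", "suspicious")}
    return {"engines": len(report), "flagged": len(flagged),
            "clean": len(report) - len(flagged), "names": flagged}


def false_positive_indicators(consensus: dict) -> list[str]:
    """Cheap indicators that justify submitting a sample and a scoped,
    temporary exclusion. They are not a conclusion that the file is safe."""
    notes = []
    if consensus["flagged"] <= 2 and consensus["engines"] >= 20:
        notes.append(f"only {consensus['flagged']} of {consensus['engines']} engines flag it")
    for eng, name in consensus["names"].items():
        if name and any(mark in name for mark in GENERIC_MARKERS):
            notes.append(f"{eng}: '{name}' looks like a generic/packer heuristic name")
    return notes


# Constructed report: 62 engines, two of which flag the file. "Sophos" and
# its result come from the thread; "ExampleEngine" and its result are
# placeholders, not a real vendor or detection name.
SAMPLE_VT_REPORT = {f"CleanEngine{i:02d}": {"category": "undetected", "result": None}
                    for i in range(60)}
SAMPLE_VT_REPORT["Sophos"] = {"category": "malicious", "result": "Mal/EncPk-ZC"}
SAMPLE_VT_REPORT["ExampleEngine"] = {"category": "suspicious", "result": "Heur.Packed.Placeholder"}

if __name__ == "__main__":
    for ev in parse_sav_log(SAMPLE_SAV_LOG):
        print(ev.timestamp, ev.kind, ev.name or "", ev.path)
        if ev.kind == "detection":
            print("  exclusion candidates:", exclusion_candidates(ev.path))
    c = vt_consensus(SAMPLE_VT_REPORT)
    print(f"{c['clean']} of {c['engines']} engines clean; flagged by {sorted(c['names'])}")
    for note in false_positive_indicators(c):
        print("  indicator:", note)
```

The output of the indicators is meant to decide what to do next, not whether the file is clean: a low engine count plus a generic packer-style name is exactly the situation where the thread's advice applies (submit the sample to the vendor, use the full-path exclusion rather than the bare filename while you wait, and remove the exclusion once detection data is updated).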

  • Hi Jak, thanks for the info.

    I did the check on VirusTotal and it shows that Sophos is detecting it as a virus (see the report attached).

    I tried to add the exception for the path and for the file, and Sophos keeps deleting it.

    Appreciate your help on what other steps I should take.

    Thanks in advance for your kind help.

    Cheers

    Attachment: Spotty scan at Virustotal.pdf


  • Given that report, I think I would stop the SAVService and send the file to Sophos Labs using the form I previously mentioned.

    Labs should fix this pretty quickly given the sample.

    Regards,

    Jak

  • Hi, sorry for the late reply.

    I did upload to Sophos using the form but no news yet.

    Is there something else I can do?

    Thanks in advance for your help.

    Cheers

  • I have this same problem. It has also been submitted to Sophos as a false positive by Michael Herger (user mherger), who supports this exe file, but it is still detected as a false positive.

    On 1st September 2017...

    Malware cleaned up: 'Mal/EncPk-ZC' at 'C:\Users\Robert\Downloads\Spotty\Spotty\Bin\MSWin32-x86-multi-thread\spotty.exe'

    There seems to be no way around this!

    Any help appreciated.


  • Well in the meantime, you could make a file exclusion for spotty.exe or probably more secure, include the full path, i.e.:
    C:\Users\Robert\Downloads\Spotty\Spotty\Bin\MSWin32-x86-multi-thread\spotty.exe

    This is assuming it is a false positive.  

    Uploading the file/hash to https://www.virustotal.com/#/home/upload might give you some confidence if it is or isn't. You may need to disable on-access scanning or make the file exclusion in order to make the submission.


  • jak said:

    Well in the meantime, you could make a file exclusion for spotty.exe or probably more secure, include the full path, i.e.:
    C:\Users\Robert\Downloads\Spotty\Spotty\Bin\MSWin32-x86-multi-thread\spotty.exe

    This is assuming it is a false positive.  

    Uploading the file/hash to https://www.virustotal.com/#/home/upload might give you some confidence if it is or isn't.  You may need to disable on-access scanning or make the file exclusion in order to make the submission.

    I have already tried making file exclusions for both spotty.exe and C:\Users\Robert\Downloads\Spotty\Spotty\Bin\MSWin32-x86-multi-thread\spotty.exe

    Neither exclusion prevents Sophos from removing spotty.exe, so I will submit the file and hopefully you will be able to whitelist it or otherwise prevent Sophos from removing it.

    Many thanks

  • jak said:

    Well in the meantime, you could make a file exclusion for spotty.exe or probably more secure, include the full path, i.e.:
    C:\Users\Robert\Downloads\Spotty\Spotty\Bin\MSWin32-x86-multi-thread\spotty.exe

    This is assuming it is a false positive.  

    Uploading the file/hash to https://www.virustotal.com/#/home/upload might give you some confidence if it is or isn't.  You may need to disable on-access scanning or make the file exclusion in order to make the submission.

    I uploaded the file to VirusTotal and 60 out of 62 antivirus engines found it to be clean. Is there any way I can submit the file to Sophos so it can be excluded from detection as a positive?

    Thank you