Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 4 subscribers
  • Views 10375 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

PUA's in Shadowcopy on Windows server 2008

Paul McCherry

I am getting hundreds of PUA's errors within Shadowcopy on a windows Server 2008 and trying to work out how to delete them.

 

I have tried disabling and removing shadowcopy on the affected drives but this has had no effect.

 

Any Ideas ?



This thread was automatically locked due to age.
  • 0

    What are the names of the PUAs?  Could they be something you could just authorize?

    Regards,

    Jak

  • 0 in reply to jak

    Mainly files that are infected with the following:-

    Troj/Caphaw-AN

    Troj/CeeInj-N

     

    and files such as 

    Path: \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\Users Shared Folders\StephenT\AdwCleaner\Quarantine\C\Users\StephenT\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\DaemonProcess.exe.vir

    What was detected: Generic PUA JL

  • 0 in reply to Paul McCherry

    OK, so there is a mix of malware (Troj/Caphaw-AN, Troj/CeeInj-N) and non-specific Potentially Unwanted Applications (PUAs) in the form of "Generic PUA JL".

    I'm guessing this didn't help: https://community.sophos.com/kb/en-us/114422 ?

    I was think it you just had maybe things like pskill, psexec, PUAs you could just authorize them in policy.

    Regards,

    Jak

  • 0 in reply to Paul McCherry

    Hello Paul,

    \Users Shared Folders\StephenT\AdwCleaner\Quarantine ... DaemonProcess.exe.vir
    hm, something AdwCleaner thought it has to put in quarantine? Are the User Shared Folders (or perhaps some folder on the path) excluded from on-access scanning?

    Christian

  • 0 in reply to QC

    This isnt actually in the uers sharedfolders its in a shadowcopy version of it which the user hasnt got access to,

     

    My guess is that Sophos hasnt got write access to iy either hence it is failing remove.

  • 0 in reply to Paul McCherry

    Hello Paul,

    the user hasn't got access to
    I was thinking of on-access scanning on the server. The files must have existed in their original location so I'd expect a corresponding detection there. If they are removed subsequent shadow copies should be clean. Recurring detections (on other copies) would suggest that the offending files are still there.
    And yes, they can't be removed (other than by destroying the copy). I assume it's different copies each time.

    Christian

Unfiltered HTML