We constantly have warnings about remcomsvc.exe.
We know the software so it's a bit of a false positive for us. So to save alerts, we placed exceptions under antivirus (C:\Windows\System32\RemComSvc.exe) and also authorized the PUA RemCom under Authorization.
We still keep getting email alerts from loads of our clients. It looks like the exceptions we put in don't work. Any ideas?
regards,
Louis
Hi Louis-M
I am also interested to know whether exclusions are not working on a few of the devices or it's not working on any of the devices. Please make sure that all the devices have been updated with the latest policy push from enterprise console.
Regards,
Jasmin
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Email Alerts below (on access & Weekly scan):
User: OURDOMAIN\ouruser
Scan: On-access
Machine: PC696
File "C:\Windows\System32\RemComSvc.exe" belongs to adware or PUA 'RemCom' (of type Other).
User: NT AUTHORITY\SYSTEM
Scan: Weekly Scan (WEDS 0100hrs)
Machine: PC646
File "C:\Windows\SysWOW64\RemComSvc.exe" belongs to adware or PUA 'RemCom' (of type Other).
Adware or PUA 'RemCom' has been detected.
Hi Louis-M
Please suggest on my previous question whether you are receiving alerts for a few systems or all the systems.
Regards,
Jasmin
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Hello Louis-M,
first of all, you shouldn't use exclusions unless the integrity of the files is sufficiently safeguarded by some other means or the exclusion is absolutely necessary. Authorization is the proper way.
I haven't seen that exclusions or authorizations aren't honoured (BTW: on-access and on-demand/scheduled scans have independent exclusions). The affected endpoints do comply with the AV&HIPS policy?
Christian
The exclusions were put in as an attempt to stop the alerts. I didn't think we needed them at the time but put them in to see if they made any difference. I've now taken them out.
So all that we have is the authorisation enabled as shown.
The pc's affected (and there are more) do comply with the policy set.
On a computer you are still getting an alert on, can you:
1. Run;
"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sav32cli.exe" -pua "C:\Windows\System32\RemComSvc.exe"
for example. Is it detected? Can you provide the output?
2. Can you attach:
"C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml"
from that computer.
Regards,
Jak
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Windows\system32>"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sav32cli.exe" -pua "C:\Windows\System32\RemComSvc.exe"
Sophos Anti-Virus
Version 1.01.1 [Win32/Intel]
Virus data version 5.67, August 2019
Includes detection for 40777751 viruses, trojans and worms
Copyright (c) 1989-2019 Sophos Limited. All rights reserved.
BY USING THIS TOOL YOU AGREE THAT YOU ARE FULLY BOUND BY, AND SUBJECT TO, ALL
OF THE OBLIGATIONS CONTAINED IN THE SOPHOS END USER LICENCE AGREEMENT ("EULA")
AND THE ONLY RIGHTS AND/OR REMEDIES AVAILABLE TO YOU (WITH RESPECT TO YOUR USE
OF THIS TOOL) ARE THOSE RIGHTS AND REMEDIES THAT ARE STATED IN THE EULA
(a copy of which is reproduced at : http://www.sophos.com/legal/eula.html).
System time 08:46:16, System date 18 September 2019
Command line qualifiers are: -pua
IDE directory is: C:\Program Files (x86)\Sophos\Sophos Anti-Virus
Using IDE file bank-gyq.ide
Using IDE file blada-vf.ide
Using IDE file vb-kke.ide
Using IDE file encdo-mr.ide
Using IDE file pdfu-hoq.ide
Using IDE file phis-frx.ide
Using IDE file zbot-nls.ide
Using IDE file azoru-bi.ide
Using IDE file poebo-nm.ide
Using IDE file blada-vn.ide
Using IDE file azoru-bk.ide
Using IDE file hawke-wb.ide
Using IDE file docd-vad.ide
Using IDE file dneti-as.ide
Using IDE file hawke-wc.ide
Using IDE file msil-moq.ide
Using IDE file mdro-iut.ide
Using IDE file fare-ima.ide
Using IDE file fare-imb.ide
Using IDE file trikb-ef.ide
Using IDE file fare-imc.ide
Using IDE file vbinj-qt.ide
Using IDE file delf-heo.ide
Using IDE file dneti-aw.ide
Using IDE file trikb-eg.ide
Using IDE file azoru-bl.ide
Using IDE file blada-vw.ide
Using IDE file tibia-u.ide
Using IDE file vundo-ci.ide
Using IDE file dneti-bh.ide
Using IDE file docd-vdp.ide
Using IDE file mocrt-f.ide
Using IDE file blada-vx.ide
Using IDE file pdfu-hpo.ide
Using IDE file ryuk-p.ide
Using IDE file bsymem-a.ide
Using IDE file formb-qj.ide
Using IDE file vbinj-qu.ide
Using IDE file blada-wc.ide
Using IDE file keylo-xf.ide
Using IDE file mocrt-g.ide
Using IDE file rtfd-aev.ide
Using IDE file mdro-iuz.ide
Using IDE file mdro-iva.ide
Using IDE file fare-int.ide
Using IDE file docph-hp.ide
Using IDE file godrop-l.ide
Using IDE file azoru-bo.ide
Using IDE file vb-kle.ide
Using IDE file formb-qk.ide
Using IDE file remco-kx.ide
Using IDE file xtbl-da.ide
Using IDE file rans-foy.ide
Using IDE file steal-ya.ide
Using IDE file bat-gm.ide
Using IDE file dneti-bq.ide
Using IDE file rans-foz.ide
Using IDE file dneti-bt.ide
Using IDE file msil-mpn.ide
Using IDE file formb-qm.ide
Using IDE file blada-wk.ide
Using IDE file inje-ely.ide
Using IDE file sodin-am.ide
Using IDE file elecfi-a.ide
Using IDE file rtfd-afm.ide
Using IDE file age-bcil.ide
Using IDE file kpot-a.ide
Using IDE file blada-wt.ide
Using IDE file inje-emb.ide
Using IDE file darkc-is.ide
Using IDE file msil-mpy.ide
Using IDE file rtfd-afo.ide
Using IDE file trikb-eh.ide
Using IDE file ryuk-t.ide
Using IDE file hawke-ws.ide
Using IDE file dneti-ce.ide
Using IDE file phis-fuk.ide
Using IDE file mdro-ivn.ide
Using IDE file delf-hev.ide
Using IDE file dneti-ci.ide
Using IDE file encdo-mw.ide
Using IDE file formb-qs.ide
Using IDE file gozi-sg.ide
Using IDE file spy-axx.ide
Using IDE file mocrt-j.ide
Using IDE file xtbl-ds.ide
Using IDE file konus-d.ide
Using IDE file inje-emm.ide
Using IDE file msili-bk.ide
Using IDE file xtbl-dt.ide
Using IDE file hawke-wx.ide
Using IDE file fare-ipy.ide
Using IDE file delf-hey.ide
Using IDE file veil-ah.ide
Using IDE file php-cr.ide
Using IDE file msili-bv.ide
Using IDE file inje-emr.ide
Using IDE file docd-vjf.ide
Using IDE file dneti-dl.ide
Using IDE file formb-qy.ide
Using IDE file rtfd-agd.ide
Using IDE file trick-so.ide
Using IDE file rtfd-agf.ide
Using IDE file fare-iqp.ide
Using IDE file fare-iqq.ide
Using IDE file inje-emt.ide
Using IDE file azoru-by.ide
Using IDE file netwi-nw.ide
Using IDE file zbot-nng.ide
Using IDE file remco-lf.ide
Using IDE file recam-ep.ide
Using IDE file dofoi-gd.ide
Using IDE file banl-csq.ide
Using IDE file spy-aya.ide
Using IDE file inje-enb.ide
Using IDE file teslaa-h.ide
Using IDE file rans-fpo.ide
Using IDE file blada-yp.ide
Using IDE file miner-up.ide
Using IDE file atmrip-b.ide
Using IDE file zbot-nnz.ide
Using IDE file steal-yv.ide
Using IDE file drid-abx.ide
Using IDE file msil-msc.ide
Using IDE file docd-vlz.ide
Using IDE file dneti-el.ide
Using IDE file fare-ist.ide
Using IDE file phis-fxg.ide
Using IDE file trikb-ek.ide
Using IDE file remco-li.ide
Using IDE file dneti-em.ide
Using IDE file encdo-mz.ide
Using IDE file hupig-xh.ide
Using IDE file puma-y.ide
Using IDE file orcusr-f.ide
Using IDE file truebo-c.ide
Using IDE file remco-lk.ide
Using IDE file apost-o.ide
Using IDE file lokib-dw.ide
Using IDE file andro-tv.ide
Using IDE file autinj-j.ide
Using IDE file miner-vb.ide
Using IDE file blada-zj.ide
Using IDE file bifro-bm.ide
Using IDE file grmasi-a.ide
Using IDE file netwi-nz.ide
Using IDE file wont-afr.ide
Using IDE file formb-by.ide
Using IDE file fare-ium.ide
Using IDE file blada-zz.ide
Using IDE file dldr-sd.ide
Using IDE file msil-mtj.ide
Using IDE file fare-iuo.ide
Using IDE file nanoc-xj.ide
Using IDE file docd-vob.ide
Using IDE file msil-mtl.ide
Using IDE file phobo-g.ide
Using IDE file vb-kme.ide
Using IDE file keylo-xh.ide
Using IDE file nukesp-d.ide
Using IDE file teslaa-k.ide
Using IDE file inje-eou.ide
Using IDE file pirpi-e.ide
Using IDE file darkc-it.ide
Using IDE file urela-ap.ide
Using IDE file bat-gp.ide
Using IDE file rans-fqc.ide
Using IDE file netwi-oa.ide
Using IDE file msil-mum.ide
Using IDE file zbot-noz.ide
Using IDE file fare-iwk.ide
Using IDE file gozi-su.ide
Using IDE file keylo-xk.ide
Using IDE file dofoi-ge.ide
Using IDE file batdrp-x.ide
Using IDE file upatr-yv.ide
Using IDE file zbot-npe.ide
Using IDE file msil-muu.ide
Using IDE file vb-kml.ide
Using IDE file msil-muv.ide
Using IDE file formb-rt.ide
Using IDE file trick-sq.ide
Using IDE file hawke-ya.ide
Using IDE file blada-af.ide
Using IDE file dneti-gz.ide
Using IDE file dofoi-gg.ide
Using IDE file emot-bgf.ide
Using IDE file emot-bgi.ide
Using IDE file emot-bgj.ide
Using IDE file formb-rv.ide
Using IDE file azoru-cg.ide
Using IDE file emot-bgl.ide
Using IDE file age-bcpy.ide
Quick Scanning
>>> PUA 'RemCom' (of type Other) found in file C:\Windows\System32\RemComSvc.exe
Memory was swept.
Registry was swept.
1 file swept in 54 seconds.
No viruses were discovered.
1 PUA was discovered.
Ending Sophos Anti-Virus.
C:\Windows\system32>
<?xml version="1.0"?>
<configuration prodver="102" version="6" policy="1">
<components>
<configurationManager>
<security>
<roles>
<role name="SophosAdministrator"><name>SophosAdministrator</name><SID>S-1-5-18</SID></role>
<role name="SophosPowerUser"><name>SophosPowerUser</name></role>
<role name="SophosUser"><name>SophosUser</name></role>
</roles>
<policies/>
</security>
</configurationManager>
<logging>
<logSources>
<settings/>
</logSources>
<workstation><consumers>
<item itemName="EventLog">
<settings>
<filtering><item itemName="Virus">90</item><item itemName="Pua">90</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">90</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item></filtering>
</settings>
</item>
<item itemName="FileLog">
<settings>
<rotation/>
<filtering/>
</settings>
</item>
<item itemName="SmtpConsumer">
<settings>
<filtering><item itemName="Virus">101</item><item itemName="Pua">101</item><item itemName="SuspiciousFile">101</item><item itemName="SuspiciousBehaviour">101</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item></filtering>
<messageFields>
<recipients><item>itsupport@OURDOMAIN.ORG.UK</item></recipients>
</messageFields>
</settings>
</item>
<item itemName="SNMPMessaging">
<settings>
<filtering><item itemName="Virus">101</item><item itemName="Pua">101</item><item itemName="SuspiciousFile">101</item><item itemName="SuspiciousBehaviour">101</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item><item itemName="ApplicationControl">101</item><item itemName="DataControl">101</item><item itemName="DeviceControl">101</item></filtering>
</settings>
</item>
</consumers>
</workstation>
</logging>
<consumerFactory>
<item itemName="SNMPMessaging">
</item>
</consumerFactory>
<ICManagement><ICfixedExclusions/>
<cscan><scanKernelMemory>true</scanKernelMemory></cscan>
<cookie>-1025938176</cookie><asyncOnClose>false</asyncOnClose></ICManagement>
<DCManagement>
</DCManagement>
<sipsManagement><runtimeBehaviour>
<bufferOverflowProtection><enabled>true</enabled><allowActions>true</allowActions></bufferOverflowProtection>
<resourceShield>
<suspicious><enabled>true</enabled><allowActions>false</allowActions></suspicious>
<enabled>true</enabled></resourceShield>
<enabled>true</enabled></runtimeBehaviour>
</sipsManagement>
<swiManagement><exclusions policy="0"/>
<enabled>true</enabled><sxlServerList>000102030405060708</sxlServerList></swiManagement>
<bhoManagement><reputationEnabled>false</reputationEnabled><reputationEnabledForOnDemandScans>true</reputationEnabledForOnDemandScans><reputationMode>0</reputationMode><reputationAction>0</reputationAction></bhoManagement>
<DataControl>
<settings><enabled>false</enabled></settings>
<processExclusions/><desktopMessaging>
<item itemName="block" inherits="false"><messageType>block</messageType><messageString></messageString><displayRule>true</displayRule></item><item itemName="overridableBlock" inherits="false"><messageType>overridableBlock</messageType><messageString></messageString><displayRule>true</displayRule></item></desktopMessaging>
<rules>
</rules>
</DataControl>
<DeviceControlManager><settings>
<alertOnly>true</alertOnly><desktopMessage></desktopMessage><enabled>true</enabled></settings>
<rules>
<item itemName="device1" inherits="false"><value>removableStorage</value><category>storage</category><access>block</access><exemptions></exemptions></item><item itemName="device2" inherits="false"><value>opticalDrive</value><category>storage</category><access>readOnly</access><exemptions></exemptions></item><item itemName="device3" inherits="false"><value>floppyDrive</value><category>storage</category><access>readOnly</access><exemptions></exemptions></item><item itemName="device4" inherits="false"><value>encryptedStorage</value><category>storage</category><access>block</access><exemptions></exemptions></item><item itemName="device5" inherits="false"><value>modem</value><category>network</category><access>allowed</access><exemptions></exemptions></item><item itemName="device6" inherits="false"><value>wireless</value><category>network</category><access>allowed</access><exemptions></exemptions></item><item itemName="device7" inherits="false"><value>bluetooth</value><category>shortRange</category><access>allowed</access><exemptions></exemptions></item><item itemName="device8" inherits="false"><value>infrared</value><category>shortRange</category><access>allowed</access><exemptions></exemptions></item><item itemName="device9" inherits="false"><value>mtp</value><category>media</category><access>allowed</access><exemptions></exemptions></item></rules>
</DeviceControlManager>
<TamperProtectionManagement><settings>
<enabled>true</enabled><password>C41A647318F99198F14F624BCAE3C9C77E039C23</password></settings>
</TamperProtectionManagement>
<ApplicationManagement>
<Detection>
<enabled>false</enabled>
<detected></detected>
</Detection>
<AutoExclusions>
<enabled>false</enabled>
<onAccess>
<fileAndFolder></fileAndFolder>
<process></process>
</onAccess>
<onDemand>
<fileAndFolder></fileAndFolder>
</onDemand>
</AutoExclusions>
</ApplicationManagement>
<VEManager>
<settings>
<cloud>
<saviOptions><item itemName="SXLServerList"><name>SXLServerList</name><value>000102030405060708</value></item></saviOptions>
</cloud>
<scanner><saviOptions><item itemName="SXLDetectionLookups"><name>SXLDetectionLookups</name><value>1</value></item><item itemName="SampleSubmit"><name>SampleSubmit</name><value>0</value></item></saviOptions>
<onDemandSxlLookups>true</onDemandSxlLookups></scanner>
</settings>
</VEManager>
</components>
<TDE>
<processors>
<VEAdapter>
<settings>
<saviOptions/>
</settings>
</VEAdapter>
</processors>
</TDE>
<!--
Global messaging settings
-->
<notification>
<consumers>
<smtpConsumer>
<settings><server>
<authentication/>
<name>10.1.28.8</name></server>
<sender>sav@end.point</sender>
<replyTo></replyTo>
<from/>
<locale>1033</locale></settings>
</smtpConsumer>
<SNMPMessaging>
<settings><managerAddress></managerAddress><communityString></communityString><cleanCtrlChars>false</cleanCtrlChars></settings>
</SNMPMessaging>
<eeConsumer>
<settings>
<blackList/>
<whiteList/>
</settings>
</eeConsumer>
</consumers>
</notification>
<!--
Product information
-->
<productInfo>
<productName/>
<productStatus/><firstInstallDate year="2017" month="12" day="18" hour="10" minute="43" second="53"/><updateDate year="2019" month="9" day="18" hour="8" minute="26" second="31"/></productInfo>
<!--
Quarantine manager
-->
<quarantineManager>
<actions>
<user/>
<powerUser/>
<administrator/>
</actions><authorisedList policy="0"><item>NirCmd</item><item>RemCom</item></authorisedList>
<authorisedFileList policy="0" xml:space="preserve"/>
</quarantineManager>
<!--
Authorisation list manager
-->
<authorisationListManager><authorisedAppCList policy="0"/>
<blockedAppCList policy="0"><item>iTunes</item><item>Winamp</item></blockedAppCList>
<blockedAppCCategoryList policy="0"/>
</authorisationListManager>
<!--
Concrete on-demand scan configurations
-->
<scanJobs>
<!--
Default scan - scan this computer
-->
<!--
Cleanup scan - scan computer with automatic cleanup for malware
-->
<scan id="{20F676DB-F174-441E-A6D1-7395CF3A8FFC}" ScanType="SystemScan">
<displayInfo>
<description policy="0">
<object ind="0">
<item type="marker" ind="0">ResStr</item>
<item type="unsigned" ind="1">109</item>
</object>
</description>
</displayInfo>
<configuration>
<template>OnDemandScanTemplate</template>
<notification>
<consumers>
<item itemName="FileLog">
<settings>
<rotation/>
<filtering/>
<filename policy="0" dir="LOCAL_APPDATA">Sophos\Sophos Anti-Virus\logs\Cleanup scan.txt</filename>
</settings>
</item>
<item itemName="SmtpConsumer">
<settings>
<filtering/>
<messageFields>
<recipients/>
</messageFields>
</settings>
</item>
</consumers>
</notification>
<scanManager/>
<instanceManager/>
<TDE>
<processors>
<item itemName="SOCDecomposer">
<settings/>
</item>
<item itemName="RawFSDecomposer">
<settings/>
</item>
<item itemName="DriveDecomposer">
<settings/>
</item>
<item itemName="FileAttributeFilter">
<settings>
<attributeList/>
</settings>
</item>
<item itemName="ExtensionFilter">
<settings>
<extensionList/>
</settings>
</item>
<item itemName="ExclusionFilterProcessor">
<settings>
<exclusionList/>
</settings>
</item>
<item itemName="FSDecomposerProcessor">
<settings></settings>
</item>
<item itemName="ScanPreprocessor">
<!-- consider disabling cache processing for the cleanup scan -->
<settings></settings>
</item>
<item itemName="VEAdapter">
<settings>
<general>
<disinfect>true</disinfect>
<puaRemoval>false</puaRemoval>
<mcmRemoval>true</mcmRemoval>
<scanVdlArchives>false</scanVdlArchives>
</general>
<stopScan/>
<saviOptions>
<item itemName="PuaDetection">
<name>PuaDetection</name>
<value>1</value>
</item>
<item itemName="DetectSecondaries">
<name>DetectSecondaries</name>
<value>1</value>
</item>
<!-- Currently, the ThreatAccumulation option must be enabled in order
to detect secondary PUA components
-->
<item itemName="ThreatAccumulation">
<name>ThreatAccumulation</name>
<value>1</value>
</item>
<item itemName="ApplicationControl">
<name>ApplicationControl</name>
<value>0</value>
</item>
</saviOptions>
</settings>
</item>
<item itemName="FileOpProcessor">
<settings>
<move/>
<delete/>
<suspiciousFiles>
<move/>
<delete/>
</suspiciousFiles>
</settings>
</item>
<item itemName="ScanPostprocessor">
<settings></settings>
</item>
</processors>
</TDE>
</configuration>
<areas>
<object ind="0">
<item type="marker" ind="0">SOCollection</item>
<item type="unsigned" ind="1">5</item>
<object ind="2">
<item type="marker" ind="0">SKernel</item>
<item type="string" ind="1">Memory</item>
</object>
<object ind="3">
<item type="marker" ind="0">SMemory</item>
<item type="string" ind="1">Memory</item>
</object>
<object ind="4">
<item type="marker" ind="0">SRegistry</item>
<item type="signed" ind="1">1</item>
</object>
<object ind="5">
<item type="marker" ind="0">SRawFS</item>
<item type="signed" ind="1">1</item>
</object>
<object ind="6">
<item type="marker" ind="0">SDrive</item>
<item type="signed" ind="1">3</item>
<item type="string" ind="2"/>
<!-- types : fixed_mbr, fixed_pbr & fixed -->
<item type="unsigned" ind="3">11</item>
</object>
</object>
</areas>
</scan><scan id="{8A9BFE72-17F5-46B2-8C53-2CE289A1057F}" ScanType="EnterpriseScan">
<displayInfo>
<description>
<object ind="0"><item type="marker" ind="0">CStr</item><item type="string" ind="1">Weekly Scan (WEDS 0100hrs)</item></object></description>
</displayInfo>
<configuration><template>OnDemandScanTemplate</template>
<notification>
<consumers>
<item itemName="FileLog">
<settings>
<rotation/>
<filtering/>
<filename dir="COMMON_APPDATA">\Sophos\Sophos Anti-Virus\logs\Weekly Scan (WEDS 0100hrs).txt</filename></settings>
</item>
<item itemName="SmtpConsumer">
<settings>
<filtering/>
<messageFields>
<recipients/>
</messageFields>
</settings>
</item>
</consumers>
</notification>
<scanManager/>
<instanceManager/>
<TDE>
<processors>
<item itemName="SOCDecomposer">
<settings/>
</item>
<item itemName="RawFSDecomposer">
<settings/>
</item>
<item itemName="DriveDecomposer">
<settings/>
</item>
<item itemName="FileAttributeFilter">
<settings>
<attributeList/>
</settings>
</item>
<item itemName="ExtensionFilter">
<settings>
<extensionList/>
</settings>
</item>
<item itemName="ExclusionFilterProcessor">
<settings>
<exclusionList/>
</settings>
</item>
<item itemName="FSDecomposerProcessor">
<settings></settings>
</item>
<item itemName="ScanPreprocessor">
<settings></settings>
</item>
<item itemName="VEAdapter">
<settings>
<general><disinfect>true</disinfect><puaRemoval>false</puaRemoval><mcmRemoval>true</mcmRemoval><scanVdlArchives>false</scanVdlArchives></general>
<stopScan/>
<saviOptions><item itemName="ApplicationControl"><name>ApplicationControl</name><value>0</value></item><item itemName="PuaDetection"><name>PuaDetection</name><value>1</value></item><item itemName="DetectSecondaries"><name>DetectSecondaries</name><value>1</value></item><item itemName="BehaviourSuspicious"><name>BehaviourSuspicious</name><value>1</value></item></saviOptions>
</settings>
</item>
<item itemName="FileOpProcessor">
<settings>
<suspiciousFiles><delete>false</delete><move>false</move></suspiciousFiles>
<delete>false</delete><move>false</move></settings>
</item>
<item itemName="ScanPostprocessor">
<settings></settings>
</item>
</processors>
</TDE>
<scanSettings><minimiseScanImpact>true</minimiseScanImpact></scanSettings></configuration>
<areas>
<object ind="0"><item type="marker" ind="0">SOCollection</item><item type="unsigned" ind="1">5</item><object ind="2"><item type="marker" ind="0">SKernel</item><item type="string" ind="1">Memory</item></object><object ind="3"><item type="marker" ind="0">SMemory</item><item type="string" ind="1">Memory</item></object><object ind="4"><item type="marker" ind="0">SRegistry</item><item type="signed" ind="1">1</item></object><object ind="5"><item type="marker" ind="0">SRawFS</item><item type="signed" ind="1">1</item></object><object ind="6"><item type="marker" ind="0">SDrive</item><item type="signed" ind="1">3</item><item type="string" ind="2"/><item type="unsigned" ind="3">11</item></object></object></areas>
</scan>
<scan id="{F86EBCD5-687E-40B1-800D-021062361F6C}" ScanType="SystemScan">
<displayInfo>
<description policy="0">
<object ind="0">
<item type="marker" ind="0">ResStr</item>
<item type="unsigned" ind="1">104</item>
</object>
</description>
</displayInfo>
<configuration><template>OnDemandScanTemplate</template>
<notification>
<consumers>
<item itemName="FileLog">
<settings>
<rotation/>
<filtering/>
<filename policy="0" dir="LOCAL_APPDATA">Sophos\Sophos Anti-Virus\logs\Scan my computer.txt</filename>
</settings>
</item>
<item itemName="SmtpConsumer">
<settings>
<filtering/>
<messageFields>
<recipients/>
</messageFields>
</settings>
</item>
</consumers>
</notification>
<scanManager/>
<instanceManager/>
<TDE>
<processors>
<item itemName="SOCDecomposer">
<settings/>
</item>
<item itemName="RawFSDecomposer">
<settings/>
</item>
<item itemName="DriveDecomposer">
<settings/>
</item>
<item itemName="FileAttributeFilter">
<settings>
<attributeList/>
</settings>
</item>
<item itemName="ExtensionFilter">
<settings>
<extensionList/>
</settings>
</item>
<item itemName="ExclusionFilterProcessor">
<settings>
<exclusionList/>
</settings>
</item>
<item itemName="FSDecomposerProcessor">
<settings></settings>
</item>
<item itemName="ScanPreprocessor">
<settings></settings>
</item>
<item itemName="VEAdapter">
<settings>
<general>
<disinfect>false</disinfect>
<mcmRemoval>false</mcmRemoval>
</general>
<stopScan/>
<saviOptions>
<item itemName="PuaDetection">
<name>PuaDetection</name>
<value>1</value>
</item>
<item itemName="DetectSecondaries">
<name>DetectSecondaries</name>
<value>1</value>
</item>
<!-- Currently, the ThreatAccumulation option must be enabled in order
to detect secondary PUA components
-->
<item itemName="ThreatAccumulation">
<name>ThreatAccumulation</name>
<value>1</value>
</item>
<item itemName="ApplicationControl"><name>ApplicationControl</name><value>0</value></item></saviOptions>
</settings>
</item>
<item itemName="FileOpProcessor">
<settings>
<move/>
<delete/>
<suspiciousFiles>
<move/>
<delete/>
</suspiciousFiles>
</settings>
</item>
<item itemName="ScanPostprocessor">
<settings></settings>
</item>
</processors>
</TDE>
</configuration>
<areas>
<object ind="0">
<item type="marker" ind="0">SOCollection</item>
<item type="unsigned" ind="1">5</item>
<object ind="2">
<item type="marker" ind="0">SKernel</item>
<item type="string" ind="1">Memory</item>
</object>
<object ind="3">
<item type="marker" ind="0">SMemory</item>
<item type="string" ind="1">Memory</item>
</object>
<object ind="4">
<item type="marker" ind="0">SRegistry</item>
<item type="signed" ind="1">1</item>
</object>
<object ind="5">
<item type="marker" ind="0">SRawFS</item>
<item type="signed" ind="1">1</item>
</object>
<object ind="6">
<item type="marker" ind="0">SDrive</item>
<item type="signed" ind="1">3</item>
<item type="string" ind="2"/>
<!-- types : fixed_mbr, fixed_pbr & fixed -->
<item type="unsigned" ind="3">11</item>
</object>
</object>
</areas>
</scan>
</scanJobs>
<!--
Scan summaries
-->
<scanSummaries policy="0"><summary id="{F86EBCD5-687E-40B1-800D-021062361F6C}">
<lastTimeRun year="2019" month="9" day="13" hour="7" minute="58" second="1"/>
<lastState>aborted</lastState>
<lastRunBy>S-1-5-21-1322713655-443559718-903097961-2994</lastRunBy>
<neutralisedThreats>0</neutralisedThreats>
<liveThreats>0</liveThreats>
<errors>0</errors>
<itemsChecked>1</itemsChecked>
<logFilename>C:\Users\Louis\AppData\Local\Sophos\Sophos Anti-Virus\logs\Scan my computer.txt</logFilename>
<goldenFiles>0</goldenFiles>
<threatsInGoldenFiles>0</threatsInGoldenFiles>
</summary><summary id="{8A9BFE72-17F5-46B2-8C53-2CE289A1057F}">
<lastTimeRun year="2019" month="9" day="18" hour="0" minute="48" second="30"/>
<lastState>completed</lastState>
<lastRunBy>S-1-5-18</lastRunBy>
<neutralisedThreats>0</neutralisedThreats>
<liveThreats>0</liveThreats>
<errors>9</errors>
<itemsChecked>612408</itemsChecked>
<logFilename>C:\ProgramData\Sophos\Sophos Anti-Virus\logs\Weekly Scan (WEDS 0100hrs).txt</logFilename>
<goldenFiles>0</goldenFiles>
<threatsInGoldenFiles>0</threatsInGoldenFiles>
</summary></scanSummaries>
<!--
Scan templates
-->
<scanTemplates>
<webScanning><notification>
<consumers>
<item itemName="DesktopConsumer">
<settings>
<filtering><item itemName="Virus">90</item><item itemName="Pua">90</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">101</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item></filtering>
</settings>
</item>
</consumers>
</notification>
<TDE>
<processors>
<item itemName="VEAdapter">
<settings>
<general/>
<stopScan/>
<saviOptions/>
</settings>
</item>
<item itemName="WebScanningOperations">
<settings>
<mimeTypeList/>
<mode>asOnAccess</mode></settings>
</item>
</processors>
</TDE>
</webScanning>
<onAccessScan><notification>
<consumers>
<item itemName="DesktopConsumer">
<settings>
<filtering><item itemName="Virus">90</item><item itemName="Pua">90</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">101</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item><item itemName="ApplicationControl">101</item></filtering>
</settings>
</item>
<item itemName="SmtpConsumer">
<settings>
<filtering><item itemName="Virus">90</item><item itemName="Pua">90</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">101</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item><item itemName="ApplicationControl">101</item></filtering>
<messageFields>
<recipients><item>itsupport@OURDOMAIN.ORG.UK</item></recipients>
</messageFields>
</settings>
</item>
</consumers>
</notification>
<TDE>
<processors>
<item itemName="DriverOperations">
<settings><running>true</running><onReadCheck>true</onReadCheck><onRenameCheck>true</onRenameCheck><onWriteCheck>true</onWriteCheck><allowBootSectorAccess>false</allowBootSectorAccess><appControlRunning>true</appControlRunning><blockControlledApps>false</blockControlledApps><checkAll>false</checkAll></settings>
</item>
<item itemName="DriverExtensions">
<settings>
<extensionList/>
</settings>
</item>
<item itemName="FileExclusions">
<settings>
<exclusionList><item>C:Windows\System32\RemComSvc.exe</item><item>C:\Windows\SysWOW64\RemComSvc.exe</item></exclusionList>
</settings>
</item>
<item itemName="DriveExclusions">
<settings>
<exclusionList/>
</settings>
</item>
<item itemName="ProcessExclusions">
<settings>
<exclusionList/>
</settings>
</item>
<item itemName="GeneralExclusions">
<settings>
<exclusionList/>
</settings>
</item>
<item itemName="UserExclusions">
<settings>
<exclusionList/>
</settings>
</item>
<item itemName="ScanPreprocessor">
<settings/>
</item>
<item itemName="VEAdapter">
<settings>
<general><disinfect>true</disinfect><puaRemoval>false</puaRemoval><mcmRemoval>true</mcmRemoval><scanVdlArchives>false</scanVdlArchives></general>
<stopScan/>
<saviOptions><item itemName="PuaDetection"><name>PuaDetection</name><value>1</value></item><item itemName="ApplicationControl"><name>ApplicationControl</name><value>1</value></item><item itemName="BehaviourSuspicious"><name>BehaviourSuspicious</name><value>0</value></item></saviOptions>
</settings>
</item>
<item itemName="FileOpProcessor">
<settings>
<suspiciousFiles><delete>false</delete><move>false</move></suspiciousFiles>
<delete>false</delete><move>false</move></settings>
</item>
<item itemName="ScanPostprocessor">
<settings/>
</item>
</processors>
</TDE>
</onAccessScan>
<onDemandScan><instanceManager/>
<notification>
<consumers>
<item itemName="FileLog">
<settings>
<rotation/>
<filtering/>
</settings>
</item>
<item itemName="SmtpConsumer">
<settings>
<filtering><item itemName="Virus">90</item><item itemName="Pua">90</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">101</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item></filtering>
<messageFields>
<recipients><item>itsupport@OURDOMAIN.ORG.UK</item></recipients>
</messageFields>
</settings>
</item>
</consumers>
</notification>
<TDE>
<processors>
<item itemName="SOCDecomposer">
<settings/>
</item>
<item itemName="RawFSDecomposer">
<settings/>
</item>
<item itemName="DriveDecomposer">
<settings/>
</item>
<item itemName="FileAttributeFilter">
<settings>
<attributeList/>
</settings>
</item>
<item itemName="ExtensionFilter">
<settings>
<extensionList/>
<extensionNone>true</extensionNone><scanAllFiles>false</scanAllFiles></settings>
</item>
<item itemName="ExclusionFilterProcessor">
<settings>
<exclusionList/>
</settings>
</item>
<item itemName="FSDecomposerProcessor">
<settings/>
</item>
<item itemName="ScanPreprocessor">
<settings></settings>
</item>
<item itemName="VEAdapter">
<settings>
<general/>
<stopScan/>
<saviOptions/>
</settings>
</item>
<item itemName="FileOpProcessor">
<settings>
<suspiciousFiles/>
</settings>
</item>
<item itemName="ScanPostprocessor">
<settings></settings>
</item>
</processors>
</TDE>
</onDemandScan>
<rightClickScan><instanceManager/>
<notification>
<consumers>
<item itemName="FileLog">
<settings>
<rotation/>
<filtering/>
</settings>
</item>
<item itemName="SmtpConsumer">
<settings>
<filtering><item itemName="Virus">90</item><item itemName="Pua">90</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">101</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item></filtering>
<messageFields>
<recipients><item>itsupport@OURDOMAIN.ORG.UK</item></recipients>
</messageFields>
</settings>
</item>
</consumers>
</notification>
<TDE>
<processors>
<item itemName="SOCDecomposer">
<settings/>
</item>
<item itemName="RawFSDecomposer">
<settings/>
</item>
<item itemName="DriveDecomposer">
<settings/>
</item>
<item itemName="FileAttributeFilter">
<settings>
<attributeList/>
</settings>
</item>
<item itemName="ExtensionFilter">
<settings>
<extensionList/>
<extensionNone>true</extensionNone></settings>
</item>
<item itemName="ExclusionFilterProcessor">
<settings>
<exclusionList/>
</settings>
</item>
<item itemName="FSDecomposerProcessor">
<settings/>
</item>
<item itemName="ScanPreprocessor">
<settings></settings>
</item>
<item itemName="VEAdapter">
<settings>
<general/>
<stopScan/>
<saviOptions/>
</settings>
</item>
<item itemName="FileOpProcessor">
<settings>
<suspiciousFiles/>
</settings>
</item>
<item itemName="ScanPostprocessor">
<settings></settings>
</item>
</processors>
</TDE>
</rightClickScan>
<sipsMessaging><notification>
<consumers>
<item itemName="DesktopConsumer">
<settings>
<filtering><item itemName="Virus">90</item><item itemName="Pua">101</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">90</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item></filtering>
</settings>
</item>
<item itemName="SmtpConsumer">
<settings>
<filtering><item itemName="Virus">90</item><item itemName="Pua">101</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">90</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item></filtering>
<messageFields>
<recipients><item>itsupport@OURDOMAIN.ORG.UK</item></recipients>
</messageFields>
</settings>
</item>
</consumers>
</notification>
</sipsMessaging>
<swiMessaging><notification>
<consumers>
<item itemName="DesktopConsumer">
<settings>
<filtering><item itemName="Virus">90</item><item itemName="Pua">90</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">101</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item></filtering>
</settings>
</item>
</consumers>
</notification>
</swiMessaging>
<dataControl><notification>
<consumers>
<item itemName="DesktopConsumer">
<settings>
<filtering><item itemName="DataControl">90</item></filtering>
</settings>
</item>
<item itemName="FileLog">
<settings>
<filtering/>
</settings>
</item>
<item itemName="SmtpConsumer">
<settings>
<filtering><item itemName="DataControl">101</item></filtering>
<messageFields>
<recipients/>
</messageFields>
</settings>
</item>
</consumers>
</notification>
</dataControl>
<deviceControl><notification>
<consumers>
<item itemName="DesktopConsumer">
<settings>
<filtering><item itemName="DeviceControl">101</item></filtering>
</settings>
</item>
<item itemName="FileLog">
<settings>
<filtering/>
</settings>
</item>
<item itemName="SmtpConsumer">
<settings>
<filtering><item itemName="DeviceControl">101</item></filtering>
<messageFields>
<recipients><item>Louis@OURDOMAIN.ORG.UK</item></recipients>
</messageFields>
</settings>
</item>
</consumers>
</notification>
</deviceControl>
<tamperProtection>
<notification>
<consumers>
<item itemName="FileLog">
<settings>
<filtering/>
</settings>
</item>
</consumers>
</notification>
</tamperProtection>
</scanTemplates>
<UserDefinedMessage><messageText>Abnormal activity has been detected on this computer.
Please contact IT Support on 01604 797040.</messageText><messageTextAppC></messageTextAppC></UserDefinedMessage>
<disabledDeviceListManager>
<disabledDevices/><alertOnlyDevices/>
</disabledDeviceListManager>
<deviceControlManager>
<wirelessConnections/>
<storageDevices/>
<mediaDevices/>
<whiteList/>
<compositeDeviceParentList/>
</deviceControlManager>
</configuration>
Hello Louis-M,
as far as I can tell the machine.xml looks like it should.
If, as I assume, this is from a computer that reported the detection I have no idea what could be the cause, especially as apparently the exclusion is in place. Exclusions and authorizations have no interrelation and are handled in quite different parts of the scanning workflow.
As you have Scan for Adware and PUAs enabled - could you perhaps test with a "known reputable" PUA like psexec.exe?
Christian
From my testing with PsExec, sav32cli will still detect the PUA even if it has been excluded. Scheduled scans will also detect Authorized PUAs in the local scan log but not report it back to SEC. I'm able to open up PsExec without a detection however.
I'd agree with Christian and say it's worth testing with a known reputable PUA such as PsExec. It may also be worth checking if a toast notification detection comes up if you double click to open "C:\Windows\System32\RemComSvc.exe".
You mentioned email alerts, do you also see these detections on Sophos Enterprise Console as an Adware or PUA detected alert? Since these emails are sent from the endpoint I'm wondering if something is being skipped here.
From my testing with PsExec, sav32cli will still detect the PUA even if it has been excluded. Scheduled scans will also detect Authorized PUAs in the local scan log but not report it back to SEC. I'm able to open up PsExec without a detection however.
I'd agree with Christian and say it's worth testing with a known reputable PUA such as PsExec. It may also be worth checking if a toast notification detection comes up if you double click to open "C:\Windows\System32\RemComSvc.exe".
You mentioned email alerts, do you also see these detections on Sophos Enterprise Console as an Adware or PUA detected alert? Since these emails are sent from the endpoint I'm wondering if something is being skipped here.
Hello MEric and Louis,
sav32cli will still detect the PUA even if it has been excluded
this is the expected behaviour. sav32cli.exe is stand-alone (once there was a self-contained version available), while it uses SAVXP's engine and detection data (libraries and IDEs) it doesn't take heed of SAVXP's settings, rely on the On-Access driver or SAVService.exe.
Scheduled scans will also detect Authorized PUAs
Correct. You get a message like File "C:\Program Files\PSTools\PsExec.exe" belongs to authorized adware or PUA 'PsExec' but you shouldn't get an alert or email. I suggested to test whether the behaviour with psexec.exe is the same (i.e. exclusion and authorization have seemingly no effect) or as intended.
Christian
