
SEC - PUA exceptions not working?

We constantly have warnings about remcomsvc.exe.

We know the software so it's a bit of a false positive for us. So to save alerts, we placed exceptions under antivirus (C:\Windows\System32\RemComSvc.exe) and also authorized the PUA RemCom under Authorization.

We still keep getting email alerts from loads of our clients. It looks like the exceptions we put in don't work. Any ideas?


regards,

Louis



  • Hi,

    I am also interested to know whether exclusions are not working on a few of the devices or it's not working on any of the devices. Please make sure that all the devices have been updated with the latest policy push from enterprise console.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Email alerts below (on-access & weekly scan):

    User: OURDOMAIN\ouruser
    Scan: On-access
    Machine: PC696

    File "C:\Windows\System32\RemComSvc.exe" belongs to adware or PUA 'RemCom' (of type Other).


    User: NT AUTHORITY\SYSTEM
    Scan: Weekly Scan (WEDS 0100hrs)
    Machine: PC646

    File "C:\Windows\SysWOW64\RemComSvc.exe" belongs to adware or PUA 'RemCom' (of type Other).

    Adware or PUA 'RemCom' has been detected.

  • Hi,

    Please suggest on my previous question whether you are receiving alerts for a few systems or all the systems. 

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Hello Louis-M,

    First of all, you shouldn't use exclusions unless the integrity of the files is sufficiently safeguarded by some other means or the exclusion is absolutely necessary. Authorization is the proper way.

    I haven't seen that exclusions or authorizations aren't honoured (BTW: on-access and on-demand/scheduled scans have independent exclusions). The affected endpoints do comply with the AV&HIPS policy?

    Christian 

  • The exclusions were put in as an attempt to stop the alerts. I didn't think we needed them at the time but put them in to see if they made any difference. I've now taken them out.

    So all that we have is the authorisation enabled as shown.

    The PCs affected (and there are more) do comply with the policy set.

  • On a computer you are still getting an alert on, can you:

    1. Run;
    "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sav32cli.exe" -pua "C:\Windows\System32\RemComSvc.exe"

    for example.  Is it detected? Can you provide the output?

    2. Can you attach:
    "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml"
    from that computer.

    Regards,
    Jak
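The two things raised above, Christian's point that on-access and on-demand/scheduled scans keep separate exclusions and Jak's request for machine.xml, can be checked on an endpoint without reading the XML by eye. The script below is an added example written for this thread; it is not Sophos code and was not posted by anyone here. It parses a machine.xml and reports which PUA names are on the quarantineManager authorised list and, for every on-demand scan job under scanJobs, whether that job's PuaDetection option is 1 and what its own ExclusionFilterProcessor exclusionList holds. The element paths are the ones visible in the file posted below. Assumptions: the sample document is constructed to mirror that file's shape (its second scan job is invented to show a job with an exclusion and PUA detection off); the one-`<item>`-per-path layout inside `<exclusionList>` is a guess, since every posted list is empty; and treating PuaDetection=0 as "off" is an assumption, since every posted job has it set to 1. On-access exclusions are stored elsewhere in the file and are not parsed.

```python
"""Audit a Sophos Anti-Virus machine.xml for PUA authorisations and
per-scan-job exclusions. Added example, not Sophos code. Element paths follow
the machine.xml posted in this thread; the <item> layout inside <exclusionList>
and the meaning of PuaDetection=0 are assumptions."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample shaped like the posted file, trimmed to what the audit
# reads. The second scan job is invented: PUA detection off, one exclusion.
SAMPLE_MACHINE_XML = """<?xml version="1.0"?>
<configuration prodver="102" version="6" policy="1">
  <quarantineManager>
    <authorisedList policy="0"><item>NirCmd</item><item>RemCom</item></authorisedList>
    <authorisedFileList policy="0" xml:space="preserve"/>
  </quarantineManager>
  <scanJobs>
    <scan id="{8A9BFE72-17F5-46B2-8C53-2CE289A1057F}" ScanType="EnterpriseScan">
      <displayInfo><description><object ind="0">
        <item type="marker" ind="0">CStr</item>
        <item type="string" ind="1">Weekly Scan (WEDS 0100hrs)</item>
      </object></description></displayInfo>
      <configuration><TDE><processors>
        <item itemName="ExclusionFilterProcessor"><settings><exclusionList/></settings></item>
        <item itemName="VEAdapter"><settings><saviOptions>
          <item itemName="PuaDetection"><name>PuaDetection</name><value>1</value></item>
        </saviOptions></settings></item>
      </processors></TDE></configuration>
    </scan>
    <scan id="{F86EBCD5-687E-40B1-800D-021062361F6C}" ScanType="SystemScan">
      <displayInfo><description policy="0"><object ind="0">
        <item type="marker" ind="0">ResStr</item>
        <item type="unsigned" ind="1">104</item>
      </object></description></displayInfo>
      <configuration><TDE><processors>
        <item itemName="ExclusionFilterProcessor"><settings><exclusionList>
          <item>C:\\Windows\\System32\\RemComSvc.exe</item>
        </exclusionList></settings></item>
        <item itemName="VEAdapter"><settings><saviOptions>
          <item itemName="PuaDetection"><name>PuaDetection</name><value>0</value></item>
        </saviOptions></settings></item>
      </processors></TDE></configuration>
    </scan>
  </scanJobs>
</configuration>
"""


def authorised_puas(root):
    """PUA names on the quarantineManager authorised list."""
    return [i.text.strip() for i in root.findall("./quarantineManager/authorisedList/item") if i.text]


def scan_name(scan):
    """Display name: a literal string (CStr marker) or a resource-string id (ResStr marker)."""
    items = scan.findall("./displayInfo/description/object/item")
    texts = [(i.text or "").strip() for i in items]
    if len(texts) >= 2 and texts[0] == "CStr":
        return texts[1]
    return " ".join(texts)  # e.g. "ResStr 104": a built-in scan named by resource id


def scan_jobs(root):
    """Per on-demand scan job: its PuaDetection flag and its own exclusion list."""
    jobs = []
    for scan in root.findall("./scanJobs/scan"):
        pua_detection, exclusions = None, []
        procs = scan.find("./configuration/TDE/processors")
        for item in (procs.findall("item") if procs is not None else []):
            kind = item.get("itemName")
            if kind == "ExclusionFilterProcessor":
                lst = item.find("./settings/exclusionList")
                # Assumed layout: one <item> child per excluded path.
                exclusions = [(e.text or "").strip() for e in lst] if lst is not None else []
            elif kind == "VEAdapter":
                for opt in item.findall("./settings/saviOptions/item"):
                    if opt.get("itemName") == "PuaDetection":
                        pua_detection = (opt.findtext("value") or "").strip() == "1"
        jobs.append({"id": scan.get("id"), "type": scan.get("ScanType"),
                     "name": scan_name(scan), "pua_detection": pua_detection,
                     "exclusions": exclusions})
    return jobs


def audit(xml_text, pua_name):
    """Is pua_name authorised, and how does each scan job treat PUAs and exclusions?"""
    root = ET.fromstring(xml_text)
    authorised = authorised_puas(root)
    return {"authorised": authorised, "pua_authorised": pua_name in authorised,
            "scans": scan_jobs(root)}


def main(argv):
    # Usage: python audit_machine_xml.py [path\to\machine.xml] [PUA name]
    xml_text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_MACHINE_XML
    pua = argv[2] if len(argv) > 2 else "RemCom"
    report = audit(xml_text, pua)
    print(f"authorised PUAs: {report['authorised']} ({pua} authorised: {report['pua_authorised']})")
    for job in report["scans"]:
        print(f"- {job['name']} [{job['type']}] PuaDetection={job['pua_detection']} "
              f"exclusions={job['exclusions']}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it on the endpoint as `python audit_machine_xml.py "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml" RemCom`. Against the file posted below it would report RemCom and NirCmd authorised, PuaDetection=1 on every job and an empty exclusion list on every job, which is the state Louis describes after removing the exclusions; the script confirms the configuration, it does not explain why the scanner still reports the file.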

  • Microsoft Windows [Version 10.0.15063]
    (c) 2017 Microsoft Corporation. All rights reserved.
    
    C:\Windows\system32>"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sav32cli.exe" -pua "C:\Windows\System32\RemComSvc.exe"
    Sophos Anti-Virus
    Version 1.01.1 [Win32/Intel]
    Virus data version 5.67, August 2019
    Includes detection for 40777751 viruses, trojans and worms
    Copyright (c) 1989-2019 Sophos Limited. All rights reserved.
    
    BY USING THIS TOOL YOU AGREE THAT YOU ARE FULLY BOUND BY, AND SUBJECT TO, ALL
    OF THE OBLIGATIONS CONTAINED IN THE SOPHOS END USER LICENCE AGREEMENT ("EULA")
    AND THE ONLY RIGHTS AND/OR REMEDIES AVAILABLE TO YOU (WITH RESPECT TO YOUR USE
    OF THIS TOOL) ARE THOSE RIGHTS AND REMEDIES THAT ARE STATED IN THE EULA
    (a copy of which is reproduced at : http://www.sophos.com/legal/eula.html).
    
    System time 08:46:16, System date 18 September 2019
    Command line qualifiers are: -pua
    
    IDE directory is: C:\Program Files (x86)\Sophos\Sophos Anti-Virus
    
    Using IDE file bank-gyq.ide
    Using IDE file blada-vf.ide
    Using IDE file vb-kke.ide
    Using IDE file encdo-mr.ide
    Using IDE file pdfu-hoq.ide
    Using IDE file phis-frx.ide
    Using IDE file zbot-nls.ide
    Using IDE file azoru-bi.ide
    Using IDE file poebo-nm.ide
    Using IDE file blada-vn.ide
    Using IDE file azoru-bk.ide
    Using IDE file hawke-wb.ide
    Using IDE file docd-vad.ide
    Using IDE file dneti-as.ide
    Using IDE file hawke-wc.ide
    Using IDE file msil-moq.ide
    Using IDE file mdro-iut.ide
    Using IDE file fare-ima.ide
    Using IDE file fare-imb.ide
    Using IDE file trikb-ef.ide
    Using IDE file fare-imc.ide
    Using IDE file vbinj-qt.ide
    Using IDE file delf-heo.ide
    Using IDE file dneti-aw.ide
    Using IDE file trikb-eg.ide
    Using IDE file azoru-bl.ide
    Using IDE file blada-vw.ide
    Using IDE file tibia-u.ide
    Using IDE file vundo-ci.ide
    Using IDE file dneti-bh.ide
    Using IDE file docd-vdp.ide
    Using IDE file mocrt-f.ide
    Using IDE file blada-vx.ide
    Using IDE file pdfu-hpo.ide
    Using IDE file ryuk-p.ide
    Using IDE file bsymem-a.ide
    Using IDE file formb-qj.ide
    Using IDE file vbinj-qu.ide
    Using IDE file blada-wc.ide
    Using IDE file keylo-xf.ide
    Using IDE file mocrt-g.ide
    Using IDE file rtfd-aev.ide
    Using IDE file mdro-iuz.ide
    Using IDE file mdro-iva.ide
    Using IDE file fare-int.ide
    Using IDE file docph-hp.ide
    Using IDE file godrop-l.ide
    Using IDE file azoru-bo.ide
    Using IDE file vb-kle.ide
    Using IDE file formb-qk.ide
    Using IDE file remco-kx.ide
    Using IDE file xtbl-da.ide
    Using IDE file rans-foy.ide
    Using IDE file steal-ya.ide
    Using IDE file bat-gm.ide
    Using IDE file dneti-bq.ide
    Using IDE file rans-foz.ide
    Using IDE file dneti-bt.ide
    Using IDE file msil-mpn.ide
    Using IDE file formb-qm.ide
    Using IDE file blada-wk.ide
    Using IDE file inje-ely.ide
    Using IDE file sodin-am.ide
    Using IDE file elecfi-a.ide
    Using IDE file rtfd-afm.ide
    Using IDE file age-bcil.ide
    Using IDE file kpot-a.ide
    Using IDE file blada-wt.ide
    Using IDE file inje-emb.ide
    Using IDE file darkc-is.ide
    Using IDE file msil-mpy.ide
    Using IDE file rtfd-afo.ide
    Using IDE file trikb-eh.ide
    Using IDE file ryuk-t.ide
    Using IDE file hawke-ws.ide
    Using IDE file dneti-ce.ide
    Using IDE file phis-fuk.ide
    Using IDE file mdro-ivn.ide
    Using IDE file delf-hev.ide
    Using IDE file dneti-ci.ide
    Using IDE file encdo-mw.ide
    Using IDE file formb-qs.ide
    Using IDE file gozi-sg.ide
    Using IDE file spy-axx.ide
    Using IDE file mocrt-j.ide
    Using IDE file xtbl-ds.ide
    Using IDE file konus-d.ide
    Using IDE file inje-emm.ide
    Using IDE file msili-bk.ide
    Using IDE file xtbl-dt.ide
    Using IDE file hawke-wx.ide
    Using IDE file fare-ipy.ide
    Using IDE file delf-hey.ide
    Using IDE file veil-ah.ide
    Using IDE file php-cr.ide
    Using IDE file msili-bv.ide
    Using IDE file inje-emr.ide
    Using IDE file docd-vjf.ide
    Using IDE file dneti-dl.ide
    Using IDE file formb-qy.ide
    Using IDE file rtfd-agd.ide
    Using IDE file trick-so.ide
    Using IDE file rtfd-agf.ide
    Using IDE file fare-iqp.ide
    Using IDE file fare-iqq.ide
    Using IDE file inje-emt.ide
    Using IDE file azoru-by.ide
    Using IDE file netwi-nw.ide
    Using IDE file zbot-nng.ide
    Using IDE file remco-lf.ide
    Using IDE file recam-ep.ide
    Using IDE file dofoi-gd.ide
    Using IDE file banl-csq.ide
    Using IDE file spy-aya.ide
    Using IDE file inje-enb.ide
    Using IDE file teslaa-h.ide
    Using IDE file rans-fpo.ide
    Using IDE file blada-yp.ide
    Using IDE file miner-up.ide
    Using IDE file atmrip-b.ide
    Using IDE file zbot-nnz.ide
    Using IDE file steal-yv.ide
    Using IDE file drid-abx.ide
    Using IDE file msil-msc.ide
    Using IDE file docd-vlz.ide
    Using IDE file dneti-el.ide
    Using IDE file fare-ist.ide
    Using IDE file phis-fxg.ide
    Using IDE file trikb-ek.ide
    Using IDE file remco-li.ide
    Using IDE file dneti-em.ide
    Using IDE file encdo-mz.ide
    Using IDE file hupig-xh.ide
    Using IDE file puma-y.ide
    Using IDE file orcusr-f.ide
    Using IDE file truebo-c.ide
    Using IDE file remco-lk.ide
    Using IDE file apost-o.ide
    Using IDE file lokib-dw.ide
    Using IDE file andro-tv.ide
    Using IDE file autinj-j.ide
    Using IDE file miner-vb.ide
    Using IDE file blada-zj.ide
    Using IDE file bifro-bm.ide
    Using IDE file grmasi-a.ide
    Using IDE file netwi-nz.ide
    Using IDE file wont-afr.ide
    Using IDE file formb-by.ide
    Using IDE file fare-ium.ide
    Using IDE file blada-zz.ide
    Using IDE file dldr-sd.ide
    Using IDE file msil-mtj.ide
    Using IDE file fare-iuo.ide
    Using IDE file nanoc-xj.ide
    Using IDE file docd-vob.ide
    Using IDE file msil-mtl.ide
    Using IDE file phobo-g.ide
    Using IDE file vb-kme.ide
    Using IDE file keylo-xh.ide
    Using IDE file nukesp-d.ide
    Using IDE file teslaa-k.ide
    Using IDE file inje-eou.ide
    Using IDE file pirpi-e.ide
    Using IDE file darkc-it.ide
    Using IDE file urela-ap.ide
    Using IDE file bat-gp.ide
    Using IDE file rans-fqc.ide
    Using IDE file netwi-oa.ide
    Using IDE file msil-mum.ide
    Using IDE file zbot-noz.ide
    Using IDE file fare-iwk.ide
    Using IDE file gozi-su.ide
    Using IDE file keylo-xk.ide
    Using IDE file dofoi-ge.ide
    Using IDE file batdrp-x.ide
    Using IDE file upatr-yv.ide
    Using IDE file zbot-npe.ide
    Using IDE file msil-muu.ide
    Using IDE file vb-kml.ide
    Using IDE file msil-muv.ide
    Using IDE file formb-rt.ide
    Using IDE file trick-sq.ide
    Using IDE file hawke-ya.ide
    Using IDE file blada-af.ide
    Using IDE file dneti-gz.ide
    Using IDE file dofoi-gg.ide
    Using IDE file emot-bgf.ide
    Using IDE file emot-bgi.ide
    Using IDE file emot-bgj.ide
    Using IDE file formb-rv.ide
    Using IDE file azoru-cg.ide
    Using IDE file emot-bgl.ide
    Using IDE file age-bcpy.ide
    
    Quick Scanning
    
    >>> PUA 'RemCom' (of type Other) found in file C:\Windows\System32\RemComSvc.exe
    
    Memory was swept.
    Registry was swept.
    1 file swept in 54 seconds.
    No viruses were discovered.
    1 PUA was discovered.
    Ending Sophos Anti-Virus.
    
    C:\Windows\system32>
     
    <?xml version="1.0"?>
    <configuration prodver="102" version="6" policy="1">
    	<components>
    		<configurationManager>
    			<security>
    				<roles>
    					<role name="SophosAdministrator"><name>SophosAdministrator</name><SID>S-1-5-18</SID></role>
    					<role name="SophosPowerUser"><name>SophosPowerUser</name></role>
    					<role name="SophosUser"><name>SophosUser</name></role>
    				</roles>
    				<policies/>
    			</security>
    		</configurationManager>
    		<logging>
    			<logSources>
    				<settings/>
    			</logSources>
    			<workstation><consumers>
    					<item itemName="EventLog">
    						<settings>
    							<filtering><item itemName="Virus">90</item><item itemName="Pua">90</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">90</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item></filtering>
    						</settings>
    					</item>
    					<item itemName="FileLog">
    						<settings>
    							<rotation/>
    							<filtering/>
    						</settings>
    					</item>
    					<item itemName="SmtpConsumer">
    						<settings>
    							<filtering><item itemName="Virus">101</item><item itemName="Pua">101</item><item itemName="SuspiciousFile">101</item><item itemName="SuspiciousBehaviour">101</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item></filtering>
    							<messageFields>
    								<recipients><item>itsupport@OURDOMAIN.ORG.UK</item></recipients>
    							</messageFields>
    						</settings>
    					</item>
    					<item itemName="SNMPMessaging">
    						<settings>
    							<filtering><item itemName="Virus">101</item><item itemName="Pua">101</item><item itemName="SuspiciousFile">101</item><item itemName="SuspiciousBehaviour">101</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item><item itemName="ApplicationControl">101</item><item itemName="DataControl">101</item><item itemName="DeviceControl">101</item></filtering>
    						</settings>
    					</item>
    				</consumers>
    			</workstation>
    		</logging>
    		<consumerFactory>
    			<item itemName="SNMPMessaging">
    			</item>
    		</consumerFactory>
    		<ICManagement><ICfixedExclusions/>
    			<cscan><scanKernelMemory>true</scanKernelMemory></cscan>
    			<cookie>-1025938176</cookie><asyncOnClose>false</asyncOnClose></ICManagement>
    		<DCManagement>
    		</DCManagement>
    		<sipsManagement><runtimeBehaviour>
    				<bufferOverflowProtection><enabled>true</enabled><allowActions>true</allowActions></bufferOverflowProtection>
    				<resourceShield>
    					<suspicious><enabled>true</enabled><allowActions>false</allowActions></suspicious>
    					<enabled>true</enabled></resourceShield>
    				<enabled>true</enabled></runtimeBehaviour>
    		</sipsManagement>
    		<swiManagement><exclusions policy="0"/>
    			<enabled>true</enabled><sxlServerList>000102030405060708</sxlServerList></swiManagement>
    		<bhoManagement><reputationEnabled>false</reputationEnabled><reputationEnabledForOnDemandScans>true</reputationEnabledForOnDemandScans><reputationMode>0</reputationMode><reputationAction>0</reputationAction></bhoManagement>
    		<DataControl>
    			<settings><enabled>false</enabled></settings>
    			<processExclusions/><desktopMessaging>
    				<item itemName="block" inherits="false"><messageType>block</messageType><messageString></messageString><displayRule>true</displayRule></item><item itemName="overridableBlock" inherits="false"><messageType>overridableBlock</messageType><messageString></messageString><displayRule>true</displayRule></item></desktopMessaging>
    			<rules>
    			</rules>
    		</DataControl>
    		<DeviceControlManager><settings>
    				<alertOnly>true</alertOnly><desktopMessage></desktopMessage><enabled>true</enabled></settings>
    			<rules>
    				<item itemName="device1" inherits="false"><value>removableStorage</value><category>storage</category><access>block</access><exemptions></exemptions></item><item itemName="device2" inherits="false"><value>opticalDrive</value><category>storage</category><access>readOnly</access><exemptions></exemptions></item><item itemName="device3" inherits="false"><value>floppyDrive</value><category>storage</category><access>readOnly</access><exemptions></exemptions></item><item itemName="device4" inherits="false"><value>encryptedStorage</value><category>storage</category><access>block</access><exemptions></exemptions></item><item itemName="device5" inherits="false"><value>modem</value><category>network</category><access>allowed</access><exemptions></exemptions></item><item itemName="device6" inherits="false"><value>wireless</value><category>network</category><access>allowed</access><exemptions></exemptions></item><item itemName="device7" inherits="false"><value>bluetooth</value><category>shortRange</category><access>allowed</access><exemptions></exemptions></item><item itemName="device8" inherits="false"><value>infrared</value><category>shortRange</category><access>allowed</access><exemptions></exemptions></item><item itemName="device9" inherits="false"><value>mtp</value><category>media</category><access>allowed</access><exemptions></exemptions></item></rules>
    		</DeviceControlManager>
    		<TamperProtectionManagement><settings>
    				<enabled>true</enabled><password>C41A647318F99198F14F624BCAE3C9C77E039C23</password></settings>
    		</TamperProtectionManagement>
    		<ApplicationManagement>
    			<Detection>
    				<enabled>false</enabled>
    				<detected></detected>
    			</Detection>
    			<AutoExclusions>
    				<enabled>false</enabled>
    				<onAccess>
    					<fileAndFolder></fileAndFolder>
    					<process></process>
    				</onAccess>
    				<onDemand>
    					<fileAndFolder></fileAndFolder>
    				</onDemand>
    			</AutoExclusions>
    		</ApplicationManagement>
    		<VEManager>
    			<settings>
    				<cloud>
    					<saviOptions><item itemName="SXLServerList"><name>SXLServerList</name><value>000102030405060708</value></item></saviOptions>
    				</cloud>
    				<scanner><saviOptions><item itemName="SXLDetectionLookups"><name>SXLDetectionLookups</name><value>1</value></item><item itemName="SampleSubmit"><name>SampleSubmit</name><value>0</value></item></saviOptions>
    					<onDemandSxlLookups>true</onDemandSxlLookups></scanner>
    			</settings>
    		</VEManager>
    	</components>
    	<TDE>
    		<processors>
    			<VEAdapter>
    				<settings>
    					<saviOptions/>
    				</settings>
    			</VEAdapter>
    		</processors>
    	</TDE>
    	<!--
            Global messaging settings
        -->
    	<notification>
    		<consumers>
    			<smtpConsumer>
    				<settings><server>
    						<authentication/>
    						<name>10.1.28.8</name></server>
    					<sender>sav@end.point</sender>
    					<replyTo></replyTo>
    					<from/>
    					<locale>1033</locale></settings>
    			</smtpConsumer>
    			<SNMPMessaging>
    				<settings><managerAddress></managerAddress><communityString></communityString><cleanCtrlChars>false</cleanCtrlChars></settings>
    			</SNMPMessaging>
    			<eeConsumer>
    				<settings>
    					<blackList/>
    					<whiteList/>
    				</settings>
    			</eeConsumer>
    		</consumers>
    	</notification>
    	<!--
        Product information
        -->
    	<productInfo>
    		<productName/>
    		<productStatus/><firstInstallDate year="2017" month="12" day="18" hour="10" minute="43" second="53"/><updateDate year="2019" month="9" day="18" hour="8" minute="26" second="31"/></productInfo>
    	<!--
            Quarantine manager
        -->
    	<quarantineManager>
    		<actions>
    			<user/>
    			<powerUser/>
    			<administrator/>
    		</actions><authorisedList policy="0"><item>NirCmd</item><item>RemCom</item></authorisedList>
    		<authorisedFileList policy="0" xml:space="preserve"/>
    	</quarantineManager>
    	<!--
            Authorisation list manager
        -->
    	<authorisationListManager><authorisedAppCList policy="0"/>
    		<blockedAppCList policy="0"><item>iTunes</item><item>Winamp</item></blockedAppCList>
    		<blockedAppCCategoryList policy="0"/>
    	</authorisationListManager>
    	<!--
            Concrete on-demand scan configurations
        -->
    	<scanJobs>
    		<!--
            Default scan - scan this computer
            -->
    		<!--
            Cleanup  scan - scan  computer with automatic cleanup for malware
            -->
    		<scan id="{20F676DB-F174-441E-A6D1-7395CF3A8FFC}" ScanType="SystemScan">
    			<displayInfo>
    				<description policy="0">
    					<object ind="0">
    						<item type="marker" ind="0">ResStr</item>
    						<item type="unsigned" ind="1">109</item>
    					</object>
    				</description>
    			</displayInfo>
    			<configuration>
    				<template>OnDemandScanTemplate</template>
    				<notification>
    					<consumers>
    						<item itemName="FileLog">
    							<settings>
    								<rotation/>
    								<filtering/>
    								<filename policy="0" dir="LOCAL_APPDATA">Sophos\Sophos Anti-Virus\logs\Cleanup scan.txt</filename>
    							</settings>
    						</item>
    						<item itemName="SmtpConsumer">
    							<settings>
    								<filtering/>
    								<messageFields>
    									<recipients/>
    								</messageFields>
    							</settings>
    						</item>
    					</consumers>
    				</notification>
    				<scanManager/>
    				<instanceManager/>
    				<TDE>
    					<processors>
    						<item itemName="SOCDecomposer">
    							<settings/>
    						</item>
    						<item itemName="RawFSDecomposer">
    							<settings/>
    						</item>
    						<item itemName="DriveDecomposer">
    							<settings/>
    						</item>
    						<item itemName="FileAttributeFilter">
    							<settings>
    								<attributeList/>
    							</settings>
    						</item>
    						<item itemName="ExtensionFilter">
    							<settings>
    								<extensionList/>
    							</settings>
    						</item>
    						<item itemName="ExclusionFilterProcessor">
    							<settings>
    								<exclusionList/>
    							</settings>
    						</item>
    						<item itemName="FSDecomposerProcessor">
    							<settings></settings>
    						</item>
    						<item itemName="ScanPreprocessor">
    							<!-- consider disabling cache processing for the cleanup scan -->
    							<settings></settings>
    						</item>
    						<item itemName="VEAdapter">
    							<settings>
    								<general>
    									<disinfect>true</disinfect>
    									<puaRemoval>false</puaRemoval>
    									<mcmRemoval>true</mcmRemoval>
    									<scanVdlArchives>false</scanVdlArchives>
    								</general>
    								<stopScan/>
    								<saviOptions>
    									<item itemName="PuaDetection">
    										<name>PuaDetection</name>
    										<value>1</value>
    									</item>
    									<item itemName="DetectSecondaries">
    										<name>DetectSecondaries</name>
    										<value>1</value>
    									</item>
    									<!-- Currently, the ThreatAccumulation option must be enabled in order
                                                to detect secondary PUA components
                                        -->
    									<item itemName="ThreatAccumulation">
    										<name>ThreatAccumulation</name>
    										<value>1</value>
    									</item>
    									<item itemName="ApplicationControl">
    										<name>ApplicationControl</name>
    										<value>0</value>
    									</item>
    								</saviOptions>
    							</settings>
    						</item>
    						<item itemName="FileOpProcessor">
    							<settings>
    								<move/>
    								<delete/>
    								<suspiciousFiles>
    									<move/>
    									<delete/>
    								</suspiciousFiles>
    							</settings>
    						</item>
    						<item itemName="ScanPostprocessor">
    							<settings></settings>
    						</item>
    					</processors>
    				</TDE>
    			</configuration>
    			<areas>
    				<object ind="0">
    					<item type="marker" ind="0">SOCollection</item>
    					<item type="unsigned" ind="1">5</item>
    					<object ind="2">
    						<item type="marker" ind="0">SKernel</item>
    						<item type="string" ind="1">Memory</item>
    					</object>
    					<object ind="3">
    						<item type="marker" ind="0">SMemory</item>
    						<item type="string" ind="1">Memory</item>
    					</object>
    					<object ind="4">
    						<item type="marker" ind="0">SRegistry</item>
    						<item type="signed" ind="1">1</item>
    					</object>
    					<object ind="5">
    						<item type="marker" ind="0">SRawFS</item>
    						<item type="signed" ind="1">1</item>
    					</object>
    					<object ind="6">
    						<item type="marker" ind="0">SDrive</item>
    						<item type="signed" ind="1">3</item>
    						<item type="string" ind="2"/>
    						<!-- types : fixed_mbr, fixed_pbr & fixed -->
    						<item type="unsigned" ind="3">11</item>
    					</object>
    				</object>
    			</areas>
    		</scan><scan id="{8A9BFE72-17F5-46B2-8C53-2CE289A1057F}" ScanType="EnterpriseScan">
    			<displayInfo>
    				<description>
    					<object ind="0"><item type="marker" ind="0">CStr</item><item type="string" ind="1">Weekly Scan (WEDS 0100hrs)</item></object></description>
    			</displayInfo>
    			<configuration><template>OnDemandScanTemplate</template>
    				<notification>
    					<consumers>
    						<item itemName="FileLog">
    							<settings>
    								<rotation/>
    								<filtering/>
    								<filename dir="COMMON_APPDATA">\Sophos\Sophos Anti-Virus\logs\Weekly Scan (WEDS 0100hrs).txt</filename></settings>
    						</item>
    						<item itemName="SmtpConsumer">
    							<settings>
    								<filtering/>
    								<messageFields>
    									<recipients/>
    								</messageFields>
    							</settings>
    						</item>
    					</consumers>
    				</notification>
    				<scanManager/>
    				<instanceManager/>
    				<TDE>
    					<processors>
    						<item itemName="SOCDecomposer">
    							<settings/>
    						</item>
    						<item itemName="RawFSDecomposer">
    							<settings/>
    						</item>
    						<item itemName="DriveDecomposer">
    							<settings/>
    						</item>
    						<item itemName="FileAttributeFilter">
    							<settings>
    								<attributeList/>
    							</settings>
    						</item>
    						<item itemName="ExtensionFilter">
    							<settings>
    								<extensionList/>
    							</settings>
    						</item>
    						<item itemName="ExclusionFilterProcessor">
    							<settings>
    								<exclusionList/>
    							</settings>
    						</item>
    						<item itemName="FSDecomposerProcessor">
    							<settings></settings>
    						</item>
    						<item itemName="ScanPreprocessor">
    							<settings></settings>
    						</item>
    						<item itemName="VEAdapter">
    							<settings>
    								<general><disinfect>true</disinfect><puaRemoval>false</puaRemoval><mcmRemoval>true</mcmRemoval><scanVdlArchives>false</scanVdlArchives></general>
    								<stopScan/>
    								<saviOptions><item itemName="ApplicationControl"><name>ApplicationControl</name><value>0</value></item><item itemName="PuaDetection"><name>PuaDetection</name><value>1</value></item><item itemName="DetectSecondaries"><name>DetectSecondaries</name><value>1</value></item><item itemName="BehaviourSuspicious"><name>BehaviourSuspicious</name><value>1</value></item></saviOptions>
    							</settings>
    						</item>
    						<item itemName="FileOpProcessor">
    							<settings>
    								<suspiciousFiles><delete>false</delete><move>false</move></suspiciousFiles>
    								<delete>false</delete><move>false</move></settings>
    						</item>
    						<item itemName="ScanPostprocessor">
    							<settings></settings>
    						</item>
    					</processors>
    				</TDE>
    				<scanSettings><minimiseScanImpact>true</minimiseScanImpact></scanSettings></configuration>
    			<areas>
    				<object ind="0"><item type="marker" ind="0">SOCollection</item><item type="unsigned" ind="1">5</item><object ind="2"><item type="marker" ind="0">SKernel</item><item type="string" ind="1">Memory</item></object><object ind="3"><item type="marker" ind="0">SMemory</item><item type="string" ind="1">Memory</item></object><object ind="4"><item type="marker" ind="0">SRegistry</item><item type="signed" ind="1">1</item></object><object ind="5"><item type="marker" ind="0">SRawFS</item><item type="signed" ind="1">1</item></object><object ind="6"><item type="marker" ind="0">SDrive</item><item type="signed" ind="1">3</item><item type="string" ind="2"/><item type="unsigned" ind="3">11</item></object></object></areas>
    		</scan>
    		<scan id="{F86EBCD5-687E-40B1-800D-021062361F6C}" ScanType="SystemScan">
    			<displayInfo>
    				<description policy="0">
    					<object ind="0">
    						<item type="marker" ind="0">ResStr</item>
    						<item type="unsigned" ind="1">104</item>
    					</object>
    				</description>
    			</displayInfo>
    			<configuration><template>OnDemandScanTemplate</template>
    				<notification>
    					<consumers>
    						<item itemName="FileLog">
    							<settings>
    								<rotation/>
    								<filtering/>
    								<filename policy="0" dir="LOCAL_APPDATA">Sophos\Sophos Anti-Virus\logs\Scan my computer.txt</filename>
    							</settings>
    						</item>
    						<item itemName="SmtpConsumer">
    							<settings>
    								<filtering/>
    								<messageFields>
    									<recipients/>
    								</messageFields>
    							</settings>
    						</item>
    					</consumers>
    				</notification>
    				<scanManager/>
    				<instanceManager/>
    				<TDE>
    					<processors>
    						<item itemName="SOCDecomposer">
    							<settings/>
    						</item>
    						<item itemName="RawFSDecomposer">
    							<settings/>
    						</item>
    						<item itemName="DriveDecomposer">
    							<settings/>
    						</item>
    						<item itemName="FileAttributeFilter">
    							<settings>
    								<attributeList/>
    							</settings>
    						</item>
    						<item itemName="ExtensionFilter">
    							<settings>
    								<extensionList/>
    							</settings>
    						</item>
    						<item itemName="ExclusionFilterProcessor">
    							<settings>
    								<exclusionList/>
    							</settings>
    						</item>
    						<item itemName="FSDecomposerProcessor">
    							<settings></settings>
    						</item>
    						<item itemName="ScanPreprocessor">
    							<settings></settings>
    						</item>
    						<item itemName="VEAdapter">
    							<settings>
    								<general>
    									<disinfect>false</disinfect>
    									<mcmRemoval>false</mcmRemoval>
    								</general>
    								<stopScan/>
    								<saviOptions>
    									<item itemName="PuaDetection">
    										<name>PuaDetection</name>
    										<value>1</value>
    									</item>
    									<item itemName="DetectSecondaries">
    										<name>DetectSecondaries</name>
    										<value>1</value>
    									</item>
    									<!-- Currently, the ThreatAccumulation option must be enabled in order
                                                to detect secondary PUA components
                                        -->
    									<item itemName="ThreatAccumulation">
    										<name>ThreatAccumulation</name>
    										<value>1</value>
    									</item>
    									<item itemName="ApplicationControl"><name>ApplicationControl</name><value>0</value></item></saviOptions>
    							</settings>
    						</item>
    						<item itemName="FileOpProcessor">
    							<settings>
    								<move/>
    								<delete/>
    								<suspiciousFiles>
    									<move/>
    									<delete/>
    								</suspiciousFiles>
    							</settings>
    						</item>
    						<item itemName="ScanPostprocessor">
    							<settings></settings>
    						</item>
    					</processors>
    				</TDE>
    			</configuration>
    			<areas>
    				<object ind="0">
    					<item type="marker" ind="0">SOCollection</item>
    					<item type="unsigned" ind="1">5</item>
    					<object ind="2">
    						<item type="marker" ind="0">SKernel</item>
    						<item type="string" ind="1">Memory</item>
    					</object>
    					<object ind="3">
    						<item type="marker" ind="0">SMemory</item>
    						<item type="string" ind="1">Memory</item>
    					</object>
    					<object ind="4">
    						<item type="marker" ind="0">SRegistry</item>
    						<item type="signed" ind="1">1</item>
    					</object>
    					<object ind="5">
    						<item type="marker" ind="0">SRawFS</item>
    						<item type="signed" ind="1">1</item>
    					</object>
    					<object ind="6">
    						<item type="marker" ind="0">SDrive</item>
    						<item type="signed" ind="1">3</item>
    						<item type="string" ind="2"/>
    						<!-- types : fixed_mbr, fixed_pbr & fixed -->
    						<item type="unsigned" ind="3">11</item>
    					</object>
    				</object>
    			</areas>
    		</scan>
    	</scanJobs>
    	<!--
            Scan summaries
        -->
    	<scanSummaries policy="0"><summary id="{F86EBCD5-687E-40B1-800D-021062361F6C}">
    			<lastTimeRun year="2019" month="9" day="13" hour="7" minute="58" second="1"/>
    			<lastState>aborted</lastState>
    			<lastRunBy>S-1-5-21-1322713655-443559718-903097961-2994</lastRunBy>
    			<neutralisedThreats>0</neutralisedThreats>
    			<liveThreats>0</liveThreats>
    			<errors>0</errors>
    			<itemsChecked>1</itemsChecked>
    			<logFilename>C:\Users\Louis\AppData\Local\Sophos\Sophos Anti-Virus\logs\Scan my computer.txt</logFilename>
    			<goldenFiles>0</goldenFiles>
    			<threatsInGoldenFiles>0</threatsInGoldenFiles>
    		</summary><summary id="{8A9BFE72-17F5-46B2-8C53-2CE289A1057F}">
    			<lastTimeRun year="2019" month="9" day="18" hour="0" minute="48" second="30"/>
    			<lastState>completed</lastState>
    			<lastRunBy>S-1-5-18</lastRunBy>
    			<neutralisedThreats>0</neutralisedThreats>
    			<liveThreats>0</liveThreats>
    			<errors>9</errors>
    			<itemsChecked>612408</itemsChecked>
    			<logFilename>C:\ProgramData\Sophos\Sophos Anti-Virus\logs\Weekly Scan (WEDS 0100hrs).txt</logFilename>
    			<goldenFiles>0</goldenFiles>
    			<threatsInGoldenFiles>0</threatsInGoldenFiles>
    		</summary></scanSummaries>
    	<!--
            Scan templates
        -->
    	<scanTemplates>
    		<webScanning><notification>
    				<consumers>
    					<item itemName="DesktopConsumer">
    						<settings>
    							<filtering><item itemName="Virus">90</item><item itemName="Pua">90</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">101</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item></filtering>
    						</settings>
    					</item>
    				</consumers>
    			</notification>
    			<TDE>
    				<processors>
    					<item itemName="VEAdapter">
    						<settings>
    							<general/>
    							<stopScan/>
    							<saviOptions/>
    						</settings>
    					</item>
    					<item itemName="WebScanningOperations">
    						<settings>
    							<mimeTypeList/>
    							<mode>asOnAccess</mode></settings>
    					</item>
    				</processors>
    			</TDE>
    		</webScanning>
    		<onAccessScan><notification>
    				<consumers>
    					<item itemName="DesktopConsumer">
    						<settings>
    							<filtering><item itemName="Virus">90</item><item itemName="Pua">90</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">101</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item><item itemName="ApplicationControl">101</item></filtering>
    						</settings>
    					</item>
    					<item itemName="SmtpConsumer">
    						<settings>
    							<filtering><item itemName="Virus">90</item><item itemName="Pua">90</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">101</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item><item itemName="ApplicationControl">101</item></filtering>
    							<messageFields>
    								<recipients><item>itsupport@OURDOMAIN.ORG.UK</item></recipients>
    							</messageFields>
    						</settings>
    					</item>
    				</consumers>
    			</notification>
    			<TDE>
    				<processors>
    					<item itemName="DriverOperations">
    						<settings><running>true</running><onReadCheck>true</onReadCheck><onRenameCheck>true</onRenameCheck><onWriteCheck>true</onWriteCheck><allowBootSectorAccess>false</allowBootSectorAccess><appControlRunning>true</appControlRunning><blockControlledApps>false</blockControlledApps><checkAll>false</checkAll></settings>
    					</item>
    					<item itemName="DriverExtensions">
    						<settings>
    							<extensionList/>
    						</settings>
    					</item>
    					<item itemName="FileExclusions">
    						<settings>
    							<exclusionList><item>C:Windows\System32\RemComSvc.exe</item><item>C:\Windows\SysWOW64\RemComSvc.exe</item></exclusionList>
    						</settings>
    					</item>
    					<item itemName="DriveExclusions">
    						<settings>
    							<exclusionList/>
    						</settings>
    					</item>
    					<item itemName="ProcessExclusions">
    						<settings>
    							<exclusionList/>
    						</settings>
    					</item>
    					<item itemName="GeneralExclusions">
    						<settings>
    							<exclusionList/>
    						</settings>
    					</item>
    					<item itemName="UserExclusions">
    						<settings>
    							<exclusionList/>
    						</settings>
    					</item>
    					<item itemName="ScanPreprocessor">
    						<settings/>
    					</item>
    					<item itemName="VEAdapter">
    						<settings>
    							<general><disinfect>true</disinfect><puaRemoval>false</puaRemoval><mcmRemoval>true</mcmRemoval><scanVdlArchives>false</scanVdlArchives></general>
    							<stopScan/>
    							<saviOptions><item itemName="PuaDetection"><name>PuaDetection</name><value>1</value></item><item itemName="ApplicationControl"><name>ApplicationControl</name><value>1</value></item><item itemName="BehaviourSuspicious"><name>BehaviourSuspicious</name><value>0</value></item></saviOptions>
    						</settings>
    					</item>
    					<item itemName="FileOpProcessor">
    						<settings>
    							<suspiciousFiles><delete>false</delete><move>false</move></suspiciousFiles>
    							<delete>false</delete><move>false</move></settings>
    					</item>
    					<item itemName="ScanPostprocessor">
    						<settings/>
    					</item>
    				</processors>
    			</TDE>
    		</onAccessScan>
    		<onDemandScan><instanceManager/>
    			<notification>
    				<consumers>
    					<item itemName="FileLog">
    						<settings>
    							<rotation/>
    							<filtering/>
    						</settings>
    					</item>
    					<item itemName="SmtpConsumer">
    						<settings>
    							<filtering><item itemName="Virus">90</item><item itemName="Pua">90</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">101</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item></filtering>
    							<messageFields>
    								<recipients><item>itsupport@OURDOMAIN.ORG.UK</item></recipients>
    							</messageFields>
    						</settings>
    					</item>
    				</consumers>
    			</notification>
    			<TDE>
    				<processors>
    					<item itemName="SOCDecomposer">
    						<settings/>
    					</item>
    					<item itemName="RawFSDecomposer">
    						<settings/>
    					</item>
    					<item itemName="DriveDecomposer">
    						<settings/>
    					</item>
    					<item itemName="FileAttributeFilter">
    						<settings>
    							<attributeList/>
    						</settings>
    					</item>
    					<item itemName="ExtensionFilter">
    						<settings>
    							<extensionList/>
    							<extensionNone>true</extensionNone><scanAllFiles>false</scanAllFiles></settings>
    					</item>
    					<item itemName="ExclusionFilterProcessor">
    						<settings>
    							<exclusionList/>
    						</settings>
    					</item>
    					<item itemName="FSDecomposerProcessor">
    						<settings/>
    					</item>
    					<item itemName="ScanPreprocessor">
    						<settings></settings>
    					</item>
    					<item itemName="VEAdapter">
    						<settings>
    							<general/>
    							<stopScan/>
    							<saviOptions/>
    						</settings>
    					</item>
    					<item itemName="FileOpProcessor">
    						<settings>
    							<suspiciousFiles/>
    						</settings>
    					</item>
    					<item itemName="ScanPostprocessor">
    						<settings></settings>
    					</item>
    				</processors>
    			</TDE>
    		</onDemandScan>
    		<rightClickScan><instanceManager/>
    			<notification>
    				<consumers>
    					<item itemName="FileLog">
    						<settings>
    							<rotation/>
    							<filtering/>
    						</settings>
    					</item>
    					<item itemName="SmtpConsumer">
    						<settings>
    							<filtering><item itemName="Virus">90</item><item itemName="Pua">90</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">101</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item></filtering>
    							<messageFields>
    								<recipients><item>itsupport@OURDOMAIN.ORG.UK</item></recipients>
    							</messageFields>
    						</settings>
    					</item>
    				</consumers>
    			</notification>
    			<TDE>
    				<processors>
    					<item itemName="SOCDecomposer">
    						<settings/>
    					</item>
    					<item itemName="RawFSDecomposer">
    						<settings/>
    					</item>
    					<item itemName="DriveDecomposer">
    						<settings/>
    					</item>
    					<item itemName="FileAttributeFilter">
    						<settings>
    							<attributeList/>
    						</settings>
    					</item>
    					<item itemName="ExtensionFilter">
    						<settings>
    							<extensionList/>
    							<extensionNone>true</extensionNone></settings>
    					</item>
    					<item itemName="ExclusionFilterProcessor">
    						<settings>
    							<exclusionList/>
    						</settings>
    					</item>
    					<item itemName="FSDecomposerProcessor">
    						<settings/>
    					</item>
    					<item itemName="ScanPreprocessor">
    						<settings></settings>
    					</item>
    					<item itemName="VEAdapter">
    						<settings>
    							<general/>
    							<stopScan/>
    							<saviOptions/>
    						</settings>
    					</item>
    					<item itemName="FileOpProcessor">
    						<settings>
    							<suspiciousFiles/>
    						</settings>
    					</item>
    					<item itemName="ScanPostprocessor">
    						<settings></settings>
    					</item>
    				</processors>
    			</TDE>
    		</rightClickScan>
    		<sipsMessaging><notification>
    				<consumers>
    					<item itemName="DesktopConsumer">
    						<settings>
    							<filtering><item itemName="Virus">90</item><item itemName="Pua">101</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">90</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item></filtering>
    						</settings>
    					</item>
    					<item itemName="SmtpConsumer">
    						<settings>
    							<filtering><item itemName="Virus">90</item><item itemName="Pua">101</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">90</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item></filtering>
    							<messageFields>
    								<recipients><item>itsupport@OURDOMAIN.ORG.UK</item></recipients>
    							</messageFields>
    						</settings>
    					</item>
    				</consumers>
    			</notification>
    		</sipsMessaging>
    		<swiMessaging><notification>
    				<consumers>
    					<item itemName="DesktopConsumer">
    						<settings>
    							<filtering><item itemName="Virus">90</item><item itemName="Pua">90</item><item itemName="SuspiciousFile">90</item><item itemName="SuspiciousBehaviour">101</item><item itemName="Scanning">101</item><item itemName="OnAccess">101</item><item itemName="Update">101</item><item itemName="Configuration">101</item><item itemName="Other">101</item><item itemName="Debug">101</item></filtering>
    						</settings>
    					</item>
    				</consumers>
    			</notification>
    		</swiMessaging>
    		<dataControl><notification>
    				<consumers>
    					<item itemName="DesktopConsumer">
    						<settings>
    							<filtering><item itemName="DataControl">90</item></filtering>
    						</settings>
    					</item>
    					<item itemName="FileLog">
    						<settings>
    							<filtering/>
    						</settings>
    					</item>
    					<item itemName="SmtpConsumer">
    						<settings>
    							<filtering><item itemName="DataControl">101</item></filtering>
    							<messageFields>
    								<recipients/>
    							</messageFields>
    						</settings>
    					</item>
    				</consumers>
    			</notification>
    		</dataControl>
    		<deviceControl><notification>
    				<consumers>
    					<item itemName="DesktopConsumer">
    						<settings>
    							<filtering><item itemName="DeviceControl">101</item></filtering>
    						</settings>
    					</item>
    					<item itemName="FileLog">
    						<settings>
    							<filtering/>
    						</settings>
    					</item>
    					<item itemName="SmtpConsumer">
    						<settings>
    							<filtering><item itemName="DeviceControl">101</item></filtering>
    							<messageFields>
    								<recipients><item>Louis@OURDOMAIN.ORG.UK</item></recipients>
    							</messageFields>
    						</settings>
    					</item>
    				</consumers>
    			</notification>
    		</deviceControl>
    		<tamperProtection>
    			<notification>
    				<consumers>
    					<item itemName="FileLog">
    						<settings>
    							<filtering/>
    						</settings>
    					</item>
    				</consumers>
    			</notification>
    		</tamperProtection>
    	</scanTemplates>
    	<UserDefinedMessage><messageText>Abnormal activity has been detected on this computer.
    Please contact IT Support on 01604 797040.</messageText><messageTextAppC></messageTextAppC></UserDefinedMessage>
    	<disabledDeviceListManager>
    		<disabledDevices/><alertOnlyDevices/>
    	</disabledDeviceListManager>
    	<deviceControlManager>
    		<wirelessConnections/>
    		<storageDevices/>
    		<mediaDevices/>
    		<whiteList/>
    		<compositeDeviceParentList/>
    	</deviceControlManager>
    </configuration>
    

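    The on-access exclusion list in the machine.xml above can be checked mechanically before assuming the policy push is at fault. The following is an added example, not code from the thread or from Sophos: it parses a constructed fragment mirroring the FileExclusions entries posted above and flags any entry whose drive letter is not followed by a backslash, since `C:Windows\...` is a drive-relative path and does not denote `C:\Windows\...`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the on-access FileExclusions item in the
# machine.xml posted above (only that part of the file is reproduced here).
SAMPLE_MACHINE_XML = """<configuration>
  <scanTemplates>
    <onAccessScan>
      <TDE>
        <processors>
          <item itemName="FileExclusions">
            <settings>
              <exclusionList>
                <item>C:Windows\\System32\\RemComSvc.exe</item>
                <item>C:\\Windows\\SysWOW64\\RemComSvc.exe</item>
              </exclusionList>
            </settings>
          </item>
        </processors>
      </TDE>
    </onAccessScan>
  </scanTemplates>
</configuration>
"""

# A drive letter and colon NOT followed by a backslash, e.g. "C:Windows\..."
# This is a drive-relative path in Windows, not the absolute path intended.
DRIVE_RELATIVE = re.compile(r"^[A-Za-z]:(?!\\)")


def file_exclusions(xml_text):
    """Return (scan_template, entry_text) for every FileExclusions entry."""
    root = ET.fromstring(xml_text)
    found = []
    for template in root.find("scanTemplates"):
        for item in template.iter("item"):
            if item.get("itemName") != "FileExclusions":
                continue
            for entry in item.findall("settings/exclusionList/item"):
                found.append((template.tag, entry.text))
    return found


def check_exclusions(xml_text):
    """Return (scan_template, entry, reason) for each suspicious exclusion."""
    problems = []
    for template, entry in file_exclusions(xml_text):
        text = (entry or "").strip()
        if not text:
            problems.append((template, entry, "empty entry"))
        elif DRIVE_RELATIVE.match(text):
            problems.append((template, text,
                             "drive-relative path: no '\\' after the drive colon"))
        elif text != entry:
            problems.append((template, entry, "leading/trailing whitespace"))
    return problems


if __name__ == "__main__":
    for template, entry, reason in check_exclusions(SAMPLE_MACHINE_XML):
        print(f"{template}: {entry!r}: {reason}")
```

    Run against a real machine.xml exported from an endpoint, the same check tells you whether the entry that reached the endpoint is the one you typed into the console.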
  • Hello Louis-M,

    as far as I can tell the machine.xml looks like it should.
    If, as I assume, this is from a computer that reported the detection I have no idea what could be the cause, especially as apparently the exclusion is in place. Exclusions and authorizations have no interrelation and are handled in quite different parts of the scanning workflow.

    As you have Scan for Adware and PUAs enabled - could you perhaps test with a "known reputable" PUA like psexec.exe?

    Christian 

  • From my testing with PsExec, sav32cli will still detect the PUA even if it has been excluded.  Scheduled scans will also detect Authorized PUAs in the local scan log but not report it back to SEC.  I'm able to open up PsExec without a detection however.

    I'd agree with Christian and say it's worth testing with a known reputable PUA such as PsExec.  It may also be worth checking if a toast notification detection comes up if you double click to open "C:\Windows\System32\RemComSvc.exe".

    You mentioned email alerts, do you also see these detections on Sophos Enterprise Console as an Adware or PUA detected alert? Since these emails are sent from the endpoint I'm wondering if something is being skipped here.

  • Hello MEric and Louis,

    sav32cli will still detect the PUA even if it has been excluded
    this is the expected behaviour. sav32cli.exe is stand-alone (once there was a self-contained version available); while it uses SAVXP's engine and detection data (libraries and IDEs), it doesn't take heed of SAVXP's settings, nor does it rely on the On-Access driver or SAVService.exe.

    Scheduled scans will also detect Authorized PUAs
    Correct. You get a message like File "C:\Program Files\PSTools\PsExec.exe" belongs to authorized adware or PUA 'PsExec', but you shouldn't get an alert or email. I suggested testing whether the behaviour with psexec.exe is the same (i.e. exclusion and authorization have seemingly no effect) or as intended.

    Christian

  • After taking the AV/HIPS scanning exceptions out (left the authorization for RemCom in), things seem to have calmed down. I'll monitor it until next Wednesday (weekly scan on Weds 0300hrs) and report back.
