
We are seeing IMG files not being scanned correctly.

This file came through as an IMG file. The user mounted it, and it contained an .exe malware file. Is it possible to make Sophos scan these, as they are currently not detecting it?


https://www.virustotal.com/gui/file/0b870bdee59bf37923b12c6fc93832c14620172ea2b010ad65c4f4cb40502e97/detection

  • New detection released via support. I do question why this was not caught using the "Machine learning".


    Thank you for contacting Sophos Technical Support.

    **Please note that this is an automated response. If you have any questions, require assistance or clarification on this analysis, please feel free to reply to this email quoting this case number in the subject line.**

    The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.

    • IMG-0031201900000E1.IMG.zip -- archive file
    • IMG-0031201900000E1.IMG -- archive file
    • IMG-00312019000E1.exe -- identity created/updated (New detection Troj/Spy-AWT)
  • Hello,

    Documentation regarding ML is vague, but I'd assume it's a counterpart to the regular scanning engine and the same rules apply w.r.t. what is scanned. As the Labs response shows, the .img file is an archive and scanning inside archives is not enabled (I think this setting is not available with Central), thus it and its contents aren't scanned. Once mounted, the contained .exe - provided it has been accessed; Explorer usually does it - should have been scanned. The response suggests that the regular engine could not detect it.

    The VT screenshot shows that Sophos ML had a detection on the .img at least 2h20' after submission, maybe from the start. There's also an entry for the contained .exe, which ML detects as well. If you still have the image and there is no Real-Time detection, then it might be because archives aren't scanned. A Scheduled Scan can be set to scan inside archives, but the "regular" detection might trigger before ML.

    As the automated response says (and I could have spared you the preceding babble), reply to the email with your question - a submission is a case like any other (more or less so; some tenacity might be required to get beyond the first level).

    Christian

  • Hi nhidalgo,

    As correctly pointed out by QC, the IMG file is a perfectly safe disc image file which cannot infect a machine on its own. Unless manual actions are taken on it, like mounting and execution [SAV blocks the execution immediately], there is no point having a detection on this file.

    What's of interest is the executable file inside it. If you extract the IMG using 7-Zip, the executable will immediately be quarantined before it could be executed. Hence it depends on the vendor how they want to tackle/detect/clean this particular IMG file.

    Thanks,

    Vikas