We'd love to hear about it! Click here to go to the product suggestion community
I recently downloaded the netgear ProSAFE utility to configure a new switch that was just purchased.
Upon trying to install it, Sophos Intercept X advises that it's intercepted an attack. The information provided was "Anti-VM" - I could provide more data as well if needed.
The intercept notification also advises that no malicious files were detected, and a scan of the file in question turns up clean.
So my questions are: What is an "anti-VM" detection and how serious is this? All scans come up clean - yet this has occurred - so should I be concerned and/or should this machine be nuked to be safe?
Hello Oli Mar
We've seen this kind of detection on a previous version of Exploit Prevention. When malware with Anti-VM techniques (so-called ‘vm-aware’ or ‘sandbox-aware’ malware) detects a virtual machine, it will refuse to run because it assumes it is running inside a malware analyst’s automated sandbox or honeypot – the malware will simply self-terminate to conceal its hostile intentions. The Anti-VM test usually probes for a guest-to-host communication port used by virtualization software.
A previous post described Anti-VM on HMP test tool
I'd like to know which Sophos product are you specifically using - is this on-premise or Sophos Central?
Also, if you can send us the C:\ProgramData\HitmanPro.Alert\Logs\sophos.log file, and let us know the timestamp when the detection occurred, so that we have more information on the detection.
In reply to DianneY:
On a fresh reinstall of the OS and downloading the same file I observed the same alert.
Mitigation Anti-VMTimestamp 2019-12-03T09:37:05Platform 10.0.17763/x64 v368 06_9ePID 6956Application C:\Users\[removed for privacy]\Downloads\ProSAFE_Plus_Utility 2.7.7\ProSAFE Plus Utility 2.7.7.exeCreated 2019-01-04T18:27:12Modified 2019-12-03T09:21:21Description Setup Launcher 2.7.7VMwareLoaded Modules-----------------------------------------------------------------------------00400000-004F2000 ProSAFE Plus Utility 2.7.7.exe (NETGEAR ), version: 2.7.7 75350000-7543F000 hmpalert.dll (SurfRight B.V.), version: 220.127.116.11610000000-101B4000 ISSetup.dll (Acresso Software Inc.), version: 16.0.43606BD0000-06C71000 ISRT.dll (Acresso Software Inc.), version: 16.0.43206D40000-06DC9000 _isres_0x0409.dll (Acresso Software Inc.), version: 16.0.328Process Trace1 C:\Users\[removed for privacy]\Downloads\ProSAFE_Plus_Utility 2.7.7\ProSAFE Plus Utility 2.7.7.exe 2 C:\Windows\explorer.exe 3 C:\Windows\System32\userinit.exe Thumbprint75d41ac877595bfe4d5aa74bdf74984244bf02bd831244568845a1a4b79d7253
In reply to Oli Mar:
Hello Oli Mar
Thanks for the information. Have you submitted a sample of the installer to Sophos Labs or are working with Support on this issue? If you are please DM me the ticket number so I can follow accordingly and post any updates.