Malware cleaned up: 'ML/PE-A' - Central Event Details link shows Status = Whitelisted

A colleague downloaded an MSI from TechNet yesterday - ConfigMgr Task Sequence Monitor. This appears to be a System Center tool. During install it triggered a Sophos detection and cleanup event in Central:

Malware cleaned up: 'ML/PE-A' at 'C:\Program Files (x86)\SMSAgent\ConfigMgr Task Sequence Monitor\ConfigMgr_TS_Monitor.exe'
Malware detected: 'ML/PE-A' at 'C:\Program Files (x86)\SMSAgent\ConfigMgr Task Sequence Monitor\ConfigMgr_TS_Monitor.exe'

If I click the Details link next to the "Cleaned Up" event in Central it pops up a GUI that shows the Status of this executable as "Whitelisted". I haven't whitelisted this EXE and a check of my allowed applications in Central confirms this. Is the Whitelisted status false or has Sophos added this EXE to their Global Allowed Applications list? How can I tell?

If I run the EXE through VirusTotal it comes back as clean for SophosAV & SophosML; 13 other engines see this as malicious! Is the SophosML engine on VirusTotal a good place to test files like this after the event logged in Central?

The SHA 256 is a21713eb0eed0f06c9025baf69b18cecbd53cd81b94982948b800a0bbf942fff

The EXE file hasn't been removed and is still showing in the directory on the client.

Regards

Andy.


