
Repeat malware detections

We have a few PCs that keep getting malware detections (found in Logs & Reports - Events - Malware):

Malware detected: 'Mal/ExpJS-N' at 'C:\Windows\Temp\clamav-e53997a02cc79b0204dc0921a278adf0.tmp\javascript'

I looked at the SAV.txt log and found this, but it doesn't help:

20171019 101716 File "C:\Windows\Temp\clamav-edf03e1769c6330310059d94773538c2.tmp\javascript" belongs to virus/spyware 'Mal/ExpJS-N'.

Does anyone know how to determine why this keeps showing up as an alert?



  • Hello K_M,

    "why this keeps showing up as an alert"
    Perhaps because the contents of javascript suggest that it's a Blackhole component? "it doesn't help" - what kind of help do you expect? For a Mal/ detection SAV.txt should also contain the subsequent action.

    The name suggests that ClamAV might have put it there - is ClamAV installed on these machines?

    Christian 

  • Yes, we are running Sophos (AKA ClamAV):


    I expect more details than "Malware Detected".  Ideally it would have the source location identified.  Since ClamAV is Sophos, I doubt it is the source.  Probably the most annoying aspect to this whole mess is that this has been going on for over a month, but Sophos doesn't think malware detections are important and therefore no email is sent.  This makes it really hard to know what changed on the computer that might have caused this.

  • Hello K_M,

    I see, you're using Central Web Gateway, and yes, it's using ClamAV (I don't think though that ClamAV is Sophos or v.v.). Only Web Gateway or also Endpoint Protection?
    I'm afraid I have no idea how it's supposed to work, neither Central Admin nor the Agent and its malware scanning in particular. Sorry for chiming in. Have you considered opening a Support ticket?

    Christian

  • I have a support ticket open, but they don't call when they agree to.  Makes it hard to coordinate.  I was supposed to have a call today - nothing.  This seems to be their M.O. however as this has happened on a number of our tickets.  This is why I turned to the forums in the hopes that someone else had the same problem and could offer a resolution.

  • Hi K_M,

    Can you please clarify on how many machines you see these alerts?

    If the issue is reported on a single client repeatedly it could be some other process or file triggering the detection. (Note: a legitimate file can be flagged as malware if it is being used by some other suspicious file.) Further investigation would be required to isolate the actual threat.

    Or if it is seen on multiple clients there is a chance of a false positive which can be reported.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

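One way to apply the single-host versus multi-host triage from the reply above to the SAV.txt line format quoted earlier in this thread is to parse each machine's log and group detections by threat name and normalised path. The following Python is an added example written for this thread, not Sophos tooling: the hostnames, the zeroed ClamAV temp-dir hash, the user path and the `EXAMPLE/Test-A` threat name are constructed sample data, and the verdict rules are my reading of the reply, not a vendor procedure.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Matches the SAV.txt detection line format quoted in this thread:
# 20171019 101716 File "<path>" belongs to virus/spyware '<name>'.
LINE_RE = re.compile(
    r'^(?P<date>\d{8}) (?P<time>\d{6}) File "(?P<path>[^"]+)" '
    r"belongs to virus/spyware '(?P<name>[^']+)'\.$"
)

# The ClamAV temp directory carries a random 32-hex name per scan; collapse it
# so repeated hits on the same logical path group together.
TMP_RE = re.compile(r"clamav-[0-9a-f]{32}\.tmp", re.IGNORECASE)


def parse_line(line):
    """Return {'ts', 'path', 'name'} for a detection line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")
    return {"ts": ts, "path": TMP_RE.sub("clamav-<hash>.tmp", m["path"]), "name": m["name"]}


def summarize(logs_by_host):
    """logs_by_host maps hostname -> list of SAV.txt lines.

    Returns {(threat, path): {'hosts', 'count', 'median_gap_s', 'verdict'}}.
    Verdict rule (assumed, following the support reply): several hosts -> candidate
    false positive to report; one host repeating -> find the local process that
    keeps (re)creating the file; otherwise a single event.
    """
    hits = defaultdict(lambda: {"hosts": set(), "times": []})
    for host, lines in logs_by_host.items():
        for line in lines:
            rec = parse_line(line)
            if rec is None:
                continue
            key = (rec["name"], rec["path"])
            hits[key]["hosts"].add(host)
            hits[key]["times"].append(rec["ts"])

    summary = {}
    for key, h in hits.items():
        times = sorted(h["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(h["hosts"]) > 1:
            verdict = "multi-host: candidate false positive, submit sample to vendor"
        elif len(times) > 1:
            verdict = "single host, repeating: identify the process writing this path"
        else:
            verdict = "single event: check the action logged after the detection"
        summary[key] = {
            "hosts": sorted(h["hosts"]),
            "count": len(times),
            # A near-constant gap on one host points at a scheduled task or service.
            "median_gap_s": statistics.median(gaps) if gaps else None,
            "verdict": verdict,
        }
    return summary


# Constructed sample input: PC-01's two lines reuse the temp-dir hashes quoted in
# the thread; PC-02's zeroed hash and PC-03's EXAMPLE/Test-A detection are made up.
SAMPLE_LOGS = {
    "PC-01": [
        r"""20171019 101716 File "C:\Windows\Temp\clamav-edf03e1769c6330310059d94773538c2.tmp\javascript" belongs to virus/spyware 'Mal/ExpJS-N'.""",
        r"""20171019 121716 File "C:\Windows\Temp\clamav-e53997a02cc79b0204dc0921a278adf0.tmp\javascript" belongs to virus/spyware 'Mal/ExpJS-N'.""",
        "20171019 121720 Some unrelated SAV.txt line",
    ],
    "PC-02": [
        r"""20171019 101805 File "C:\Windows\Temp\clamav-00000000000000000000000000000000.tmp\javascript" belongs to virus/spyware 'Mal/ExpJS-N'.""",
    ],
    "PC-03": [
        r"""20171018 090000 File "C:\Users\kmtest\Downloads\setup.exe" belongs to virus/spyware 'EXAMPLE/Test-A'.""",
        r"""20171018 110000 File "C:\Users\kmtest\Downloads\setup.exe" belongs to virus/spyware 'EXAMPLE/Test-A'.""",
    ],
}


def demo():
    """Run the triage over the constructed sample and return the summary."""
    return summarize(SAMPLE_LOGS)


if __name__ == "__main__":
    for (name, path), info in demo().items():
        print(f"{name} @ {path}")
        print(f"  hosts={info['hosts']} count={info['count']} "
              f"median_gap_s={info['median_gap_s']} -> {info['verdict']}")
```

Feed it the SAV.txt from each affected machine (one list of lines per host) and the multi-host `Mal/ExpJS-N` group is what you would hand to support as a possible false positive, while a single-host group with a steady `median_gap_s` is worth matching against that machine's scheduled tasks and service start times to find what keeps dropping the file.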

  • It is showing up on quite a few machines.  I have tried running full scans from Central, but it doesn't seem to find anything.  However, it will eventually show up again in the history as a malware detection separate from the scan.

  • Hello Keith,

    We are talking with Labs about this. 

    As soon as there is an update, we shall let you know. 

    Thanks,

    Vikas

    GES 3 - Malware