
Malware not detected - Trojan.Multi.GenAutorunWMI.a

Hello,

I'm not sure if this is a Sophos issue that cannot identify it, or if it is just a configuration issue.

I have been trying to find out how I can configure Sophos Central, for both workstations and servers, to identify and cure a malware named Trojan.Multi.GenAutorunWMI.a.

Most of the workstations and ALL servers were infected this week and I'm having to run another antimalware such as Kaspersky to remove it. Sophos seems never to identify it, but Kaspersky does. My concern about removing it with Kaspersky is that the devices can be infected again, since Sophos endpoint is not aware of it and blocking it.

The main symptom is high CPU consumption. A PowerShell process keeps running a script that consumes 100% CPU. Another symptom, which we are still not sure is related, is that some workstations and servers (both physical and virtualized servers) suddenly restart for no reason.

If anyone is experiencing this issue and could share any remediation, I'll be thankful.

Thanks!
[locked by: FloSupport at 5:21 PM (GMT -7) on 4 Apr 2019]
  • Hi,

    Please submit a file sample to our labs team for analysis. 

    You may follow this KB for instructions on submission: Submitting samples of suspicious files to Sophos 

    Thanks,
    Karlos

    Karlos
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
  • There is no related file, since it is a system memory malware. At least, we were not able to find the source file.

    All I have is the print screen from the Kaspersky report I already sent to the support channel. I also sent evidence of the CPU consumption and issues. I hope to get a reply from the support team.

    Thanks,

  • Please provide me with your Support Case number so I can follow-up with your case. 

    Thanks,
    Karlos

  • Here it is [#7817363]

  • Thanks for that. I see that the case has been assigned and the engineer has reached out to you. Since the case owner is off for the day, please allow him until tomorrow to reply.

    Best,
    Karlos

  • Any news on this? This is urgent since almost all machines are infected.

    We need to know if Sophos will be able to handle it or if we need to move to another provider urgently!!!

    Thanks

  • Hi,

    I have just followed up with your case. The case owner is away today so it has been reassigned and the new case owner has already forwarded your case for review to our labs team for analysis.

    We appreciate your patience as we investigate this further.

    Thanks,
    Karlos

  • They requested some info, which I sent yesterday, but I haven't heard from them so far.

    They suggested trying to remove some things manually, but I need Sophos to cure all the machines and prevent them from being infected again with the malware. There's no reason to keep Sophos if it does not remove and prevent it. I need a transparent response on whether this is going to happen or not. I need to confirm if I can count on Sophos or move to another provider.

    Thanks!

  • Keep us posted on this case. Curious to know about the malware and Sophos' response.

  • Hello skyisbluescreen,

    Unfortunately the issue has not been solved yet. They have been requesting some information and I'm providing everything I can. They have been replying and seem to be working on it, which seems to be something good, but they are still not able to find the issue, and it seems they are not aware of the fileless malware type of infection, which is surely something to worry about.

    Sophos endpoint is still unable to detect the malware and we are having to remove it manually, one machine at a time. The issues with doing this are:

    1- that's a huge effort to locate and remove the malware on each machine. I was able to detect which IPs the scripts are trying to connect to, so I was able to block them on the firewall and track them in the logs, so I can detect which machines are infected. I'm currently using Kaspersky Virus Removal Tool (free software), since it can detect and remove it.

    2- not sure yet, but I'm afraid the machines can get infected again after being cured, since Sophos is not detecting it.
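One check a defender can run on a suspect host while waiting on the vendor, added here as an example and not code from any poster in this thread: enumerate the permanent WMI event subscriptions that the "AutorunWMI" detection name points at (filter, consumer and the binding that joins them) and flag consumers whose payload launches PowerShell or decodes an encoded command. The keyword list is an assumed heuristic, not a signature, and the function name is mine.

```powershell
# Added example: inventory WMI permanent event subscriptions in root/subscription.
# Run in an elevated PowerShell session on the host being examined.
$ns = 'root/subscription'
# Assumed heuristic: strings commonly seen in PowerShell-based fileless consumers
$suspiciousPatterns = @('powershell', '-enc', 'frombase64string', 'iex', 'invoke-expression', 'downloadstring')

function Get-WmiPersistenceReport {
    # A binding links one __EventFilter (the trigger) to one __EventConsumer (the action)
    $bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter   -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue

    foreach ($b in $bindings) {
        # Filter/Consumer are CIM references carrying the Name key of the linked instance
        $filter   = $filters   | Where-Object Name -eq $b.Filter.Name
        $consumer = $consumers | Where-Object Name -eq $b.Consumer.Name

        # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer runs inline script
        $payload = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate }
                   elseif ($consumer.ScriptText)      { $consumer.ScriptText }
                   else                               { '' }

        $hit = $suspiciousPatterns | Where-Object { $payload -match [regex]::Escape($_) } | Select-Object -First 1

        [pscustomobject]@{
            Filter       = $filter.Name
            Query        = $filter.Query            # the WQL trigger, e.g. a timer or process-start event
            ConsumerType = $consumer.CimClass.CimClassName
            Consumer     = $consumer.Name
            Payload      = $payload
            Suspicious   = [bool]$hit
        }
    }
}

# Show every subscription; review each one, Suspicious or not, against what you expect on the host
Get-WmiPersistenceReport | Format-List
```

A subscription confirmed as malicious can be cleared by piping its binding, filter and consumer instances to Remove-CimInstance, and the same report run afterwards shows whether it has been recreated.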