Hopefully a simple question. Today I am seeing an alert for a malware detection for a customer, but the alert is just saying "Requires Attention", rather than something like manual cleanup required. Does this just mean I need to have a look at what has been detected and decide if it is OK or not, and then take whatever action I deem necessary?
The full alert is "Malware 'ATK/SecDump-A' detected in network location '\\rc-nas-01\backup01\it_office1\firstname.lastname@example.org\ICT_OFFICE1\Data\C\Users\adminone\Downloads\impacket-master\impacket-master\examples\secretsdump (2022_01_28 15_26_55 UTC).py' requires attention"
From investigations I can see that is something you probably wouldn't want on your network, but I'm just wondering why Sophos hasn't either cleaned it up automatically or has told me to manually clean it up. Could it be because there is a chance it is a tool that someone could make use of legitimately, for example a network manager trying to fix some problem or other?
I was able to locate some guidance on this in the following article. Let me know if this helps. - Information on Attack Tool Detection
It looks like you are correct that this could be a tool that a sysadmin may use for legitimate purposes, or for pentesting.
I'd also suggest checking if all of the devices in your environment have Sophos installed and running in a healthy state, as this could also be a remote detection based on the file path.