OneNote false positives in Google Drive File Stream files stored locally on machines being detected

I have been having an issue with OneNote files being detected as false positives, and to prevent half of the detections from happening, I excluded all OneNote files with the file extensions *.onepkg and *.one.backupconsctruction globally, regardless of the path.

What is happening now is that these files are still getting removed in Google Drive File Stream paths in Windows. These haven't been excluded because the Google backup files don't have file extensions, so they are not recognized by my whitelist/exclusion. Here is an example:

Manual malware cleanup required: 'Mal/OneBad-A' at 'C:\Users\Jerome_Powell\AppData\Local\Google\DriveFS\118151419556526923308\content_cache\d14\d23\35055'

How can I solve this issue?



Added TAGs
[edited by: Gladys at 7:18 AM (GMT -7) on 16 May 2023]
Hi Marvin,

Thanks for reaching out to the Sophos Community Forum.

Do you know if the same file is being detected again and again? If so, I'd suggest trying to send in a sample of the file so that Sophos Labs can reclassify it.
- Submit a Sample

If the detections continue to change, you may want to consider adding a path exclusion for Google Drive File Stream. I'd suggest creating such an exclusion only for the specific devices that require it.

Cached items from Google Drive may be compressed and in different formats than the original content downloaded, opening up the possibility of false positives due to the malformed data. Sending a sample submission would be the best way to verify if files are malicious or FPs.

Kushal Lakhan
Team Lead, Global Community Support
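The reason the global extension exclusion never fires here is that the DriveFS content_cache entry has no extension at all, so only a pattern matched against the full path can cover it. The following added illustration (not code from the thread or from Sophos, and using generic glob syntax rather than the product's own exclusion format) parses the alert line quoted in the question, shows that the poster's `*.onepkg`-style rules miss it, and shows a path-scoped pattern that would cover the cache directory without excluding OneNote files everywhere; the path pattern is a constructed example.

```python
"""Why an extension-based exclusion misses Google Drive File Stream cache
files, and what a path-scoped exclusion for the cache looks like instead.
Added illustration: rule syntax is plain glob matching, not Sophos's format."""
import fnmatch
import re
from pathlib import PureWindowsPath

# The alert exactly as quoted in the question (real log line from the post).
ALERT = ("Manual malware cleanup required: 'Mal/OneBad-A' at "
         r"'C:\Users\Jerome_Powell\AppData\Local\Google\DriveFS\118151419556526923308"
         r"\content_cache\d14\d23\35055'")

# The poster's global, path-independent extension exclusions.
EXTENSION_EXCLUSIONS = ["*.onepkg", "*.one.backupconsctruction"]

# A constructed path-scoped exclusion covering only the DriveFS content cache
# under any user profile (hypothetical pattern, for illustration).
DRIVEFS_CACHE_EXCLUSION = r"C:\Users\*\AppData\Local\Google\DriveFS\*\content_cache\*"

ALERT_RE = re.compile(r"'(?P<threat>[^']+)' at '(?P<path>[^']+)'")


def parse_alert(line):
    """Return (threat_name, path) from a 'Manual malware cleanup required' line."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("unrecognised alert format: %r" % line)
    return m.group("threat"), m.group("path")


def matches(path, pattern):
    """Case-insensitive glob match (Windows paths are case-insensitive).

    A pattern with no path separator is a file-name pattern, like the global
    *.onepkg exclusion in the question, and is matched against the file name
    only; a pattern containing separators is matched against the full path.
    """
    p = path.lower().replace("/", "\\")
    pat = pattern.lower().replace("/", "\\")
    if "\\" not in pat:
        return fnmatch.fnmatchcase(PureWindowsPath(p).name, pat)
    return fnmatch.fnmatchcase(p, pat)


def first_matching_exclusion(path, exclusions):
    """Return the first exclusion pattern covering `path`, or None."""
    for pattern in exclusions:
        if matches(path, pattern):
            return pattern
    return None


def has_extension(path):
    """True when the file name carries an extension the extension rules could see."""
    return PureWindowsPath(path).suffix != ""


if __name__ == "__main__":
    threat, path = parse_alert(ALERT)
    print("threat:", threat)
    print("path:  ", path)
    print("has extension:", has_extension(path))
    print("covered by extension exclusions:",
          first_matching_exclusion(path, EXTENSION_EXCLUSIONS))
    print("covered with path exclusion added:",
          first_matching_exclusion(path, EXTENSION_EXCLUSIONS + [DRIVEFS_CACHE_EXCLUSION]))
```

The split between file-name patterns and full-path patterns mirrors the two choices in the thread: the extension rules apply everywhere but see nothing to match on an extensionless cache file, while the path pattern is narrow enough to be deployed only to the devices that run Drive File Stream.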