
Unusual response to Sample Submission

Hello all,

yesterday I submitted samples of Mal/Generic-S detections. The overall circumstances suggested a not-too-complex and not-too-malicious threat. In the past, in such cases it took not more than a few hours for a specific detection to be written and released.
This time I got the following response to case #8482303:

According to Sophos Labs what is the reason for submission FP or FN?

Huh? Since when does a submission of Mal/Generic-S (the first option, that I always understood as "please do") imply that the reason is that I assume it is false (either FP or FN)? Furthermore - doesn't FN mean that I did not get a detection? Or does FN now encompass generic-instead-of-specific? Can you enlighten me [:)]?

Has the submission workflow been changed? I did receive the automated reply stating the usual: Our systems will analyze your sample(s) and return an automated response .... To my knowledge the samples have always been fed to the automaton. Perhaps they required release by a technician, but I can't remember any submission where the check hasn't been performed before I have been asked for further information or received a comment by a human on the files' nature.

I'm not complaining but the response, whether indeed a forwarded request by Labs or not, seems a little bit terse.

Christian



  • Hi Christian,

    The process is the same, looks like it was just a misunderstanding. What labs were basically asking was "Do you believe this detection is a False positive or not". I have highlighted to them that you hadn't mentioned it being a FP and were actually just highlighting that the cleanup had failed, then obviously your main concern was getting the files removed and therefore you do believe they are malicious.

    They are still looking at the files and you should get the normal automated response with the results once they have finished. Sorry for the confusion.

  • Hello PeterM,

    thanks for checking and assuring that the process hasn't changed.

    cleanup had failed
    indeed in the console it said Blocked, [partially removed - restart the computer], Cleaned Up, Threat no longer present in rapid succession (sometimes without the partially ...) in always different temporary locations. Once some of the files had been moved this stopped. Thus I submitted the samples in the hope that this "something" can be found that survived the cleanup (that had assumed it had killed the beast).

    They are still looking at the files
    As said, it normally takes just a few hours but I know it can take longer. Apparently there was some misunderstanding somewhere.

    Thanks for looking into it
    Christian 

  • Hello PeterM,

    you should get the normal automated response
    that I did not yet get (and items still only trigger Mal/Generic-S) - instead I got this followup:

    Date: Sun, 25 Nov 2018 19:30:38 +0000
    Please provide the requested information as per the last email.

    Apparently something's still not working as it's supposed to do.

    Christian

  • Hey  

    Apologies for this miscommunication, I've left a note in your support case to hopefully clear things up.

    Regards,


    Florentino
    Director, Global Community & Digital Support

  • Thanks, Flo

    For those interested in the final outcome: The Mal/Generic-S samples have been analyzed and detection for the RelevantKnowledge adware has been updated.

    Christian