
Mal/Generic-S in Temp folder

Hello,

Since this morning, every time I restart the PC, I get the message that there is an executable in the Temp folder that was detected as malware. The first time it could not be removed, but when I checked it was no longer there anyway. The other times it said it could remove the threat successfully.

The detections are Mal/Generic-S.
They are found in the Windows temp directory and look like this (the names change every time):

C:\Windows\Temp\0f62aff2-c963-2b81-c015-e65dbe0fc858\f572f226-cf75-148b-2c52-bacb5a2fc3c8.exe

A full scan of the system after removal has revealed no additional threats.

Should I be concerned?
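As an added illustration (not part of the original post or any Sophos tooling), this script flags the file layout described above: a GUID-named folder directly under C:\Windows\Temp containing a GUID-named .exe. Because the names change on every boot, it matches the shape of the path rather than any specific value; the sample path list is constructed for the demo apart from the first entry, which is the one quoted in the post.

```python
import re
from pathlib import Path
from typing import Iterable, List

# Shape of the detections quoted in the post: <GUID folder>\<GUID>.exe under
# C:\Windows\Temp. The GUIDs differ each time, so only the structure is matched.
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
TEMP_GUID_EXE = re.compile(
    r"^[A-Za-z]:\\Windows\\Temp\\(?P<folder>" + GUID + r")\\(?P<file>" + GUID + r")\.exe$",
    re.IGNORECASE,
)


def find_temp_guid_executables(paths: Iterable[str]) -> List[str]:
    """Return every path that has the GUID-folder / GUID-exe layout under Windows\\Temp."""
    return [p for p in paths if TEMP_GUID_EXE.match(p.strip())]


def scan_windows_temp(root: str = r"C:\Windows\Temp") -> List[str]:
    """Walk a real Temp directory and return matching files (read-only, nothing is deleted).

    Intended to be run on the affected machine after an alert, to see whether a new
    copy has been dropped since the last reboot. Returns [] if the directory is absent.
    """
    base = Path(root)
    if not base.is_dir():
        return []
    candidates = (str(p) for p in base.glob("*/*.exe"))
    return find_temp_guid_executables(candidates)


# Constructed sample input: the first entry is the path quoted in the post,
# the rest are made-up benign paths that must not match.
SAMPLE_PATHS = [
    r"C:\Windows\Temp\0f62aff2-c963-2b81-c015-e65dbe0fc858\f572f226-cf75-148b-2c52-bacb5a2fc3c8.exe",
    r"C:\Windows\Temp\setup_log.txt",
    r"C:\Windows\Temp\0f62aff2-c963-2b81-c015-e65dbe0fc858\installer.exe",
    r"C:\Users\Alice\AppData\Local\Temp\f572f226-cf75-148b-2c52-bacb5a2fc3c8.exe",
]

if __name__ == "__main__":
    for hit in find_temp_guid_executables(SAMPLE_PATHS):
        print("suspicious:", hit)
```

The match list is a starting point for the Threat Analysis Center view mentioned later in the thread, not a verdict on its own; a legitimate installer can use the same layout, so the parent process and root cause still need checking.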



  • Hi

    May I know if you can still access the file path? Have you tried deleting the file manually? Also, in the central dashboard, under Threat Analysis centre you should be able to view more details about the detection and the root cause. Make sure all your systems are patched and protected.

    Shweta

    Community Support Engineer | Sophos Technical Support
    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.


  • Hello Shweta,

    The file path is gone. I deleted the folder, although it was already empty when I checked. There is actually a second detection now, this time. The first detection (Mal/Generic-S) comes from node.exe (primary reason "Nodejs"), but that has not occurred since Friday.

    Now I have a second one, C2/Generic-A, apparently Firefox is trying to connect to "de . withtls . net" which is classed as a high risk site by Sophos, containing exactly this malware. Apparently there is something wrong with this device, even though the full scan doesn't yield any results.

    UPDATE: I found an empty Firefox extension (no name, no text) that could not be removed. I cleaned Firefox, this removed the extension. However, there's another detection now "Generic PUA CK". This seems to be "Outbrowse".

    I reinstalled the PC.

  • Hi

    If a C2 detection alert has been triggered, this means that the Sophos Endpoint Security and Control product has detected communication with a suspect Command and Control site. For C2/Generic-A or C2/Generic-C, please refer to How to investigate C2/Generic-C Detection.

    Shweta
