SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

When a virus is detected in memory, there is no information in SEC about process.

In the local log file there is something like
Process "C:\Windows\SysWOW64\rundll32.exe" belongs to virus/spyware 'Troj/VundoMem-A'.
where (in this case) the complete command line is
"C:\Windows\System32\rundll32.exe" "C:\Users\<USER>\AppData\Roaming\sfc_os2.dll",NRQOR

When a virus is cleaned in memory there is information about the process ID:
Process "C:\Windows\SysWOW64\rundll32.exe:pid:0000085c" has been cleaned

With this information we located the process (we had taken the process list before cleaning) and found the complete command line.
That let us locate the sfc_os2.dll file, which Sophos did not detect as a virus at that moment.

I suggest two items:
- Log more information about the process when a virus is detected in memory (like the process ID and the complete command line)
- Show this information in SEC

1 vote
Anonymous shared this idea
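One way to automate the manual correlation the idea describes, as an added example (not code from the post or from Sophos): parse the two log line shapes quoted above, decode the hexadecimal PID, and look it up in a process snapshot (pid to command line) captured before clean-up, then pull the module path out of the rundll32 command line. The log lines are the ones quoted in the idea; the snapshot, the regular expressions and the function names are assumptions of this example.

```python
import re
from typing import Dict, List, Optional

# The two log line shapes quoted in the idea; the ":pid:" suffix is hexadecimal.
DETECT_RE = re.compile(r"Process \"(?P<path>[^\"]+)\" belongs to virus/spyware '(?P<threat>[^']+)'")
CLEANED_RE = re.compile(r'Process "(?P<path>.+?)(?::pid:(?P<pid>[0-9a-fA-F]+))?" has been cleaned')
# rundll32 is invoked as <module>,<entrypoint>; capture the module, quoted or not.
RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+(?:"([^"]+)"|([^\s,]+))\s*,', re.IGNORECASE)

def parse_line(line: str) -> Optional[dict]:
    """Return {path, threat, pid, cleaned} for a scanner line, else None."""
    m = DETECT_RE.search(line)
    if m:
        return {'path': m['path'], 'threat': m['threat'], 'pid': None, 'cleaned': False}
    m = CLEANED_RE.search(line)
    if m:  # the PID appears only on the 'has been cleaned' line, as hex
        pid = int(m['pid'], 16) if m['pid'] else None
        return {'path': m['path'], 'threat': None, 'pid': pid, 'cleaned': True}
    return None

def rundll32_module(cmdline: str) -> Optional[str]:
    """Return the DLL a rundll32 command line loads, or None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def correlate(lines: List[str], snapshot: Dict[int, str]) -> List[dict]:
    """Pair cleaned-with-PID lines with the pre-clean-up snapshot (pid -> cmdline)
    and the threat named earlier for the same exe. Exes match by basename, case-
    insensitively: a 32-bit command line can say System32 while the image path
    the scanner reports is SysWOW64 (WOW64 file-system redirection)."""
    threats: Dict[str, str] = {}
    found = []
    for line in lines:
        d = parse_line(line)
        if d is None:
            continue
        exe = d['path'].rsplit('\\', 1)[-1].lower()
        if not d['cleaned']:
            threats[exe] = d['threat']
        elif d['pid'] is not None:
            cmdline = snapshot.get(d['pid'])
            found.append({'pid': d['pid'], 'image': d['path'], 'threat': threats.get(exe),
                          'cmdline': cmdline, 'module': rundll32_module(cmdline) if cmdline else None})
    return found

# Constructed sample: the log lines from the idea and a pid -> command line
# snapshot of the kind an admin would capture before letting the scanner clean.
SAMPLE_LOG = ['Process "C:\\Windows\\SysWOW64\\rundll32.exe" belongs to virus/spyware \'Troj/VundoMem-A\'.',
              'Process "C:\\Windows\\SysWOW64\\rundll32.exe:pid:0000085c" has been cleaned']
SAMPLE_SNAPSHOT = {0x85c: r'"C:\Windows\System32\rundll32.exe" "C:\Users\<USER>\AppData\Roaming\sfc_os2.dll",NRQOR'}
```

`correlate(SAMPLE_LOG, SAMPLE_SNAPSHOT)` returns one record for PID 2140 (0x85c) naming Troj/VundoMem-A, the original command line and the sfc_os2.dll module path that the detection line alone never shows.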

0 comments
