SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.


When a virus is detected in memory, there is no information in SEC about the process.

In the local log file there is something like
Process "C:\Windows\SysWOW64\rundll32.exe" belongs to virus/spyware 'Troj/VundoMem-A'.
where (in this case) the complete command line is
"C:\Windows\System32\rundll32.exe" "C:\Users\<USER>\AppData\Roaming\sfc_os2.dll",NRQOR

When the virus is cleaned in memory there is information about the process ID:
Process "C:\Windows\SysWOW64\rundll32.exe:pid:0000085c" has been cleaned

With this information we located the process (we had taken a process list before cleaning) and found the complete command line.
That let us locate the sfc_os2.dll file, which Sophos did not detect as a virus at that moment.

I suggest two items:
- Log more information about the process when a virus is detected in memory (like the process ID and the complete command line)
- Show this information in SEC

1 vote

Anonymous shared this idea

    0 comments
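The triage the post describes by hand (take a process list before the clean-up, then use the logged process ID to find the full command line and the DLL it points at) can be scripted. The following is an added example, not Sophos code and not part of the original idea. It assumes the two log line formats are exactly as quoted above, that the value after ":pid:" is hexadecimal (0000085c is pid 2140), and that a process snapshot was exported beforehand (for instance from tasklist /v or Get-CimInstance Win32_Process). The snapshot and the "alice" user name are constructed sample data; the rule that a DLL loaded by rundll32 from a user-writable directory deserves a look is a heuristic added here, not something the post states.

```python
"""Correlate Sophos memory-detection log lines with a process snapshot.

Added example, not Sophos code. Assumptions: the two log formats are exactly
as quoted in the post; the pid after ':pid:' is hexadecimal; the snapshot
was taken (e.g. with tasklist /v or Get-CimInstance Win32_Process) before
cleaning removed the process.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Log line formats as quoted in the post (assumption: exact wording).
DETECT_RE = re.compile(
    r"""Process "(?P<image>[^"]+)" belongs to virus/spyware '(?P<threat>[^']+)'"""
)
CLEAN_RE = re.compile(
    r'Process "(?P<image>[^"]+):pid:(?P<pid>[0-9A-Fa-f]+)" has been cleaned'
)
# rundll32 takes the DLL as its first argument, quoted or not, then ",EntryPoint".
RUNDLL_ARG_RE = re.compile(r'rundll32\.exe"?\s+"?(?P<dll>[^",]+)"?\s*,')


@dataclass
class Detection:
    image: str                 # image path as logged
    threat: Optional[str]      # present only in the detection line
    pid: Optional[int]         # present only in the "has been cleaned" line


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str


def parse_line(line: str) -> Optional[Detection]:
    """Return a Detection for either log format, or None for other lines."""
    m = CLEAN_RE.search(line)
    if m:
        return Detection(m.group("image"), None, int(m.group("pid"), 16))
    m = DETECT_RE.search(line)
    if m:
        return Detection(m.group("image"), m.group("threat"), None)
    return None


def candidates(det: Detection, snapshot: List[Proc]) -> List[Proc]:
    """Processes the detection could refer to.

    With a pid the match is exact. Without one (the detection line) fall back
    to the image basename: the post shows the log saying SysWOW64\\rundll32.exe
    while the command line says System32\\rundll32.exe, so comparing full
    paths would miss the process.
    """
    if det.pid is not None:
        return [p for p in snapshot if p.pid == det.pid]
    name = ntpath.basename(det.image).lower()
    return [p for p in snapshot if ntpath.basename(p.image).lower() == name]


def rundll32_payload(cmdline: str) -> Optional[str]:
    """Path of the DLL a rundll32 command line loads, or None if not rundll32."""
    m = RUNDLL_ARG_RE.search(cmdline)
    return m.group("dll") if m else None


def in_user_writable_dir(path: str) -> bool:
    """Heuristic (assumption, not from the post): DLLs under a user profile
    or temp directory are worth collecting even if the scanner is silent."""
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or p.startswith("c:\\users\\")


# Constructed sample: the two lines from the post, and a snapshot holding one
# benign rundll32 (a Control Panel applet) plus the one the post describes.
# "alice" stands in for the anonymised <USER>.
LOG_LINES = [
    'Process "C:\\Windows\\SysWOW64\\rundll32.exe" belongs to virus/spyware \'Troj/VundoMem-A\'.',
    'Process "C:\\Windows\\SysWOW64\\rundll32.exe:pid:0000085c" has been cleaned',
]
SNAPSHOT = [
    Proc(0x3f0, "C:\\Windows\\System32\\rundll32.exe",
         "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
    Proc(0x85c, "C:\\Windows\\System32\\rundll32.exe",
         '"C:\\Windows\\System32\\rundll32.exe" "C:\\Users\\alice\\AppData\\Roaming\\sfc_os2.dll",NRQOR'),
    Proc(0x1a4, "C:\\Windows\\explorer.exe", "C:\\Windows\\explorer.exe"),
]


def triage(lines: List[str], snapshot: List[Proc]) -> List[dict]:
    """For each log line, list candidate processes, the DLL each loads and
    whether that DLL lives somewhere a user could have dropped it."""
    out = []
    for line in lines:
        det = parse_line(line)
        if det is None:
            continue
        for p in candidates(det, snapshot):
            dll = rundll32_payload(p.cmdline)
            out.append({"pid": p.pid, "threat": det.threat, "cmdline": p.cmdline,
                        "dll": dll,
                        "suspicious": bool(dll) and in_user_writable_dir(dll)})
    return out


if __name__ == "__main__":
    for row in triage(LOG_LINES, SNAPSHOT):
        print(row)
```

Without the pid, the detection line can only be matched by image name, which here yields two rundll32 processes and leaves the analyst to pick; with the pid from the clean-up line the match is exact, which is the gap the idea above asks Sophos to close by logging pid and command line at detection time.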
