Service Request Ticket - # 42222

Service Request Information

CONTACT Name Hargreaves, David Contact Date Apr 06, 2011 09:50 AM
Department Humanities Division Phone 88764
Location Email hargred@wou.edu

SR INFO Type WOU #
Priority Equipment Type
Status Flagged
Description

Computer WOU # 20090316 Bldg/Room SSC
Service Tag Description Dell OptiPlex 960 SFF, Core2Duo, 3.0GHz, 6M, 1333FSB
Serial No. HFMBCK1 Location Going to PDR

CPU Intel Core 2 Duo E8400 (3.0GHz, 6M, VT, 1333MHz FSB)

OS Unknown Software Windows Vista Business 32bit downgraded to WIN XP Pro SP3, MS Office Pro Plus 2007 from P0071641

Wired NIC 00:24:E8:30:6A:DE


TECHS Submitted by Nicole Crane Contact ncrane10@wou.edu 88010
Primary Technician Contact bberkley@wou.edu 88955

Tracking

Entered by Date Memo
Brian Berkley Apr 15, 2011 11:20 AM
Status changed from (1) Pending to (5) Completed
Brian Berkley Apr 15, 2011 11:20 AM
****This is an email****
David,

Sophos has investigated the files and done some
changes to the definitions.

Could you attempt to run your program and let me
know the results?

Thanks,
Brian Berkley Apr 15, 2011 09:34 AM
****This is an email****
David,

Sophos has investigated the files and done some
changes to the definitions.

Could you attempt to run your program and let me
know the results?

Thanks,
Brian Berkley Apr 14, 2011 09:47 AM
Uploaded samples to Sophos
Brian Berkley Apr 07, 2011 09:27 AM
****This is an email****
I tried to exclude it from scanning locally on
the client.  I tried authorizing in the policy on
the EM Console server.  The only way to run this
application is to turn off on-access scanning,
launch the application, then turn on-access
scanning back on.

They aren't malicious, it's the Oxford English
Dictionary electronic version, and it was working
before Tuesday and had been working fine.  When
the app is launched, it expands compressed files
to the %SYSTEMROOT%\Temp directory.  Those
expanded files are triggering the Sus/UnkPack-C rule.

"C:\WINDOWS\Temp\~CRF0251.TMP" has been identified
as suspicious file of type 'Sus/UnkPack-C'.
If you are unsure whether the file can be
authorized, please send a sample to Sophos.

There are several ~CRF*.TMP files created, and
authorizing all of them in the EM Console doesn't
work.

When the faculty member is on campus, I will
collect some of the files and upload them.

Windows XP Pro SP3
Sophos is latest version 9.5.5
Brian Berkley Apr 07, 2011 09:26 AM
****This is an email****
Hello, Brian.

Thank you for contacting Sophos Technical Support.

If by "ignore", you mean that you tried to exclude
the files from scanning, that will not work for
suspicious detections, as this is HIPS
functionality (you can only exclude files from
on-access or scheduled scanning. To be clear,
non-HIPS detected files in these sections.). When
you tried to authorize the files, did you do so in
the Sophos client itself or in the anti-virus and
HIPS policy in the console? It could be that it
did not properly propagate from the policy to the
client, or then the local settings were soon
overwritten by the policy.

To that end, I would definitely suggest making the
change to a test policy and then applying said
policy to a test group where you put the affected
client, then also making the change locally, that
way you're sure that these settings are sticking.

What you should also do is send a sample of the
files in question to our labs for analysis, that
way we can confirm whether or not they're actually
malicious. Instructions in the KBA below:

http://www.sophos.com/support/knowledgebase/article/11490.html
Should you require further support, please provide
us with your Sophos license number.

Please also let me know the Sophos and operating
system versions.
Brian Berkley Apr 06, 2011 03:47 PM
Submitted ticket to Sophos support.
Nathan Higginbotham Apr 06, 2011 11:32 AM
Task reassigned to Brian Berkley.
Nathan Higginbotham Apr 06, 2011 11:32 AM
I cannot get Sophos to stop blocking this program.
It needs an exception but the program itself is
not the problem. It is the temp files the program
uses to run.
Nathan Higginbotham Apr 06, 2011 10:04 AM
Task reassigned to Nathan Higginbotham.
Nicole Crane Apr 06, 2011 09:54 AM
Please call him at 541-740-7997 to meet up with him.
Nicole Crane Apr 06, 2011 09:53 AM
Priority changed from (3) Priority to (2) High Priority.
Nicole Crane Apr 06, 2011 09:53 AM
Todor helped about a month and a half ago and he
added admin rights to fix the problem. Can we do
that again?
Nicole Crane Apr 06, 2011 09:50 AM
He had software that we came and loaded for him
because we had to get into admin access. It had
been working fine. Now when he clicks on the
desktop icon something pops up saying it's a
suspicious file and it won't allow him to use it.