Malware Infection - No Action

Hi,

I recently upgraded FSPM to 12.40 installed over Ubuntu 14.04.

All agents are composed of Windows systems both client and servers.

Now, there are multiple computers with infection such as Trojan:W97M/MaliciousMacro.GEN, Trojan-Downloader:W97M/Locky.I, etc.) which F-secure did not perform any action (quite alarming).

So, I revisited the settings and it has the ff. Action on infection:

1. Quarantine Automatically

2. Report Only

I did observed the behavior of this incident and I noticed that most of the workstations which F-secure did not do anything where found in client's mailbox.

I changed Report Only to Rename automatically. Will this ensure that F-secure will do something in case the default action is false? Can you guys share your best practice to ensure that F-secure will not ignore this kind of alerts moving forward.

Find more posts tagged with

Comments

Thoren

To follow-up, how can we ensure that the access to file be rejected even if the action is only report only? Most importantly that action was set to "None". Is this some sort of background process? is there any way to validate the claim?

Also, for the recommendation on the sample malware below, I set the action to "delete automatically" but still the same. I changed the settings under Manual scanning>Scanning Options>File Scanning>Actions,ADvanced>Actions table. (by the way, action on infection was set to Quarantine Automatically)

Do I have to do the same in Real-time Protection Settings?

MJ-perComp

First of all: evrything is fine.

An "infected system" and a file "found to contain malware" is not the same. From a server's point of view all files on the shares is "data" that it has to provide to a client, regardless of the filetype. The server itself is not infected.
If that malicious file is found in the servers "system" area, that is a different thing, be cause you would like to know how it got there.

Now your F-Secure reports a malware. That file containing the malware will be blocked by F-Secure, regardless of any Action-settings. So even "Report Only" will not allow access to that file.

Lets have a look at the actual infections you mentioned:

1) "Trojan:W97M/MaliciousMacro.GEN": it says Generic macro. The only option is to delete the Document containing that macro. There is no reliable way to remove the dangerous part.
2) "Trojan-Downloader:W97M/Locky.I": it Says Word97Macro (W97M) Locky. Again A Word Macro. Same thing appiles. Delete the file.

Why does F-Secure not do that automatically?
The rule is if an infected file is new (just written, scan on close) the file will be quarantined. If the file appears to be existing already only "report and deny access" will be performed.

F-Secure works out of the box. So best advise is "Do not touch the settings", understand the report and act accordingly.

my2ct