The file tmp.edb may generate a detection on Windows Sophos Endpoints

  • Article ID: 118310
  • Updated: 09 Oct 2013

Issue

The file 'tmp.edb' and other '.edb' files generate an unexpected detection, even though the '.edb' extension is not included in the default on-access scanner extension list.

This alert may also occur when behavior monitoring is enabled.

Example

File "C:\Windows\security\database\tmp.edb" belongs to virus/spyware 'Mal/ZboCheMan-A'.

When the location is investigated, the file often no longer exists.

Locations reported:

%windir%\Security\Database
%windir%\SoftwareDistribution\Datastore\Logs

First seen in

Sophos Endpoint Security and Control 9.7

Cause

Windows security database files ('.edb') may be scanned as part of behavior monitoring, or in scenarios where the on-access scanner needs to verify that the actual file type matches what the filename suffix states. This can occur irrespective of the on-access scanned extensions list.

These files can contain a structure that the on-access scanner may interpret as malicious while the file is in a transitional state.
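As an added triage helper (example code, not part of the Sophos article), the following Python parses an alert of the form shown above, expands %windir%, and checks whether the reported file is a '.edb' in one of the two listed locations; the alert strings, the default windir value and the optional file_exists callback are constructed for illustration.

```python
import re
import ntpath

# The two directories the article lists for this detection.
TRANSIENT_EDB_DIRS = (
    r"%windir%\Security\Database",
    r"%windir%\SoftwareDistribution\Datastore\Logs",
)

# Matches alert text of the form:  File "C:\...\tmp.edb" belongs to virus/spyware 'Name'.
ALERT_RE = re.compile(r"File \"(?P<path>[^\"]+)\" belongs to virus/spyware '(?P<name>[^']+)'")


def expand_windir(path, windir=r"C:\Windows"):
    """Expand %windir% (any case) so literal and variable forms compare equal."""
    return re.sub(r"%windir%", lambda _m: windir, path, flags=re.IGNORECASE)


def parse_alert(line):
    """Return (path, detection_name) from an alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    return (m.group("path"), m.group("name")) if m else None


def triage_edb_alert(line, windir=r"C:\Windows", file_exists=None):
    """Classify one alert line.

    file_exists is an optional callback (constructed here, e.g. os.path.exists on the
    endpoint) so the check can run offline; the article notes the file is often gone.
    """
    parsed = parse_alert(line)
    if parsed is None:
        return {"verdict": "unparsed", "path": None, "detection": None}
    path, name = parsed
    directory, filename = ntpath.split(expand_windir(path, windir).lower())
    ext = ntpath.splitext(filename)[1]
    in_known_dir = any(
        directory == expand_windir(d, windir).lower() for d in TRANSIENT_EDB_DIRS
    )
    still_present = bool(file_exists(path)) if file_exists else False
    if ext == ".edb" and in_known_dir:
        # Matches the documented pattern; a file that is still present can be sampled.
        verdict = "edb-present-submit-sample" if still_present else "likely-false-positive"
    else:
        verdict = "investigate"
    return {"verdict": verdict, "path": path, "detection": name,
            "known_location": in_known_dir, "present": still_present}
```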

What To Do

Microsoft has published an article detailing its suggested exclusions; we recommend adding these only when necessary.

http://support.microsoft.com/kb/822158

If you need further information or assistance, please contact technical support.
