The file 'tmp.edb' and other '.edb' files generate an unexpected detection, even though the '.edb' extension is not included in the default on-access scanner extension list.
This alert may also occur when behavior monitoring is enabled.
File "C:\Windows\security\database\tmp.edb" belongs to virus/spyware 'Mal/ZboCheMan-A'.
When the location is investigated, the file often no longer exists.
First seen in Sophos Endpoint Security and Control 9.7
Windows security database files ('.edb') may be scanned as part of behavior monitoring, or in scenarios where the on-access scanner needs to verify that a file's actual type matches what its filename suffix states. This can occur irrespective of the on-access scanned extensions list.
While such a file is in a transitional state it can contain a structure that the on-access scanner may interpret as malicious; in this case the detection should be considered a false positive.
What To Do
Microsoft have created an article detailing their suggested exclusions; we recommend adding these only when necessary.
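As an added triage aid (example code, not part of this article or of Sophos's product), the snippet below parses alert lines in the format shown above and flags only those that fall within the documented false-positive scope: a '.edb' file directly under C:\Windows\security\database that has already disappeared. Everything else is left for normal investigation, so the scope of any exclusion stays narrow. The sample alert lines and the caller-supplied existence check are constructed for the example.

```python
import re
from typing import Callable

# Constructed sample alert lines in the format quoted in the article (not real telemetry).
SAMPLE_ALERTS = [
    'File "C:\\Windows\\security\\database\\tmp.edb" belongs to virus/spyware \'Mal/ZboCheMan-A\'.',
    'File "C:\\Users\\alice\\Downloads\\setup.exe" belongs to virus/spyware \'Mal/ZboCheMan-A\'.',
    'File "C:\\Windows\\security\\database\\edb.log" belongs to virus/spyware \'Mal/ZboCheMan-A\'.',
]

# Matches the alert text format: File "<path>" belongs to virus/spyware '<threat>'.
ALERT_RE = re.compile(
    r'^File "(?P<path>[^"]+)" belongs to virus/spyware \'(?P<threat>[^\']+)\'\.$'
)

# Scope of the documented false positive (compared case-insensitively).
SECURITY_DB_DIR = r"c:\windows\security\database"


def parse_alert(line: str) -> dict:
    """Extract the file path and threat name from one alert line."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised alert format: {line!r}")
    return {"path": m.group("path"), "threat": m.group("threat")}


def is_documented_fp_scope(path: str) -> bool:
    """True only for '.edb' files directly under the Windows security database directory."""
    directory, _, name = path.lower().rpartition("\\")
    return directory == SECURITY_DB_DIR and name.endswith(".edb")


def triage(line: str, file_exists: Callable[[str], bool]) -> str:
    """Return 'likely-false-positive', 'investigate' or 'not-in-scope' for one alert.

    file_exists is supplied by the caller (e.g. os.path.exists on the endpoint) so the
    logic can be exercised offline with a stub.
    """
    alert = parse_alert(line)
    if not is_documented_fp_scope(alert["path"]):
        return "not-in-scope"
    # A transient tmp.edb that has already vanished matches the article's description.
    if not file_exists(alert["path"]):
        return "likely-false-positive"
    # An .edb that is still present deserves a closer look before any exclusion is added.
    return "investigate"


if __name__ == "__main__":
    for alert_line in SAMPLE_ALERTS:
        print(triage(alert_line, lambda p: False), "<-", alert_line)
```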