The file tmp.edb may generate a detection on Windows Sophos Endpoints

  • Article ID: 118310
  • Rating: 16 customers rated this article 4.0 out of 6
  • Updated: 22 Dec 2014

Issue

The file 'tmp.edb' and other '.edb' files generate an unexpected detection, even though the '.edb' extension is not included in the default on-access scanner extension list.

This alert may also occur when behavior monitoring is enabled.

Example

File "C:\Windows\security\database\tmp.edb" belongs to virus/spyware 'Mal/ZboCheMan-A'.

When the location is investigated, the file often no longer exists.

Locations reported:

%windir%\Security\Database
%windir%\SoftwareDistribution\Datastore\Logs

First seen in

Sophos Endpoint Security and Control 9.7

Cause

Windows security database files ('.edb') may be scanned as part of behavior monitoring, or when the on-access scanner needs to verify that the file's actual type matches its filename suffix. This can occur irrespective of the on-access scanned extensions list.

These files can contain a structure that the on-access scanner may interpret as malicious while the file is in a transitional state. In this case the detection can be considered a false positive.
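As an added triage helper (not part of this article or Sophos' own tooling), the script below parses an alert line in the format quoted above, checks whether the reported path is one of the listed locations with an '.edb' suffix, and, if the file still exists, checks whether its header carries the ESE database signature. The signature value (0x89ABCDEF at offset 4) is taken from the ESE file format, not from this article, and the sample alert and header bytes are constructed.

```python
import re
import struct
from pathlib import PureWindowsPath

# Alert format as quoted in the article (assumed to be representative).
ALERT_RE = re.compile(r'File "(?P<path>[^"]+)" belongs to virus/spyware \'(?P<name>[^\']+)\'')

# Directories the article lists for this detection, with %windir% expanded.
KNOWN_DIRS = {
    PureWindowsPath(r"C:\Windows\Security\Database"),
    PureWindowsPath(r"C:\Windows\SoftwareDistribution\Datastore\Logs"),
}

# ESE (JET Blue) database header: bytes 4..7 hold the signature 0x89ABCDEF,
# little-endian. Assumption from the ESE format documentation, not the article.
ESE_SIGNATURE = 0x89ABCDEF

# Constructed sample input: the alert from the article and a minimal ESE header.
SAMPLE_ALERT = 'File "C:\\Windows\\security\\database\\tmp.edb" belongs to virus/spyware \'Mal/ZboCheMan-A\'.'
SAMPLE_ESE_HEADER = b"\x00\x00\x00\x00\xef\xcd\xab\x89" + b"\x00" * 8


def parse_alert(line):
    """Return {'path': PureWindowsPath, 'name': str} or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"path": PureWindowsPath(m["path"]), "name": m["name"]}


def is_ese_header(data):
    """True if the first 8 bytes carry the ESE database signature."""
    return len(data) >= 8 and struct.unpack_from("<I", data, 4)[0] == ESE_SIGNATURE


def triage(line, file_bytes=None):
    """Classify an alert as 'unparsed', 'file_gone', 'likely_false_positive' or 'review'.

    file_bytes is the current header of the reported file, or None if the file
    no longer exists (the usual case described in the article).
    """
    alert = parse_alert(line)
    if alert is None:
        return "unparsed"
    path = alert["path"]
    # PureWindowsPath compares case-insensitively, matching Windows semantics.
    expected_location = path.suffix.lower() == ".edb" and path.parent in KNOWN_DIRS
    if file_bytes is None:
        return "file_gone"
    if expected_location and is_ese_header(file_bytes):
        return "likely_false_positive"
    return "review"
```

A detection on a path outside the listed directories, or on a file whose header is not an ESE database, is left for manual review rather than assumed to be a false positive.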

What To Do

Microsoft has published an article detailing its suggested exclusions; we recommend adding these only when necessary.

http://support.microsoft.com/kb/822158

If you need more information or guidance, then please contact technical support.
