The file tmp.edb may generate a detection on Windows Sophos Endpoints

  • Article ID: 118310
  • Rating: 14 customers rated this article 3.4 out of 6
  • Updated: 09 Oct 2013

Issue

The file 'tmp.edb' and other '.edb' files generate an unexpected detection, even though the '.edb' extension is not included in the default on-access scanner extension list.

This alert may also occur when behavior monitoring is enabled.

Example

File "C:\Windows\security\database\tmp.edb" belongs to virus/spyware 'Mal/ZboCheMan-A'.

When the location is investigated, the file often no longer exists.

Locations reported:

%windir%\Security\Database
%windir%\SoftwareDistribution\Datastore\Logs

First seen in

Sophos Endpoint Security and Control 9.7

Cause

Windows security database files ('.edb') may be scanned as part of behavior monitoring, or in scenarios where the on-access scanner needs to verify that the file's actual type matches its filename suffix. This can occur irrespective of the on-access scanned extensions list.

While such a file is in a transitional state (being written or rebuilt), it can contain a structure that the on-access scanner may interpret as malicious.
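The following triage helper is an added example and is not part of the Sophos article or any Sophos tooling. It parses alert lines in the format quoted under "Example" above, and flags a detection as a probable transient '.edb' false positive only when the path is a '.edb' file in one of the two locations the article reports and the file no longer exists at the time of investigation. It assumes %windir% is C:\Windows; the alert lines and the `exists` hook are constructed for offline use.

```python
import os
import re
from typing import Callable, Dict, List, Optional

# Alert format quoted in the article:
#   File "C:\path\file" belongs to virus/spyware 'Mal/Name-A'.
ALERT_RE = re.compile(
    r"File \"(?P<path>[^\"]+)\" belongs to virus/spyware '(?P<name>[^']+)'"
)

# Assumption: %windir% expands to C:\Windows on the endpoint being triaged.
WINDIR = r"C:\Windows"

# The two locations the article reports for transient .edb detections.
REPORTED_EDB_DIRS = [
    WINDIR + r"\Security\Database",
    WINDIR + r"\SoftwareDistribution\Datastore\Logs",
]

# Constructed sample alerts (not real telemetry); the first is the article's example.
SAMPLE_ALERTS = [
    "File \"C:\\Windows\\security\\database\\tmp.edb\" belongs to virus/spyware 'Mal/ZboCheMan-A'.",
    "File \"C:\\Windows\\SoftwareDistribution\\Datastore\\Logs\\tmp.edb\" belongs to virus/spyware 'Mal/ZboCheMan-A'.",
    "File \"C:\\Users\\Public\\invoice.exe\" belongs to virus/spyware 'Mal/ZboCheMan-A'.",
    "Scan completed.",  # not an alert line; ignored
]


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Extract path and detection name from one alert line, or None if it is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"path": m.group("path"), "name": m.group("name")}


def is_reported_edb_location(path: str) -> bool:
    """True if path is a .edb file directly inside one of the article's reported directories.

    Windows paths are case-insensitive, so compare in lower case.
    """
    p = path.lower()
    if not p.endswith(".edb"):
        return False
    directory = p.rsplit("\\", 1)[0] if "\\" in p else ""
    return any(directory == d.lower() for d in REPORTED_EDB_DIRS)


def triage(lines: List[str], exists: Callable[[str], bool] = os.path.exists) -> List[Dict[str, str]]:
    """Classify each alert line.

    likely-false-positive: .edb in a reported location and the file is already gone
                           (the transient state the article describes)
    verify:                .edb in a reported location but the file is still present;
                           confirm before excluding anything
    investigate:           not covered by the article; treat as a real detection
    """
    results = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        in_reported_dir = is_reported_edb_location(alert["path"])
        if in_reported_dir and not exists(alert["path"]):
            verdict = "likely-false-positive"
        elif in_reported_dir:
            verdict = "verify"
        else:
            verdict = "investigate"
        results.append({**alert, "verdict": verdict})
    return results


if __name__ == "__main__":
    # exists=lambda p: False simulates the "file no longer exists" case from the article.
    for r in triage(SAMPLE_ALERTS, exists=lambda p: False):
        print(f"{r['verdict']:22} {r['name']:18} {r['path']}")
```

Run it against exported alert lines on the affected endpoint (with the default `exists`) to separate the transient '.edb' cases from detections that need a real investigation; anything that comes back as `verify` or `investigate` should not be excluded on the strength of this article alone.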

What To Do

Microsoft has published an article detailing its suggested antivirus exclusions. We suggest that these exclusions are added only when necessary.

http://support.microsoft.com/kb/822158

If you need more information or guidance, then please contact technical support.
