Collecting samples blocked by on-access scanning

  • Article ID: 17327
  • Updated: 14 Jul 2014

When you try to submit a sample of a detected item, the on-access scanner intercepts the read and prevents the file from being sent. Errors such as 'access denied' or 'the file contains no data' are typical when this happens, because the scanner blocks or empties the read that the upload performs.

This article explains the process for submitting samples detected, and hence blocked, by the on-access (real-time) scanner.

Before collecting anything, check the malware description in the Sophos Threat Center. If the malware type is a 'W32 executable file virus', or the recovery instructions point to the instructions for disinfecting PE (portable executable) viruses, follow those instructions to disinfect the file instead: the detected file is a legitimate program that has been infected, not a malware file in its own right.

Applies to the following Sophos product(s) and version(s)

Sophos Anti-Virus for Windows 2000+
Sophos Anti-Virus for Mac OS X
Sophos Anti-Virus for Linux

Understand what scenario you have

The reason for obtaining the sample must be identified from one of the following scenarios:

If the detected file is believed to be a false positive

The sample should be sent to SophosLabs for analysis, where they can confirm the detection or remove it if it is a false positive. Take care when handling samples of detected malware, and check the Sophos Threat Center description first.

Use the steps below to obtain the sample for Windows, Mac, or Linux operating systems.

If the detected file is returning after cleanup

It is unlikely that a sample of this file is required. Use the Sophos Source of Infection tool to see what is dropping the file. This can be used to monitor a location for dropped files from local processes or remote computers.

The SmaRT guide is a great way to get help and understand what to do when dealing with malware - whether an administrator or an end-user.

If the detected file is failing to cleanup

If an error message is displayed when running cleanup, use the steps below to obtain the sample for Windows, Mac, or Linux operating systems.

How to obtain a file sample

The safest way to collect a file that requires investigation is to use the Sophos Anti-Virus scanner itself to move and rename it. Because the renamed file no longer carries its original extension and sits in a known location, the on-access exclusion needed for the upload can be narrow (the renamed file, or the renamed extension) instead of an exclusion on the original path or folder, which would leave that location unprotected.

Windows 2000 (and above)

  1. Open Sophos Endpoint Security and Control.
  2. Click 'Configure anti-virus and HIPS'
  3. Click 'Right-click scanning'
  4. Go to the 'Cleanup' tab
  5. Set the Viruses/spyware action to 'Move to:'
    • Defaults:
    • Windows Vista and above: C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED
    • Windows 2000/XP/2003: C:\Documents and settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED
  6. Press OK
  7. Go to the file concerned
  8. Right-click on the file and click 'Scan with Sophos Anti-Virus'
  9. Wait for the scan to finish.
  10. The file(s) can now be uploaded to the Sophos Labs sample submission site.

Note:

  • Detected files are moved to the INFECTED folder and their file extension is renamed so they cannot be launched accidentally. The folder is marked as hidden; you may need to make hidden items visible in Explorer to browse to it from the upload form.
  • Once the sample has been submitted successfully, restore the right-click scanning configuration to its original state.

Mac OS X 10.6 (and above)

  1. Open a Terminal
  2. Run the following command substituting the path to the detected file as required:
    sweep [path to file] [path to another file] -rename
  3. This will rename the detected file(s) with a .infected extension

Note: The on-access scanner will intercept the renamed file when you attempt to upload it via the Sophos website, so a temporary on-access scanning exclusion is required. Remove the exclusion again once the upload has completed.

  1. Click the Sophos Anti-Virus shield | Open Preferences | On-access Scanning | Excluded Items
  2. Click the '+' and browse to the renamed file(s) to add them to exclusion list
  3. The file(s) can now be uploaded to the Sophos Labs sample submission site.

Linux

These instructions assume that the Sophos Anti-Virus web interface has been installed and that the computer is using a desktop environment.

  1. Open a Terminal
  2. Run the following command substituting the path to the detected file as required
    savscan [path to file] [path to another file] -rename
  3. This will rename the detected file(s) with a .infected extension

Note: The on-access scanner will intercept the renamed file when you attempt to upload it via the Sophos website, so a temporary on-access scanning exclusion is required. The wildcard exclusion below matches every file with a .infected extension, wherever it is, so remove it again as soon as the upload has completed.

  1. In a web browser connect to http://localhost:8081
  2. Click 'Exclusions'.
  3. Provide the web interface username and password when prompted.
  4. Within the field 'Files or directories (with or without wildcards)' enter the following exclusion:
    *.infected
  5. The file(s) can now be uploaded to SophosLabs sample submission site.
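As an added example for the Mac and Linux procedures above (this script is not part of the Sophos article), the following POSIX shell script runs whichever Sophos command-line scanner is installed with -rename and then checks each renamed .infected file before upload: a file that cannot be read, or that reads back empty, is exactly what the 'access denied' and 'file contains no data' errors look like when the on-access exclusion has not yet been added. The function names and manifest format are this example's own; exit status 3 meaning 'something was detected' is savscan's convention, and sweep on the Mac is assumed to behave the same.

```shell
#!/bin/sh
# Added example, not Sophos code. Two helpers:
#   rename_detected PATH...  run savscan/sweep with -rename on the given paths
#   sample_manifest FILE...  print "<sha256>  <size>  <path>" per renamed file
# The sha256 values belong in the 'Incident details' field of the submission
# form so SophosLabs can match the description to the bytes they received.

# Runs the installed Sophos scanner with -rename. Returns the scanner's own
# exit status: 3 = at least one detection was renamed, 0 = nothing detected
# (assumption: sweep on Mac uses the same exit codes as savscan on Linux).
rename_detected() {
    if command -v savscan >/dev/null 2>&1; then
        savscan "$@" -rename
    elif command -v sweep >/dev/null 2>&1; then
        sweep "$@" -rename
    else
        echo "no savscan or sweep found on PATH" >&2
        return 2
    fi
}

# Verifies each renamed sample is actually readable and non-empty, i.e. that
# the on-access exclusion is in place, then prints a manifest line for it.
# Returns 1 if any file is still blocked or empty, 0 if all lines were printed.
sample_manifest() {
    rc=0
    for f in "$@"; do
        # A real read, not a permission test: on-access blocking makes the
        # open itself fail even though the file mode says it is readable.
        if ! size=$(wc -c < "$f" 2>/dev/null); then
            echo "UNREADABLE  $f  (still blocked by on-access scanning? add the exclusion)" >&2
            rc=1
            continue
        fi
        size=$(echo "$size" | tr -d ' ')   # macOS wc pads with spaces
        if [ "$size" -eq 0 ]; then
            echo "EMPTY       $f  (on-access scanner returned no data)" >&2
            rc=1
            continue
        fi
        # sha256sum on Linux, shasum on macOS
        if command -v sha256sum >/dev/null 2>&1; then
            sum=$(sha256sum "$f" | cut -d' ' -f1)
        else
            sum=$(shasum -a 256 "$f" | cut -d' ' -f1)
        fi
        echo "$sum  $size  $f"
    done
    return $rc
}

# Usage: ./collect_samples.sh /path/to/detected/file [...]
# Add the *.infected on-access exclusion after the rename step, then re-run
# sample_manifest on any file that was reported UNREADABLE or EMPTY.
if [ "$#" -gt 0 ]; then
    rename_detected "$@"
    status=$?
    if [ "$status" -ne 3 ]; then
        echo "scanner exited with status $status: no detections were renamed" >&2
        exit "$status"
    fi
    failed=0
    for p in "$@"; do
        for r in "$(dirname "$p")"/*.infected; do
            [ -e "$r" ] || continue
            sample_manifest "$r" || failed=1
        done
    done
    exit "$failed"
fi
```

Run it on the detected path(s) before adding the exclusion and the manifest step reports the files as unreadable; add the exclusion, re-run sample_manifest on the .infected files, and the printed hashes and sizes are what you paste into the form.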

Uploading sample file(s) via the Sophos website

The web submission channel uses HTTPS, so the sample and the form contents are encrypted in transit between your browser and Sophos.

  1. In a web browser go to https://secure2.sophos.com/en-us/support/contact-support/sample-submission.aspx and complete the form.
    Note: The more detail that is provided the quicker the Sophos Labs can complete the analysis of the file.
  2. Important: to avoid delays in responding to your sample, in the 'Step 2: Incident details' section under 'Why do you want to send this sample?' explain in as much detail as possible why the file is being submitted for analysis. Use the scenarios presented above as the starting point.
  3. Under 'Associated Log/Rule/Warning' enter the name of the detection, for example Mal/Generic-L
  4. At the bottom of the page click 'Next'.  'Step 3: Submit file' will now appear.
  5. Click 'Choose...' and browse to the moved file that is to be submitted.
  6. Click 'Upload another file' if required.
  7. Click 'Submit' to send the samples to the SophosLabs

What happens next?

If your submission was successfully received, you will initially get an auto-response reply with a unique case reference in the subject line. If SophosLabs have all of the information required (i.e., they fully understand the problem), they will review the request (e.g., to add or remove detection, or to enhance cleanup) and the file sample(s). Note: if you need to add more information or ask for an update, you can use the same web form as before, but make sure you include the case reference from the original auto-response email in all correspondence on the same issue.

If you need more information or guidance, then please contact technical support.
