The file tmp.edb may generate a detection on Windows Sophos Endpoints

  • Article number: 118310
  • Updated: 09 Oct 2013

Issue

The file 'tmp.edb' and other '.edb' files generate an unexpected detection, even though '.edb' is not included in the default on-access scanner extension list.

This alert may also occur when behavior monitoring is enabled.

Example

File "C:\Windows\security\database\tmp.edb" belongs to virus/spyware 'Mal/ZboCheMan-A'.

By the time the reported location is investigated, the file often no longer exists: it is a temporary database file that is removed once the operation that created it completes.

Locations reported:

%windir%\Security\Database
%windir%\SoftwareDistribution\Datastore\Logs

First seen in

Sophos Endpoint Security and Control 9.7

Cause

Windows security database files ('.edb') may be scanned as part of behavior monitoring, or in scenarios where the on-access scanner has to open the file to verify that its content is of the type the filename suffix claims. Because this check is driven by the file's content rather than its name, it can occur irrespective of the on-access scanned extensions list.

While such a file is in a transitional state (for example, still being written or rebuilt), its content can contain a structure that the on-access scanner interprets as malicious, which produces the detection shown above.
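To make the mechanism above concrete, here is an added Python model of an on-access scanner that verifies a '.edb' file's content against its suffix before trusting the extension list. This is illustrative code written for this article, not Sophos code or any description of the product's internals: the extension list, the set of type-checked suffixes, the decision rules and every sample file are constructed for the example. The one fact taken from outside the article is the on-disk layout of an ESE (JET Blue) database header, which begins with a 4-byte checksum followed by the signature 0x89ABCDEF stored little-endian at offset 4.

```python
import ntpath
import struct

# Added example (not Sophos code): models why a '.edb' file can be inspected by
# an on-access scanner even though 'edb' is absent from its extension list.
# ESE (JET Blue) database files begin with a 4-byte checksum followed by the
# signature 0x89ABCDEF, stored little-endian at offset 4.
ESE_SIGNATURE = 0x89ABCDEF
ESE_MIN_HEADER = 8  # bytes needed to read checksum + signature

# Hypothetical on-access extension list; the real list is product configuration.
SCANNED_EXTENSIONS = {"exe", "dll", "com", "scr", "bat", "cmd", "vbs", "js"}
# Hypothetical suffixes whose content is verified before the extension list is trusted.
TYPE_CHECKED_SUFFIXES = {"edb"}


def verify_ese_header(data: bytes) -> str:
    """Classify the leading bytes of a file that claims to be an ESE database.

    'verified'   - ESE signature present at offset 4
    'incomplete' - too short to hold a header (e.g. a tmp.edb that was just created)
    'mismatch'   - header-sized, but the signature is not ESE's (e.g. zero-filled
                   space reserved for a database that is still being rebuilt)
    """
    if len(data) < ESE_MIN_HEADER:
        return "incomplete"
    signature = struct.unpack_from("<I", data, 4)[0]
    return "verified" if signature == ESE_SIGNATURE else "mismatch"


def on_access_decision(path: str, data: bytes) -> tuple:
    """Return (full_scan, reason) for a file the scanner intercepts on access.

    Files with a listed extension are always scanned.  Files with a type-checked
    suffix are opened so their content can be matched against the suffix; when
    that check cannot be satisfied the file is escalated to a full content scan
    regardless of the extension list, which is where a transient byte pattern in
    a half-written database can match a signature.
    """
    ext = ntpath.splitext(path)[1].lower().lstrip(".")
    if ext in SCANNED_EXTENSIONS:
        return True, "extension is in the on-access list"
    if ext in TYPE_CHECKED_SUFFIXES:
        status = verify_ese_header(data)
        if status == "verified":
            return False, "content matches suffix and extension is not listed"
        return True, "type check " + status + ": escalated to full content scan"
    return False, "extension not listed and no type check applies"


def build_samples() -> list:
    """Constructed (label, path, content) triples covering the states a tmp.edb passes through."""
    complete = b"\x00" * 4 + struct.pack("<I", ESE_SIGNATURE) + b"\x00" * 56
    return [
        ("complete database", r"C:\Windows\security\database\tmp.edb", complete),
        ("just created, 3 bytes on disk", r"C:\Windows\security\database\tmp.edb", b"\x00" * 3),
        ("zero-filled, being rebuilt", r"C:\Windows\SoftwareDistribution\Datastore\Logs\tmp.edb", b"\x00" * 64),
        ("listed extension (constructed)", r"C:\Temp\installer.exe", b"MZ" + b"\x90" * 62),
        ("unlisted, no type check (constructed)", r"C:\Users\demo\notes.txt", b"hello"),
    ]


def classify_samples() -> list:
    """Run every sample through the decision and return (label, full_scan, reason)."""
    results = []
    for label, path, data in build_samples():
        full_scan, reason = on_access_decision(path, data)
        results.append((label, full_scan, reason))
    return results


if __name__ == "__main__":
    for label, full_scan, reason in classify_samples():
        print(f"{label:40s} scan={full_scan!s:5s} {reason}")
```

Only the two transitional '.edb' states are escalated to a full content scan; the completed database is left alone even though its suffix is not in the extension list. That is the window in which a detection such as the one in the example above can be raised against a file that has disappeared by the time anyone looks for it.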

What To Do

Microsoft has published an article detailing its recommended antivirus exclusions for these Windows database locations. We suggest adding these exclusions only when necessary, since every excluded path is a location the scanner will no longer inspect.

http://support.microsoft.com/kb/822158

 
If you need further help, contact Technical Support.
