Sophos detects suspicious behaviour when you install Windows XP SP3
Issue
Sophos detects suspicious behaviour during installation of Windows XP SP3 by an admin user.
This can occur if you run a full administrative network download from the Microsoft website or via Windows\Microsoft Update.
- For example, an install which is the full download from TechNet (windowsxp-kb936929-sp3-x86-enu_c81472f7eeea2eca421e116cd4c03e2300ebfde4.exe) and is run from a UNC network share.
- The detection is on C:\Windows\System32\svchost.exe and is reported as HIPS/FileMod-001
Sophos product and version
Sophos Anti-Virus for Windows 2000+, versions 7.3.x, 7.5.x, 7.6.x
Sophos Client Firewall 1.5.x
Sophos Control Center 2.0.1
Enterprise Console 3.0
Enterprise Console 3.1
Operating system
Windows XP Professional SP2
Technical Information
- XP SP3 has been released for general consumption, i.e. as part of Windows Update, from 6 May: http://support.microsoft.com/kb/322389/
- SophosLabs has received file submissions for svchost.exe, but it is a core Windows process and is not one for which whitelisting can or should be applied. The description for HIPS/FileMod-001 explains that installing or updating software (a service pack included) carries an increased likelihood of unwanted detections for HIPS/FileMod-001. For more information, see http://www.sophos.com/security/analyses/suspicious-behavior-and-files/hipsfilemod001.html.
What to do
For information on management of suspicious alerts, refer to knowledgebase article 23949
When installing software or service packs, Sophos's recommendations, including those in article 23949 above, are:
In a managed environment (Enterprise Console\Sophos Control Center)
- Using Enterprise Console, create a new policy which disables scanning for suspicious files and HIPS runtime behaviour analysis, and apply that policy only to the groups of XP SP2 computers being upgraded.
- Revert to regular scanning after completing the update.
- If installed, turn off Sophos Client Firewall (SCF) for the duration of the upgrade only.
In an unmanaged environment (i.e., standalone machines, or on networks which used a 'standalone installer package')
- Disable HIPS scanning from the Sophos Anti-Virus window:
- Configure on-access scanning > Options (tab) > Deselect 'Scan for suspicious files (HIPS)'.
- Click 'Apply' and 'OK'
- Configure HIPS runtime behavior analysis > Deselect 'Detect suspicious behavior'
- Click 'Apply' and 'OK'
- Revert to regular scanning options after completing the update.
- If installed, turn off Sophos Client Firewall (SCF) for the duration of upgrade only.
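Because the steps above temporarily switch off the suspicious-behaviour checks, it is worth confirming first that the installer you are about to run from the network share is the genuine one. The SP3 download named in the Issue section carries a 40-hex-digit suffix; the following Python script, added here as an example and not part of the original article or any Sophos tool, assumes that suffix is the file's SHA-1 (Microsoft's convention for these downloads) and refuses to pass a file whose contents do not hash to it. The sample "installer" files it creates are constructed for the demonstration.

```python
import hashlib
import ntpath
import os
import re
import tempfile

# Filename of the full XP SP3 download quoted in the article above. This example
# assumes the hex suffix after the underscore is the file's SHA-1.
SP3_FILENAME = "windowsxp-kb936929-sp3-x86-enu_c81472f7eeea2eca421e116cd4c03e2300ebfde4.exe"

# 40 hex digits between the last underscore and the .exe extension, any case.
_SUFFIX_RE = re.compile(r"_([0-9a-fA-F]{40})\.exe$", re.IGNORECASE)


def expected_sha1_from_name(path):
    """Return the SHA-1 embedded in the installer filename (lower-cased), or None.

    ntpath.basename is used so that UNC paths such as \\\\server\\share\\file.exe
    are handled correctly even when this runs on a non-Windows host.
    """
    m = _SUFFIX_RE.search(ntpath.basename(path))
    return m.group(1).lower() if m else None


def sha1_of_file(path, chunk_size=1024 * 1024):
    """Stream the file in chunks so a few-hundred-megabyte installer is not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path):
    """Return (ok, expected, actual).

    ok is False when the name carries no hash at all (nothing to check against)
    or when the file's contents do not hash to the embedded value.
    """
    expected = expected_sha1_from_name(path)
    if expected is None:
        return (False, None, None)
    actual = sha1_of_file(path)
    return (actual == expected, expected, actual)


def demo():
    """Constructed demonstration: a small fake 'installer' whose name carries its
    real SHA-1, and a tampered copy that keeps the name but not the contents.
    Returns (genuine_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as d:
        body = b"constructed sample bytes standing in for a service pack\n"
        name = "windowsxp-kb936929-sp3-x86-enu_%s.exe" % hashlib.sha1(body).hexdigest()

        good = os.path.join(d, name)
        with open(good, "wb") as f:
            f.write(body)

        os.makedirs(os.path.join(d, "tampered"))
        bad = os.path.join(d, "tampered", name)
        with open(bad, "wb") as f:
            f.write(body + b"X")  # one extra byte: same name, different contents

        return (verify_installer(good)[0], verify_installer(bad)[0])


if __name__ == "__main__":
    print("expected SHA-1 from name:", expected_sha1_from_name(SP3_FILENAME))
    print("genuine ok, tampered ok:", demo())
```

Run it against the real file with `verify_installer(r"\\server\share\windowsxp-kb936929-sp3-x86-enu_c81472f7eeea2eca421e116cd4c03e2300ebfde4.exe")` before disabling HIPS; a `False` result means the file on the share is not the download the name claims it is, and the HIPS alert should be investigated rather than suppressed.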
If you need more information or guidance, then please contact technical support.
- Article ID: 38269
- Created: 7 May 2008
- Last updated: 24 Oct 2008
