The file tmp.edb may generate a detection on Windows Sophos Endpoints

  • Article ID: 118310
  • Rating:
  • 19 customers rated this article 3.7 out of 6
  • Updated: 24 Aug 2015


The file 'tmp.edb' and other '.edb' files generate an unexpected detection. The '.edb' is not included in the default on-access scanner extension list.

This alert may also occur when behavior monitoring is enabled.


File "C:\Windows\security\database\tmp.edb" belongs to virus/spyware 'Mal/ZboCheMan-A'.

When the location is investigated, the file often no longer exists.

Locations reported:


First seen in
Sophos Endpoint Security and Control 9.7


Windows security database files ('.edb') may be scanned as part of behavior monitoring or in scenarios where the on-access scanner needs to verify the file type is as the filename suffix states. This can occur irrespective of the on-access scanned extensions list.

These files can contain a structure that the on-access scanner may interpret as malicious whilst the file is in transitional state. (i.e. In this case it may be considered as a false positive.)

What To Do

Microsoft have created an article detailing their suggestions for exclusions, we suggest that these are added only when necessary.

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent