Latest reply: May 3, 2013 1:50 PM by Valkyrja

    New detections starting with SUSPECT-

    Valkyrja

      Today I received a number of notifications in ePO that a number of files on remote computers had a detection. All began with Suspect-AH! and I have never seen these before. A closer examination revealed that many of them were Word documents that had used multiple "." to break up the name of the document. I know that naming items in that fashion can be a flag but not a sole reason for deleting a file.

       

      The product is VirusScan 8.8.0.849 with DAT 7063.0000. The scan engine is 5400.1158. I have not applied Patch 3 due to the fact that I do not have Windows 8 machines present. Artemis Sensitivity level: Medium.

       

      The systems in question are Windows XP SP3 and Windows 7 SP1 computers. All workstations, no servers.

       

      An example:

      \Documents and Settings\(%USERNAME%)\Local Settings\Temporary Internet Files\Content.Outlook\(%RANDOM%)\An.eaxmple.doc2010.doc

       

      I replaced parts of the path with appropriate items to relay their import but hide personal details.

       

      In ePO:

      Threat Name: Suspect-AH!299E2451731C
      Threat Type: Trojan
      Action Taken: Deleted
      Threat Handled: true

       

      I did a search for Suspect-AH and did not find anything. Is this how Artemis files are being named now?
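
An added triage helper, not from the original post and not McAfee code, for sorting events like the one above. It splits each Threat Name into a family and the suffix after "!" (the suffix format is taken only from the example in the post, not from vendor documentation), and flags target file names that show the multiple-dot pattern the poster describes, so the "Suspect-" events can be checked against that hypothesis in bulk. The column names of the ePO export and the sample rows are constructed assumptions.

```python
"""Triage helper for ePO threat events whose Threat Name starts with "Suspect-".

Added example, not from the original post or from McAfee. The CSV column
names (ThreatName, ThreatType, ActionTaken, TargetPath) are an assumption
about an ePO threat-event export; the sample rows are constructed.
"""
import csv
import io
import re
from collections import Counter

# <family>!<hex suffix>; the suffix shape is inferred from the single example
# in the post ("Suspect-AH!299E2451731C"), not from documentation.
THREAT_NAME_RE = re.compile(
    r"^(?P<family>[A-Za-z0-9.-]+)(?:!(?P<suffix>[0-9A-Fa-f]+))?$"
)

# Constructed sample export (assumed column names, made-up paths and names).
SAMPLE_CSV = """ThreatName,ThreatType,ActionTaken,TargetPath
Suspect-AH!299E2451731C,Trojan,Deleted,C:\\Documents and Settings\\user\\Local Settings\\Temporary Internet Files\\Content.Outlook\\AB12CD34\\An.example.doc2010.doc
Suspect-AH!0123456789AB,Trojan,Deleted,C:\\Users\\user\\Downloads\\Quarterly.Report.v2.docx
Other-Family!DEADBEEF1234,Trojan,Deleted,C:\\Users\\user\\Downloads\\setup.exe
Other.Name,Trojan,Cleaned,C:\\Users\\user\\AppData\\Local\\Temp\\a.tmp
"""


def parse_threat_name(name):
    """Return (family, suffix) for a threat name; suffix is None if absent."""
    m = THREAT_NAME_RE.match(name.strip())
    if not m:
        return None, None
    suffix = m.group("suffix")
    return m.group("family"), (suffix.upper() if suffix else None)


def basename(path):
    """Last component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def looks_multi_dotted(path, min_parts=3):
    """True when the file name contains two or more dots, e.g. a.b.doc.

    A plain name.ext has two dot-separated parts, so the default threshold
    of three parts flags exactly the names the poster describes.
    """
    return len(basename(path).split(".")) >= min_parts


def triage(csv_text):
    """Split events into Suspect-* and others, annotating each with the
    parsed suffix and the multi-dot flag; also count events per family."""
    rows = csv.DictReader(io.StringIO(csv_text))
    result = {"suspect": [], "other": [], "families": Counter()}
    for row in rows:
        family, suffix = parse_threat_name(row["ThreatName"])
        result["families"][family] += 1
        record = {
            "family": family,
            "suffix": suffix,
            "action": row["ActionTaken"],
            "file": basename(row["TargetPath"]),
            "multi_dot": looks_multi_dotted(row["TargetPath"]),
        }
        bucket = "suspect" if family and family.startswith("Suspect-") else "other"
        result[bucket].append(record)
    result["families"] = dict(result["families"])
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_CSV)
    for rec in summary["suspect"]:
        print(rec["family"], rec["suffix"], rec["file"], "multi-dot" if rec["multi_dot"] else "")
    print("per family:", summary["families"])
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; if every Suspect-* record comes back with multi_dot set while the others do not, that supports the naming-pattern hypothesis, but it does not by itself say why the engine judged the files suspicious.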