Forum Discussion

Meilink-IT
Level 1
27 days ago

Defender 365 detecting malware in a CAB/DVSSP file

Defender for Endpoint is scanning and detecting malware on our Enterprise Vault server (Windows Server 2019, EV 14.1)

Defender detected and quarantined 'VirTool:Win32/Obfuscator.AMB' in file 'Collection69820.CAB->2015\03-18\F\099\F099004C44E1182BB4C66969414A5BF1~27~F371B949~00~1.DVSSP->DOC2015001115376112626-pdf.exe->(RarSfx)->muxtkav->AutoIT_Script->[EmbeddedEnc]'

We have been running with Defender for Endpoint for almost a year and only now does it detect this on a file from 2015...

I'm wondering how to handle this. I read somewhere it is not recommended to let any antivirus run in this file location because it might wreck Enterprise Vault. But I also don't want to risk letting that malware exist.

From my knowledge, there is also no way to determine which archive/user this file belongs to?
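A small parser for the nested detection path quoted above, added here as an example (it is not from the post, from Defender or from Enterprise Vault). It assumes Defender's "outer file -> inner item -> ..." convention, with parenthesised or bracketed entries naming an unpacking stage rather than a file, and reads off which file on disk was actually quarantined and which saveset inside the CAB carried the hit, which is the pair an administrator needs to trace the item in the vault.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, copied from the detection quoted in the post above.
SAMPLE = (
    r"Collection69820.CAB"
    r"->2015\03-18\F\099\F099004C44E1182BB4C66969414A5BF1~27~F371B949~00~1.DVSSP"
    r"->DOC2015001115376112626-pdf.exe->(RarSfx)->muxtkav->AutoIT_Script->[EmbeddedEnc]"
)

# Assumption: entries wrapped in () or [] are unpacker/emulator stages, not files.
STAGE = re.compile(r"^[\(\[].*[\)\]]$")   # e.g. "(RarSfx)", "[EmbeddedEnc]"


@dataclass
class Detection:
    on_disk: str                # the only real file on the server; quarantine acts on this
    vault_item: Optional[str]   # CAB-relative path of the EV saveset (.DVSSP) holding the hit
    payload: Optional[str]      # innermost named file that carried the verdict
    stages: List[str]           # unpacking/emulation stages Defender went through
    depth: int                  # number of "->" hops from the on-disk file


def parse_detection_path(path: str) -> Detection:
    parts = [p.strip() for p in path.split("->") if p.strip()]
    stages = [p for p in parts if STAGE.match(p)]
    files = [p for p in parts if p not in stages]
    vault = next((p for p in files if p.lower().endswith(".dvssp")), None)
    # The last entry whose leaf name has an extension is the scanned payload; bare
    # tokens after it ("muxtkav", "AutoIT_Script") are script/emulation artefacts.
    payload = next((p for p in reversed(files) if "." in p.rsplit("\\", 1)[-1]), None)
    return Detection(files[0], vault, payload, stages, len(parts) - 1)


def is_inside_vault_collection(det: Detection) -> bool:
    """True when the hit sits inside an EV collection CAB rather than in a loose file,
    i.e. quarantining it removes the whole collection, not just the flagged item."""
    return det.on_disk.lower().endswith(".cab") and det.vault_item is not None


if __name__ == "__main__":
    d = parse_detection_path(SAMPLE)
    print(f"quarantined on disk : {d.on_disk}")
    print(f"saveset inside CAB  : {d.vault_item}")
    print(f"flagged payload     : {d.payload}  (via {', '.join(d.stages)})")
```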

2 Replies

  • Follow the advice from Tonaco.

    Not having the proper exclusions will do more harm than good. As for a possible threat in the cab/dvs files, keep in mind that if a user retrieves the item, it will be scanned on the location where it is opened. Provided, of course, the user is running an AV solution also. When a retrieved item is opened on a workstation, the local AV should kick in and clean/quarantine or block the item.