Defender 365 detecting malware in a CAB/DVSSP file

Meilink-IT
Level 1

Defender for Endpoint is scanning and detecting malware on our Enterprise Vault server (Windows Server 2019, EV 14.1)

Defender detected and quarantined 'VirTool:Win32/Obfuscator.AMB' in file 'Collection69820.CAB->2015\03-18\F\099\F099004C44E1182BB4C66969414A5BF1~27~F371B949~00~1.DVSSP->DOC2015001115376112626-pdf.exe->(RarSfx)->muxtkav->AutoIT_Script->[EmbeddedEnc]'

We have been running with Defender for Endpoint for almost a year and only now does it detect this on a file from 2015...

I'm wondering how to handle this? I read somewhere it is not recommended to let any antivirus run in this file location because it might wreck Enterprise Vault. But I also don't want to risk letting that malware exist.

From my knowledge there is also no way to determine which archive/user this file belongs to?

2 REPLIES

Tonaco_pt
Moderator
Partner    VIP    Accredited

Hi, 

You need to restore the CAB file from backup or quarantine and configure antivirus exclusions. Use this article as a guide: Recommended list of antivirus exclusions for Enterprise Vault

 

GertjanA
Moderator
Partner    VIP    Accredited Certified

Follow the advice from Tonaco.

Not having the proper exclusions will do more harm than good. As for a possible threat in the cab/dvs files, keep in mind that if a user retrieves the item, it will be scanned on the location where it is opened. Provided, of course, the user is running an AV solution also. When a retrieved item is opened on a workstation, then the local AV should kick in, and then clean/quarantine or block the item.

Regards. Gertjan
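Both replies come down to the same two steps: get the Enterprise Vault storage locations excluded from real-time scanning, then restore the quarantined CAB so the vault store is intact again. The script below is an added example of doing that with the Defender PowerShell module on the EV server; it is not from this thread, from Veritas or from Microsoft documentation. Every path in it is an assumed placeholder: the actual folders to exclude must be taken from the Veritas article Tonaco linked, and the CAB path from the Defender detection record.

```powershell
# Added example, not the thread's own code. Run in an elevated PowerShell on
# the Enterprise Vault server. All paths below are ASSUMED placeholders;
# replace them with the locations listed in the Veritas exclusions article
# and the CAB path reported by Defender.

# 1. Record what Defender detected before changing anything, so the
#    detection (threat name, file, action) is captured for the incident notes.
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-30) } |
    Select-Object InitialDetectionTime, ProcessName, ActionSuccess, Resources |
    Format-List

# 2. Enterprise Vault locations to exclude (ASSUMED placeholders).
$evPaths = @(
    'D:\EVStorage\VaultStore1\Ptn1',                   # vault store partition (*.CAB / *.DVSSP live here)
    'D:\EVIndex',                                      # index location
    'C:\Program Files (x86)\Enterprise Vault\EVTemp'   # temp / cache folder
)

# 3. Add only the exclusions that are not already present, so re-running the
#    script is harmless.
$existing = (Get-MpPreference).ExclusionPath
foreach ($path in $evPaths) {
    if ($existing -notcontains $path) {
        Add-MpPreference -ExclusionPath $path
        Write-Output "Added path exclusion: $path"
    } else {
        Write-Output "Already excluded:    $path"
    }
}

# 4. Verify the effective exclusion list. If the server is managed by
#    Intune/MDE policy with tamper protection, locally added exclusions may be
#    overridden; in that case the same paths must be set in the policy.
(Get-MpPreference).ExclusionPath

# 5. Only after the exclusions are in place, restore the quarantined CAB so
#    EV can serve the collection again. List quarantined items first, then
#    restore the single file by its original path (ASSUMED placeholder path).
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpCmdRun -Restore -ListAll
& $mpCmdRun -Restore -FilePath 'D:\EVStorage\VaultStore1\Ptn1\Collection69820.CAB'
```

Restoring the CAB does not change what it contains; the point of the replies is that the archived item gets scanned again by the workstation's AV when a user retrieves it, which is why the exclusion list from the Veritas article should stay limited to the EV storage, index and temp folders rather than the whole server.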