Yes, confirmed as a false positive. I never did get through to their support last night, waited on hold for over an hour. I ended up just excluding the winlogon.exe to get us back up and running.
Thanks all and enjoy your Labor Day (if you're into that sort of thing) ☺

From: [email protected] [mailto:[email protected]] On Behalf Of Eric Wittersheim
Sent: Sunday, September 04, 2016 10:58 AM
To: [email protected]
Subject: Re: [NTSysADM] RE: Outbreak

False positive confirmed by Sophos Support this morning. Here is a KB they sent me.
https://community.sophos.com/kb/en-us/125000

On Sun, Sep 4, 2016 at 8:53 AM, Richard Stovall <[email protected]> wrote:

Is it a real outbreak? Everything I can find about that name is really old. Bad defs from Sophos resulting in false positives?

On Sep 4, 2016 7:34 AM, "Beard, Julius" <[email protected]> wrote:

Yep, we're seeing the same on a number of machines running Sophos. I see they updated their KB article in Threat Center last night, but now it goes to a 404 page. You get any response from them?

From: [email protected] [mailto:[email protected]] On Behalf Of Kelsey, John
Sent: Sunday, September 4, 2016 12:16 AM
To: '[email protected]' <[email protected]>
Subject: [NTSysADM] Outbreak

We're seeing a massive outbreak of Troj-FarFli-CT tonight, affecting winlogon.exe. Sophos doing a poor job of stopping it so far. Anyone else seeing similar? Tons of our VMs are getting infected. On hold for over 30 minutes waiting for Sophos support right now.

***************************************
John C. Kelsey
Penn Highlands Healthcare
814.375.3073
814.375.4005
[email protected]
***************************************

This email and any attached files are sensitive in nature and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of Penn Highlands Healthcare or its affiliates. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arise from the use of this email or attachments.

