I run Dropbox and Seagate Dashbox for backups. Clean endpoint today and for first time showing 44,000 threats which are 99% located within backups, and appear to refer to documents which are otherwise known to me and on my hard drive innocent of threats. I would appreciate comments on this, so I understand. Do backups such as mine normally produce such entries in endpoint?
Many thanks
I would say these are false positives. I assume the original files are not infected.
What does it report about those files? I assume it is only one or several things it reports.
Thank you. There really could be no other answer, but it was worth asking.
99% of the threats refer to a ‘backup’, some to a specific backup of the two I have mentioned, and then on that line to specific documents, always in multiples of the same.
Why is CIS picking these up, and why now when it didn’t before?
Is it only CCE who picks up those files or does CIS also pick it up?
Can you post a screenshot of the results page of CCE? I want to see if it is a detection by signature or by the heuristics part.
I attach a .gif of the results today.
Only 29 threats. Why these picked up I have no idea. Were 43,000+ yesterday
No such threats ever shown in CCE Smart Scan, and in CIS
[attachment deleted by admin]
It seems to think it may be a rootkit. May be the back up program when it is making back ups gets flagged.
If you feel like testing could let CCE run a full system scan or only the back up locations when you absolutely know for sure the back up program is not doing anything. It would be interesting to see whether it is the activity or how back ups are stored causing these results.
Stopped Seagate Dashboard (Computer/manage/services), so showing start: Dropbox not run, ran CCE and after 8 minutes, and also at 49%, showed same 29 threats.
Apparently there is something in how these backups are stored that ticks off something in the rootkit detection of CCE. Sometimes security programs may respond to certain low level behaviour of programs. For example Comodo Time Machine modifies the master boot record which may be flagged as rootkit like behaviour.
We know your system is otherwise clean so there is no reason to worry about CCE flagging it as rootkit files.
May be other scanners may pick up on it also. I could imagine Hitman Pro or gmer (when letting it scan you c drive) to also flag it.
You seem to have nailed it.
But aside from that any wider concerns out of this for CCE and CIS?
I see no reasons for concern. It is a false positive and some other scanners might pick up on it in a similar type of alert.