Cloud AV Question

I was wondering why, when someone gets a Cloud AV alert that a virus is found, they have to click the clean button multiple times. Usually it's 3 times.
Here is a good example

Can you tell us at what point in time this occurs?


Sorry for the confusion. I meant to say at what point in the clip?

Yes, that's what I put, 6:45 into the video and so on.

Dohoh… where was my brain when I wrote my previous reply… :smiley:

I am not 100% sure about it, but I think it needs to erase it in memory, on disk and in the memory preload… I know Ronny has explained this in the past but I can't find it.

And sometimes first an autosandbox, then an AV alert for the same file, and after clicking clean, a D+ alert for the same file. I don't understand: if the file is cleaned by the AV, then how come a D+ alert appears for the same file? Does this mean that even though I clicked on clean, the AV may not be able to clean the file? And why all the things (autosandbox, AV alert and D+ alert) for the file when it is detected by the AV? If it's detected by the AV, then the other things shouldn't appear. How is a file passed through CIS? I mean, which comes after which? Whitelist - autosandbox - AV - D+, or some other way?


It is probably in the timing of things. I think that the cloud lookup took a bit longer, so CIS decided to sandbox the file. If the cloud reports back shortly after the sandboxing, the virus alert will come after the sandbox alert.

To comment on the D+ alert I need to know what type of alert it is. I can think of the following scenario where the D+ alert would show up in the process: after the file is sandboxed and the AV is starting to remove the file, the malware running in the sandbox is triggering something D+ will alert for with sandboxed files.

It may look a bit messy, but it is all feasible to me. It surely does not mean the AV cannot handle it. There are just many things happening in a short period of time.