Welcome back! Ask questions, get answers, and join our large community of tax professionals.
- Topics
- Training
- Community
- Product Help
- Industry Discussions
- User Groups
- Discover
- Resources
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Intuit Accountants Community
- :
- ProSeries Tax
- :
- ProSeries Tax Discussions
- :
- I am trying to determine if the Sophos is giving a false positive Ransomware detection due to a ProSeries Update.
I am trying to determine if the Sophos is giving a false positive Ransomware detection due to a ProSeries Update.
Options
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
cguise
Level 1
01-15-2024
07:40 AM
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report Inappropriate Content
Hello:
Early Saturday morning, we received a notice of a possible ransomware attack originating from our 4 workstations with ProSeries installed. Sophos and our IT Company both believe this to be a false positive. However, out of an abundance of caution, we are looking for confirmation from ProSeries or the Community that these are legitimate files.
Provided below is the list of files that were detected as Ransomware:
Detection Generic.Ransom.X
1*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZNC.xml
Overwritten L0, Read T4096 H4096|^45837|^b5565, Write T5120 H4893|^55318|^b6741 #1,r2,LN
2*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZNC.xml
Opened L4893, Read T5120|100% H4893|^55406|^b6764 #2,w1,LN
3 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023MSI.xml
Overwritten L0, Read T4096 H4096|^44589|^b5588, Write T4608 H4507|^49562|^b6129 #3,r4,LN
4 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023MSI.xml
Opened L4507, Read T4608|100% H4507|^49697|^b6164 #4,w3,LN
5*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023MNO.xml
Overwritten L0, Read T2048 H1554|^18315|^b2178, Write T2048 H1554|^18315|^b2178 #5,r6,LT
6*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023MNO.xml
Opened L1554, Read T2048|100% H1554|^18304|^b2175 #6,w5,LT
7 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZMN.xml
Overwritten L0, Read T4096 H4096|^46461|^b5887, Write T12800 H12661|^144551|^b18365 #7,r8,LN
8 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZMN.xml
Opened L12661, Read T12800|100% H12661|^144788|^b18427 #8,w7,LN
9 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZMI.xml
Overwritten L0, Read T4096 H4096|^47496|^b5623, Write T22528 H22498|^273509|^b32853 #9,r10,LN
10 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZMI.xml
Opened L22498, Read T22528|100% H22498|^273578|^b32871 #10,w9,LN
11 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZMD.xml
Overwritten L0, Read T4096 H4096|^48003|^b6040, Write T6144 H5707|^67048|^b8321 #11,r12,LN
12 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZMD.xml
Opened L5707, Read T6144|100% H5707|^67250|^b8374 #12,w11,LN
13*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZMA.xml
Overwritten L0, Read T4096 H4096|^47527|^b5927, Write T11264 H11080|^132998|^b16554 #13,r14,LN
14*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZMA.xml
Opened L11080, Read T11264|100% H11080|^133028|^b16561 #14,w13,LN
15 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZIL.xml
Overwritten L0, Read T4096 H4096|^47648|^b5912, Write T8192 H7734|^91937|^b11364 #15,r16,LN
16 D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZIL.xml
Opened L7734, Read T8192|100% H7734|^91953|^b11368 #16,w15,LN
19*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZHI.xml
Overwritten L0, Read T4096 H4096|^46970|^b5689, Write T7680 H7366|^85832|^b10343 #19,r20,LN
20*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZHI.xml
Opened L7366, Read T7680|100% H7366|^85947|^b10373, Write T7680|100% H7366|^85832|^b10343 #20,w19,LN
29*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZCA.xml
Overwritten L0, Read T4096 H4096|^45954|^b5620, Write T23552 H23209|^267067|^b33281 #29,r30,LN
30*D:\Programs\APPL\ProSeries\ProWin23\FormsAvail\S2023ZCA.xml
Opened L23209, Read T23552|100% H23209|^267463|^b33385, Write T23552|100% H23209|^267067|^b33281 #30,w29,LN
Dropped Files
1 C:\Windows\system32\LogFiles\WMI\SUM.etl
Dropped by [4]
Labels
6 Comments 6
Dusty2
Level 7
01-15-2024
09:09 AM
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report Inappropriate Content
I don't use the Multi User version so I can't help there. But I would not mess around on here I would be calling Intuit and escalating this quickly. You don't want to mess around with potential Ransonware issues!!!
Call Intuit IMMEDIATELY!!!
Dusty
itonewbie
Level 15
01-15-2024
10:09 AM
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report Inappropriate Content
Sophos is known to have a high rate for false positive detection, if I recall.
Agree with @Dusty2 you'd want to get in touch with Intuit, who may be able to help you and if they determine that it's a false positive, they may even work with Sophos to update their database.
In the meantime, I'd also scan the file(s) identified on the VirusTotal website, which would give you consolidated results from multiple scanners: https://www.virustotal.com/gui/home/upload
---------------------------------------------------------------------------------
Still an AllStar
Still an AllStar
cguise
Level 1
01-15-2024
10:40 AM
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report Inappropriate Content
Thanks @itonewbie and @Dusty2 I have been trying to contact Intuit all weekend but their support is down which is why I turned to the community. So my plan is to call them first thing tomorrow when they open after the holiday. If anyone has a live human I can contact at ProSeries before Tuesday I would love to have the number or e-mail.
Again 95% sure this is a false positive from Sophos, but I would like to be 100% certain.
I did find these older posts that suggest the presence of false positives, but nothing for 2023.
Dusty2
Level 7
01-15-2024
01:11 PM
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report Inappropriate Content
To date I have not (thankfully) had Ransomware on any of my PC's. I do run Malwarebytes regularly (free version). Checking their site it says it will find Ransomware before it actives. I don't know if it does or not.
I would suggest downloading it and running it on and PC's and Servers to make sure.
We have some VERY strict rules on E-mail (that is how most Ransomware is installed on PC's). NO ONE is allowed to access their personal e-mail on any of our equipment. All company email comes to one of 2 email accounts and both of us will not open ANYTHING if we are not expecting an email from that client. If we think it could be legitimate we will call the individual to assure that they sent it.
Dusty
PATAX
Level 15
01-15-2024
02:04 PM
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report Inappropriate Content
@Dusty2 per cpa instructor at seminar, vast majority of viruses/malware,etc comes from emails. Also, good idea to only use business computer for business purposes only, and only go on business websites that are reliable.
