Windows Server 2016

    Question

  • Hi Support, 

    The Windows Server 2016 keeps detecting pagefile.sys as a threat. 

    We have done full and advanced scanning on the server, but it cannot clean up the pagefile as it is locked while in use. Our antivirus only scans the files on the system, and if files were in pagefile.sys (which exists even without VSC) they might be stuck in running memory but never cleared out.

    Is it advisable to delete the pagefile.sys if we want to delete it manually? Is it impacting any of the programs on the server? If it can be deleted, how do we delete it manually, because currently it's locked?

    Regards, 

    Nadhrah Nini



    Siti.Nadhrah

    Thursday, April 4, 2019 5:44 AM

All replies

  • Pagefile.sys itself isn't a threat. It's possible that this is a false positive but equally plausible that at some point you had a memory resident threat and this was paged out to the file. You might want to speak with your AV provider.

    One suggestion to delete this...

    1. From the run prompt launch secpol.msc

    2. In the left hand pane select Local Policies\Security Options

    3. In the right hand pane enable Shutdown: Clear Virtual Memory Pagefile

    Then reboot

    MarkC (MSFT)

    Thursday, April 4, 2019 8:59 AM
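    The same setting, as an added PowerShell example (not from the thread or from Microsoft): the "Shutdown: Clear virtual memory pagefile" policy is backed by the ClearPageFileAtShutdown DWORD under the Memory Management key, so you can check and toggle it from an elevated prompt instead of secpol.msc. The function names are my own.

```powershell
# Added example (not from the thread): inspect and toggle the
# "Shutdown: Clear virtual memory pagefile" policy via its registry value.
# The policy maps to the DWORD ClearPageFileAtShutdown under Memory Management.
# Function names are my own; run from an elevated PowerShell prompt.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$ValueName  = 'ClearPageFileAtShutdown'

function Get-ClearPageFileAtShutdown {
    # Returns $true when the pagefile will be zeroed at shutdown, $false otherwise.
    $item = Get-ItemProperty -Path $MemMgmtKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }   # value absent = policy not defined = off
    return ([int]$item.$ValueName -eq 1)
}

function Set-ClearPageFileAtShutdown {
    param([Parameter(Mandatory)][bool]$Enabled)
    # Writing the value is equivalent to toggling the setting in secpol.msc;
    # it only takes effect at the next shutdown/restart.
    $data = if ($Enabled) { 1 } else { 0 }
    Set-ItemProperty -Path $MemMgmtKey -Name $ValueName -Value $data -Type DWord
}

# Show where the pagefile currently lives and its size, for the record.
Get-CimInstance Win32_PageFileUsage |
    Select-Object Name, AllocatedBaseSize, CurrentUsage

"Clear pagefile at shutdown currently enabled: $(Get-ClearPageFileAtShutdown)"

# Workflow from the thread: enable, reboot once (the file is overwritten on
# that shutdown and recreated at startup), then disable again so every later
# shutdown does not pay the overwrite cost.
# Set-ClearPageFileAtShutdown -Enabled $true
# Restart-Computer
# ... after the reboot, rescan with the AV, then:
# Set-ClearPageFileAtShutdown -Enabled $false
```

If the detection on pagefile.sys returns after a cleared reboot, the file is only a symptom: whatever wrote the flagged bytes into memory is still running, which is the point at which the AV vendor's analysis is needed.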
  • Hi MarkC, 

    I have checked with the AV provider. Our AV recommended getting advice from Microsoft regarding this pagefile.sys.

    From the steps you have given just now, is there any impact if we delete it? If we manage to delete it, will it come back in the future? If yes, do we have to apply the same steps?

    Regards, 

    Nadhrah Nini 


    Siti.Nadhrah

    Thursday, April 4, 2019 9:27 AM
  • That's a disappointing response from your AV provider. They're the ones that are detecting it after all.

    The pagefile is just backing storage for memory that gets paged out to disk. I don't work with AV but it's fair to assume that if that memory happens to contain a byte sequence that AV triggers on then a scan of the page file will result in a detection.

    The steps I suggested are to clear the page file on shutdown. You can actually delete or resize this file and it will be recreated on startup, so there is no long term impact, but it will delay the shutdown time (see https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile), so you might not want to leave this permanently enabled. If a subsequent scan reports malware though, you'll definitely need to go back to your AV company, as this would be an indication that the malware is still active somewhere on your system.

    Let us know how you get on.

    MarkC (MSFT)


    • Edited by markc(msft) Thursday, April 4, 2019 9:58 AM
    Thursday, April 4, 2019 9:55 AM
  • Hi MarkC, 

    After I apply the steps given, meaning after rebooting, should I immediately change Shutdown: Clear Virtual Memory Pagefile to disabled?



    Siti.Nadhrah


    • Edited by Nadhrah Friday, April 5, 2019 7:06 AM
    Friday, April 5, 2019 7:04 AM
  • Yes, that's what I'd do. The idea is to just flush the pagefile of any legacy artefacts, but you don't want the overhead of this on every shutdown. If the problem recurs then it's indicative of either a persistent threat or a false positive, but you'll definitely need to speak with your AV provider in either case. Hopefully it won't come to that though.

    MarkC (MSFT)

    Friday, April 5, 2019 7:34 AM
  • Hi Mark, 

    I did clear the virtual memory pagefile; however, the AV still detects the pagefile.sys as a threat. We have to refer to our AV to check this kind of issue.

    Btw, thank you for your help. 

    Regards, 

    Siti Nadhrah


    Siti.Nadhrah

    Friday, April 12, 2019 7:56 AM