Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 19 subscribers
  • Views 5509 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Feature Request - Sophos Endpoint Protection - Enhanced Mail Alerts

user_xxyy

Hi!

I'd like to suggest adding some more details in the email sent to the security/network staff.

For example it would be helpful to have File creation date+time, creator, SHA1, SHA256 and SSDEEP information about the file that just got removed.

Just because it helps understanding if those .exe files were really malicious or not. Without that information our experience is a bad starting point to analyse a problem.

Looking forward to your answer.

Best regards

User XXYY

:56439


This thread was automatically locked due to age.
Parents
  • 0

    Hello User XXYY,

    I'm curious in what way this information could help? You could perhaps conjecture that it matches another detection from a different time and/or endpoint. But how would it tell you whether those files were really malicious or not? At best you'd find the SSDEEP hash (extremely unlikely for HSA256) on a whitelist (which nevertheless wouldn't prove it has been clean).

    the file that just got removed

    Delete is not a recommended setting anyway. Leaves automatic cleanup which would remove a file which is considered as malicious to the core. And with the file itself removed this information likely is at once the starting and the final point.

    Christian

    :56440
Reply
  • 0

    Hello User XXYY,

    I'm curious in what way this information could help? You could perhaps conjecture that it matches another detection from a different time and/or endpoint. But how would it tell you whether those files were really malicious or not? At best you'd find the SSDEEP hash (extremely unlikely for HSA256) on a whitelist (which nevertheless wouldn't prove it has been clean).

    the file that just got removed

    Delete is not a recommended setting anyway. Leaves automatic cleanup which would remove a file which is considered as malicious to the core. And with the file itself removed this information likely is at once the starting and the final point.

    Christian

    :56440
Children
No Data
Unfiltered HTML