This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Ransomware detection failed ? (Intercept X Enpoint)

PROBLEM SOLVED: see my Post below

I wanted to test ransomware detection inside a VM (network disconnected).

I tried the Thanos ransomware: the malware was detected while unpacking a zip containing the malware -> ok fine
Then I disabled real-time file scanning (within the endpoint client). However, ransomware detection and all other features were still active. In this configuration I was able to unpack and run the malware. The malware ran for several minutes and then all files were encrypted. There was no alert or other response from Sophos Endpoint Protection.
Why didn't Sophos detect this (old) ransomware? Do features like ransomware detection rely on real-time scanning, or does ransomware detection require the internet?

Has anyone tried to explicitly test the ransomware?

best regards,
Bernd

(I downloaded the malware form "theZoo")

This thread was automatically locked due to age.

Top Replies

Bernd Reuther over 1 year ago in reply to Bernd Reuther +1 suggested

PROBLEM SOLVED! In my test-VM I hade only two regulars files within Desktops/Deocuments/Pictures/... I tested again while having few more files in those directories, in this scenario Sopohs detected the…

Parents

0 Qoosh over 1 year ago

Hi Bernd,

Thanks for reaching out.

Do you know what version of Sophos you have installed? Is this managed from Sophos Central, or do you have a stand-alone version installed?

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Bernd Reuther over 1 year ago in reply to Qoosh

Hello Kushal,

it is Intercept X Advanved managed via Sophos Central.

Sophos endpoint says "Core Agent 2022.4.2.1" and Sophos Intercept X 2022.1.3.3

What I have found: the self-help tools in menu "Services" lists everythings as "green", except "Sophos early launch anti-malware" which is not running. I don't know why. All features should be activated.
Is there anyting I should do to active this? If this might be the cause I can do the test again, if I'M able to active this.

best regards,
Bernd
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Bernd Reuther over 1 year ago in reply to Qoosh

Hello Kushal,

it is Intercept X Advanved managed via Sophos Central.

Sophos endpoint says "Core Agent 2022.4.2.1" and Sophos Intercept X 2022.1.3.3

What I have found: the self-help tools in menu "Services" lists everythings as "green", except "Sophos early launch anti-malware" which is not running. I don't know why. All features should be activated.
Is there anyting I should do to active this? If this might be the cause I can do the test again, if I'M able to active this.

best regards,
Bernd
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Bernd Reuther over 1 year ago in reply to Bernd Reuther

https://support.sophos.com/support/s/article/KB-000036446?language=en_US

According to "Sophos Early Launch Anti-Malware" -> "The default status of this driver is stopped. No action is required."
So this shouldn't be the problem.
Cancel
Vote Up 0 Vote Down

Cancel
0 GlennSen over 1 year ago in reply to Bernd Reuther

Hello Bernard,

Thank you for sharing the said information. To further check the situation, can you raise a support case through our support portal and share below details to the case,

* Exact steps you perform to run the malware.
* Sample file of the malware you've used. (In this case, you can zip the sample file and attach it through the case.)

Once created, kindly share with us the case ID so we can monitor the status of the case.

Glenn ArchieSeñas (GlennSen)

Global Community Support Engineer

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Bernd Reuther over 1 year ago in reply to GlennSen

I registered for the Ticket System. As soon as I receive the activation I'll provide te details (I can provide screen recordings).
Cancel
Vote Up 0 Vote Down

Cancel
0 Bernd Reuther over 1 year ago in reply to GlennSen

So far I have received only standard answers via Ticket, but not an answer to my question according to detecion of Ransomware ...
Cancel
Vote Up 0 Vote Down

Cancel
0 Bernd Reuther over 1 year ago in reply to Bernd Reuther

PROBLEM SOLVED!

In my test-VM I hade only two regulars files within Desktops/Deocuments/Pictures/... I tested again while having few more files in those directories, in this scenario Sopohs detected the ransomware (even when real-time scannig was deactived) and the original files where restored (very quickly and automatically).
I made the test again without network connection and it worked nevertheless.
Cancel
Vote Up +1 Vote Down

Cancel