
Ransomware detection failed? (Intercept X Endpoint)

PROBLEM SOLVED: see my post below

I wanted to test ransomware detection inside a VM (network disconnected).

I tried the Thanos ransomware: the malware was detected while unpacking a zip containing the malware -> OK, fine.
Then I disabled real-time file scanning (within the endpoint client). However, ransomware detection and all other features were still active. In this configuration I was able to unpack and run the malware. The malware ran for several minutes, and then all files were encrypted. There was no alert or other response from Sophos Endpoint Protection.
Why didn't Sophos detect this (old) ransomware? Do features like ransomware detection rely on real-time scanning, or does ransomware detection require the internet?


Has anyone tried to explicitly test ransomware detection?

best regards,
Bernd

(I downloaded the malware from "theZoo".)
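The test above runs live malware from theZoo in an isolated VM. As an added example (not from the original post and not Sophos code), the script below reproduces the file-level behaviour a behavioural ransomware detector watches for (bulk read, overwrite with high-entropy ciphertext, rename, drop a note) using only files it created itself inside a directory you name, and keeps the key so it can restore everything afterwards. The ".locked" suffix, the note filename, the sample document text and the SHA-256 counter-mode stream cipher are constructed for the simulation; whether a given product raises an alert on it is exactly what such a test has to establish, and this post does not say.

```python
"""Benign ransomware-behaviour simulator for testing endpoint detection in an
isolated VM.  Constructed example: it touches only files it created itself in the
directory given to it, and the key stays in memory so the run is reversible."""
import hashlib
import math
import secrets
import tempfile
from collections import Counter
from pathlib import Path

LOCKED_SUFFIX = ".locked"          # assumed suffix; real families use their own
NOTE_NAME = "HOW_TO_RECOVER.txt"   # constructed ransom-note filename


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8). Plain text lands around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream cipher built from SHA-256 in counter mode (stdlib only).
    Symmetric: the same call decrypts.  Adequate for a simulator, not for production."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        chunk = data[start:start + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def seed_victim_files(target: Path, count: int = 20) -> list[Path]:
    """Create low-entropy 'documents' to act as victims (constructed content)."""
    target.mkdir(parents=True, exist_ok=True)
    paths = []
    for i in range(count):
        p = target / f"report_{i:02d}.txt"
        p.write_text(f"Quarterly report {i}\n" + "lorem ipsum dolor sit amet\n" * 40)
        paths.append(p)
    return paths


def encrypt_tree(target: Path, key: bytes) -> list[Path]:
    """The behaviour a detector keys on: read every file, overwrite it in place
    with high-entropy ciphertext, rename it, then drop a note."""
    locked = []
    for p in sorted(target.iterdir()):
        if p.name == NOTE_NAME or p.suffix == LOCKED_SUFFIX:
            continue
        nonce = secrets.token_bytes(16)
        ciphertext = keystream_xor(key, nonce, p.read_bytes())
        p.write_bytes(nonce + ciphertext)          # overwrite original bytes
        new_path = p.with_name(p.name + LOCKED_SUFFIX)
        p.rename(new_path)                         # extension change
        locked.append(new_path)
    (target / NOTE_NAME).write_text("Simulation only. The key is held by the test harness.\n")
    return locked


def decrypt_tree(target: Path, key: bytes) -> list[Path]:
    """Reverse the simulation so the VM does not have to be rolled back."""
    restored = []
    for p in sorted(target.glob(f"*{LOCKED_SUFFIX}")):
        blob = p.read_bytes()
        plaintext = keystream_xor(key, blob[:16], blob[16:])
        original = p.with_name(p.name[: -len(LOCKED_SUFFIX)])
        original.write_bytes(plaintext)
        p.unlink()
        restored.append(original)
    note = target / NOTE_NAME
    if note.exists():
        note.unlink()
    return restored


def run_simulation(target: Path, count: int = 20) -> dict:
    """Seed, measure, encrypt, measure, restore.  Returns what a behavioural
    detector would observe: the entropy jump and the number of renamed files."""
    key = secrets.token_bytes(32)
    victims = seed_victim_files(target, count)
    before = sum(shannon_entropy(p.read_bytes()) for p in victims) / len(victims)
    locked = encrypt_tree(target, key)
    after = sum(shannon_entropy(p.read_bytes()) for p in locked) / len(locked)
    restored = decrypt_tree(target, key)
    intact = all(p.read_text().startswith("Quarterly report") for p in restored)
    return {"files_locked": len(locked), "entropy_before": before,
            "entropy_after": after, "restored_intact": intact}


def run_in_tempdir(count: int = 20) -> dict:
    """Convenience wrapper: run the whole cycle inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        return run_simulation(Path(d) / "victim", count)


if __name__ == "__main__":
    print(run_in_tempdir())
```

Point it at a folder the endpoint agent is actually protecting (not a temp directory it may exclude) and watch the console for an alert while it runs; the entropy figures it returns are the same signal a behavioural engine sees, so a run that completes with no alert is meaningful evidence, while a live sample that never reached its encryption stage is not.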



  • Hi Bernd,

    Thanks for reaching out. 

    Do you know what version of Sophos you have installed? Is this managed from Sophos Central, or do you have a stand-alone version installed?

    Kushal Lakhan
    Team Lead, Global Community Support
  • Hello Kushal,
    It is Intercept X Advanced managed via Sophos Central.

    Sophos Endpoint says "Core Agent 2022.4.2.1" and "Sophos Intercept X 2022.1.3.3".

    What I have found: the self-help tool's "Services" menu lists everything as green, except "Sophos Early Launch Anti-Malware", which is not running. I don't know why. All features should be activated.
    Is there anything I should do to activate this? If this might be the cause, I can do the test again if I'm able to activate it.

    best regards,
    Bernd 

