CryptoGuard 5:

A new policy option now sets the default action on detection of ransomware to terminate the process. We have kept the option to only isolate a process should you wish to keep using the setting from CryptoGuard 4. 

This new release is a design change in how our ransomware detection works, resulting in Sophos detecting more ransomware families and protecting more file types and sizes.

The software release to support CryptoGuard 5 has already been released; we will be migrating customers over from CryptoGuard v4 to v5 starting in February. As with all of our feature enablement, it will be done in small batches and you can control the change in action via the Sophos Central policy.

Regards,

Stephen

  • Hi,

    Is there any feature to exclude a range of IP addresses? We have workstations with assigned IP addresses through DHCP that process files on our file servers. The process includes a combination of encrypting files using GnuPG and deleting files using the Windows utility 'sdelete.exe'. This combination seems to be detected as a ransomware attack. We have to temporarily disable Sophos CryptoGuard protection for us to be able to process files. I have tried adding the process/programs to the exclusion list, i.e. the absolute path of the executables, but it does not seem to work.

  • Thanks Stephen, I appreciate your quick response.

  • Hi Sinan, you are correct that it is a lot more than just the option to terminate processes. However, given the IP that is in the changes, we do not have a document on the architectural changes that we have made. I can share that:

    * It's faster
    * It catches more complex ransomware attacks
    * We've enhanced exclusions
    * We protect more files than ever before

    This new version has been running in our Early Access Program for a while and we've seen some great results. Thank you for your interest in these changes.

    Regards,

    Stephen

  • Hi Stephen, do you have a document that can be shared with the public as to what exactly changes with CryptoGuard 5? I am sure it isn't just terminate/isolate options so understanding and digesting better would be helpful. Thanks in advance.