This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

CryptoGuard Was Detected

Hello,

A part of the alert that we receieve from Sophos says "What was detected: CryptoGuard" Isn't CryptoGuard Sophos's Intercept X component? Why does it say CrytoGuard was detected? Detecting its own product as malware?

Please throw some light on it.

This thread was automatically locked due to age.

Parents

0 jak over 5 years ago

Are you sure it's not a Crypoguard detection? If so, you will have a 911 event ID in the application event log.

The Event list at the endpoint would also reference this.

C:\ProgramData\HitmanPro.Alert\Logs\sophos.log
should also be useful.

Regards,

Jak
Cancel
Vote Up 0 Vote Down

Cancel
0 G33k over 5 years ago in reply to jak

Hello Jak,

This is the alert that we received

What happened: We detected ransomware trying to encrypt files.

Where it happened: ---

Path: ∕Applications∕Adobe Photoshop CC 2017∕Adobe Photoshop CC 2017.app∕Contents∕MacOS∕node

What was detected: CryptoGuard

User associated with device: ---

How severe it is: High

As it clearly says, CRYPTOGUARD was detected. Why does it say CryptoGuard was detected? What is CryptoGuard? Isn't it an Intercept X component?

Also, there are 100s of alerts over the week. Do you mean I should login into each of the PC and check the 911 event? That's ridiculous. Is there any way I can determine its a false positive without having to reach the user and get the logs. We manage 1000s of endpoints. Its not possible to request SDU everytime I get an alert.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 G33k over 5 years ago in reply to jak

Hello Jak,

This is the alert that we received

What happened: We detected ransomware trying to encrypt files.

Where it happened: ---

Path: ∕Applications∕Adobe Photoshop CC 2017∕Adobe Photoshop CC 2017.app∕Contents∕MacOS∕node

What was detected: CryptoGuard

User associated with device: ---

How severe it is: High

As it clearly says, CRYPTOGUARD was detected. Why does it say CryptoGuard was detected? What is CryptoGuard? Isn't it an Intercept X component?

Also, there are 100s of alerts over the week. Do you mean I should login into each of the PC and check the 911 event? That's ridiculous. Is there any way I can determine its a false positive without having to reach the user and get the logs. We manage 1000s of endpoints. Its not possible to request SDU everytime I get an alert.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 jak over 5 years ago in reply to G33k

Cryptoguard is a component of Intercept X to prevent Ransomware. I.e. a malicious process encrypting your important files.

I can only assume that maybe there is some batch process taking place which is updating existing files at a rate that looks malicious.

I think you'll have to open a ticket for this to understand why. I'm guessing you're seeing thins just on Macs?

Regards,
Jak
Cancel
Vote Up 0 Vote Down

Cancel
0 G33k over 5 years ago in reply to jak

Yes! I say, almost only on Macs. What do you think is happening? Do we have to check the logs each time we get an alert?
Cancel
Vote Up 0 Vote Down

Cancel
0 G33k over 5 years ago in reply to jak

Also, why does the alert notification say "What was detected: CryptoGuard" What does it mean? If the application is detected as ransomware, why does it tag CryptoGuard as ransomware?
Cancel
Vote Up 0 Vote Down

Cancel
0 Barb@Sophos over 5 years ago in reply to G33k

Hello G33k,

That means that Cryptoguard detected ransomware activity. You can find more info in the path provided (looks like an Adobe app).

Please follow these articles for next steps:
CryptoGuard Ransomware Protection
To find more details about a detection, see CryptoGuard detections on Mac OS X platforms

Regards,

Barb@Sophos
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel