
Questions regarding Sophos Central file restore

Hi,

I have a few questions about the file restore process after cleanup by Intercept X.

1. How long does it take on average for Sophos Central to restore a single file?

2. What should I do if a file was detected by Sophos as ML/PE-A and then allowed, but the restore failed and the file was detected again?

3. What is the best way to deploy Intercept X in an environment where a large number of custom tools are used and manually clicking Allow to restore files is becoming a daunting task, e.g. 10+ ML/PUA or ML/PE detections on a single developer's machine, and there are 50+ developers?

I could not find any answer within the following KBAs: 

https://community.sophos.com/kb/en-us/128136#restore

https://community.sophos.com/kb/en-us/127331

https://community.sophos.com/kb/en-us/127332

https://community.sophos.com/kb/en-us/127376

Any useful information other than above KBAs is greatly appreciated.

po

  • Hello-

    File Restore takes only a few minutes after the endpoint has been able to download the configuration update from Sophos (this happens automatically every 5 minutes or so; or if you click Update Now from the Sophos Endpoint UI). It shouldn't take more than half an hour at the most, assuming that the updated configuration was downloaded to the machine, and applied without errors.

    If restoration fails, then you would have to check the items mentioned in https://community.sophos.com/kb/en-us/127376 to see why restore fails, etc.

    My question for you is - have you tried whitelisting via Path instead of hash value? If you plan to deploy Intercept X to your users, it should be possible to whitelist via Path, and have the tools your users use to save and execute files on the whitelisted path, in theory.

    Thanks,

    Regards, 

    DianneY
    Technical Support Engineer | Sophos Support

    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link
  • DianneY said:

        My question for you is - have you tried whitelisting via Path instead of hash value? If you plan to deploy Intercept X to your users, it should be possible to whitelist via Path, and have the tools your users use to save and execute files on the whitelisted path, in theory.

        Thanks,

    The thing is there are so many tools within so many users (hint: development) and it's practically impossible to ask everyone to put their tools in the same path.

  • Hi  

    If you whitelist the software by its hash, it will only work as long as the hash value you have whitelisted still matches the software.

    The hash value changes when the same software is updated. As you have a large number of customized development tools, DianneY has suggested the path approach because any change in the software could change the hash value, and the software would again be detected as ML/PE.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link
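The difference Jasmin describes, illustrated with an added example that is not part of this thread and not Sophos code: a generic model of the two allow-rule types (match by SHA-256 hash, match by directory path) run against constructed sample bytes for a developer tool before and after a version bump. The tool bytes and the `C:\DevTools` directory are hypothetical. It shows why the hash rule stops matching after the update while the path rule keeps working, and also the caveat a defender should weigh before choosing the path approach: anything that lands under the allowed directory matches, so write access to that directory needs to be restricted.

```python
import hashlib
import ntpath  # Windows path semantics regardless of the host running this script
from dataclasses import dataclass

# Constructed sample "binaries" for one custom tool, before and after an update.
# Only a few bytes differ, but that is enough to change the hash completely.
TOOL_V1 = b"MZ\x90\x00custom-build-tool v1.0"
TOOL_V2 = b"MZ\x90\x00custom-build-tool v1.1"

# Hypothetical directory that a whitelist-by-path rule would cover.
ALLOWED_DIR = r"C:\DevTools"


def sha256_hex(data: bytes) -> str:
    """Hash of the file contents, as an allow-by-hash rule would record it."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class HashRule:
    """Allow a file only if its contents hash to exactly this value."""
    sha256: str

    def matches(self, path: str, data: bytes) -> bool:
        return sha256_hex(data) == self.sha256


@dataclass
class PathRule:
    """Allow any file located under this directory, whatever its contents."""
    prefix: str

    def matches(self, path: str, data: bytes) -> bool:
        # Normalise the way Windows compares paths: collapse '..' segments,
        # turn '/' into '\', and ignore case. Collapsing '..' first means
        # C:\DevTools\..\Windows\x.exe resolves outside the allowed directory.
        norm_path = ntpath.normcase(ntpath.normpath(path))
        norm_prefix = ntpath.normcase(ntpath.normpath(self.prefix))
        # Require a separator after the prefix so C:\DevTools2 is not matched.
        return norm_path.startswith(norm_prefix + "\\")


def is_allowed(rules, path: str, data: bytes) -> bool:
    """A file is allowed if any configured rule matches it."""
    return any(rule.matches(path, data) for rule in rules)


def scenario() -> dict:
    """Run both rule types over the update scenario from the thread."""
    hash_rule = HashRule(sha256_hex(TOOL_V1))   # recorded when v1.0 was allowed
    path_rule = PathRule(ALLOWED_DIR)
    return {
        # Hash rule: fine for the exact build it was created from ...
        "v1_hash": hash_rule.matches(r"C:\Users\dev\tool.exe", TOOL_V1),
        # ... but silently stops matching after the version bump.
        "v2_hash": hash_rule.matches(r"C:\Users\dev\tool.exe", TOOL_V2),
        # Path rule: survives the update as long as the file lives in the directory.
        "v2_path": path_rule.matches(r"C:\DevTools\tool.exe", TOOL_V2),
        "v2_path_forward_slash": path_rule.matches("c:/devtools/sub/tool.exe", TOOL_V2),
        # Boundary checks every path rule needs.
        "sibling_dir": path_rule.matches(r"C:\DevTools2\tool.exe", TOOL_V2),
        "traversal": path_rule.matches(r"C:\DevTools\..\Windows\dropped.exe", TOOL_V2),
        # The trade-off: an unrelated file copied into the directory is allowed too.
        "unknown_file_in_dir": path_rule.matches(r"C:\DevTools\anything.exe", b"unrelated"),
        "combined_v2_outside_dir": is_allowed([hash_rule, path_rule], r"C:\Users\dev\tool.exe", TOOL_V2),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:>24}: {result}")
```

The last entry in the result shows the situation the original poster is in: an updated tool that sits outside any allowed directory matches neither rule, so the next scan detects it again and someone has to click Allow once more. The practical reading of Jasmin's advice is that a path rule removes that per-version churn, at the price that the directory itself becomes trusted, so it should be writable only by the tooling that is meant to populate it.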
