One of our hosts, which is protected by Sophos Intercept X, was infected with ransomware.
I checked Vulnerability Prevention Events in the Sophos Console and I found one ransomware event (CryptoGuard) detected two weeks ago, which was blocked:
Suspicious file (c:\windows\windebug.exe)
However, in the History Events for the affected host in the Sophos Console there is an event indicating that, 13 days after this ransomware was blocked, it was unblocked.
Can anyone explain why this unblocking happened?
Is it possible that some privileged user on the affected host allowed execution of a file that caused the ransomware infection?
Hi Sophos User2614,
To find the root cause of the attack, it will require checking certain logs and event logs, and in the Central dashboard, under Threat Analysis Center, you can find out where a malware attack started, how it spread, and which processes or files it has affected. Please check this article for the best practices to be followed.