Advisory: Support Portal Maintenance. Login is currently unavailable, more info available here.
Intercept X has removed a file. I whant to send it to Sophos Labs for analyzing. Where can I find it ? I do not whant to release it to get hold of it ;-)
When an item is detected, a Sophos internal utility called Sophos Clean is used to cleanup the item. Customers using Sophos Central have the ability to restore files after they have been cleaned up…
When an item is detected, a Sophos internal utility called Sophos Clean is used to cleanup the item. Customers using Sophos Central have the ability to restore files after they have been cleaned up. This feature is designed to allow the restoration of files and their associated permissions, registry keys e.t.c. after they have been incorrectly detected as malware and removed. BUT not all detected files will have an option to be restored, it is predominantly Portable Executable (PE) files that can be restored, this includes for example .exe, .dll and .sys files, whereas documents and scripts like .doc, .xls and .js aren't able to be restored.
To restore a file after a detection, please do the following:
Please give feedback if this helped you out!
IntrususSophos Certified Engineer | Sophos Certified Technician
private lab: XG firewall with SFOS 18.0.3 MR-3Intercept X Advanced (for Server) with EDR EAP latest If a post solves your question use the 'Verify Answer' link
Are you wanted it analyzed because you think it is a false positive detection?
The reason I ask, is you shouldn't restore a file unless you are confident it isn't malicious. When you restore it, it is basically whitelisted for your environment.
Snr. New Product Introduction Engineer | CISSP | Sophos Technical SupportSupport Videos | Product Documentation | @SophosSupport | Sign up for SMS AlertsIf a post solves your question use the 'Verify Answer' link.
No, that's why I asked. I don't want to restore it to the default location. I was just thinking if there is maybe a quarantine folder where all those files are kept. The file that we are talking about is a inf file and I am wondering what is in that file. I need to examine it because the fle name indicates it is indeed malicious. The name is "fuckgothin.inf". Google search led me to believe it is pulling stuff from an IP address.
Quarantined items are moved from SophosClean to the SafeStore which houses the unwanted/suspect data in an encrypted format. Files only can be restored/decrypted to their default location.
There are two SafeStore quarantine folders:
If you have Intercept X with EDR, you can do analysis also directly via Central. Maybe you just start a trial version if possible.
Intrusus is correct - the Safestore will have the file in an encrypted format - if it is under 75 MB - files larger than that are deleted instead of stored.
In this case, because it was blocked and cleaned - I would highly discourage restoring it.
You won't be able to read the file inside the safestore (because of the encryption) and we do that to prevent it from ever executing or being used by other elements on the system.
yes, I know how to release files, but the big question is, if it is safe to release a file. How am I supposed to know if file is false positive without having the chance to send it to Sophos Labs for example. On the other hand in my case it is an inf file. So what you are saying is, that sophos clean is removing it and it is gone for good? What if theis was an false positive? Bad luck?
Sorry, then I misunderstood you
In these circumstances, Sophos suggests using the files SHA-256 hash. For Sophos Central customers, locating the SHA-256 hash of a detected or suspicious file is normally easy, for details on how to do this please see Sophos Central: How to locate a files unique SHA-256 hash. Then put this Hash into VirusTotal to check if other vendors have registered it as malware.
If the hash is unknown, we have here an official way when a file gets detected by central managed endpoints: If the target file has been detected by the endpoint and put into SafeStore you will need to contact Technical Support for them to process the extraction and submission. I know this can take some time, but it's the safest and only official way at the moment.
ok, but the big downside of this procedure is, that false positives can never be identified, except we pay for EDR. Nice business modell ;-)