
Where to find removed files?

Hi,

Intercept X has removed a file. I want to send it to Sophos Labs for analyzing. Where can I find it? I do not want to release it to get hold of it ;-)

  • Hi,

    Do you want it analyzed because you think it is a false positive detection?

    The reason I ask is that you shouldn't restore a file unless you are confident it isn't malicious. When you restore it, it is basically whitelisted for your environment.

    RichardP

    Snr. New Product Introduction Engineer | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • No, that's why I asked. I don't want to restore it to the default location. I was just thinking if there is maybe a quarantine folder where all those files are kept. The file that we are talking about is an inf file and I am wondering what is in that file. I need to examine it because the file name indicates it is indeed malicious. The name is "fuckgothin.inf". Google search led me to believe it is pulling stuff from an IP address.

  • Quarantined items are moved from SophosClean to the SafeStore, which houses the unwanted/suspect data in an encrypted format. Files can only be restored/decrypted to their default location.

    There are two SafeStore quarantine folders:

    • Program Data\Sophos\SafeStore
    • Program Data\Sophos\Sophos Anti-Virus\SafeStore

    If you have Intercept X with EDR, you can do analysis also directly via Central. Maybe you just start a trial version if possible.

    Intrusus
    Sophos Certified Engineer | Sophos Certified Technician

    private lab:
    XG firewall with SFOS 18.0.3 MR-3
    Intercept X Advanced (for Server) with EDR EAP latest
    If a post solves your question use the 'Verify Answer' link

  • Intrusus is correct: the SafeStore will have the file in an encrypted format if it is under 75 MB; files larger than that are deleted instead of stored.

    In this case, because it was blocked and cleaned, I would highly discourage restoring it.

    You won't be able to read the file inside the SafeStore (because of the encryption), and we do that to prevent it from ever executing or being used by other elements on the system.

    RichardP

    Snr. New Product Introduction Engineer | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • OK, but the big downside of this procedure is that false positives can never be identified unless we pay for EDR. Nice business model ;-)
