QUESTION: Does anyone see false positives for CryptoGuard on MS Word for macOS?
DETAILS: macOS 10.15
Using Sophos Central, we have a single user who has had CryptoGuard detections twice within four weeks on MS Word.app:
"CryptoGuard detected ransomware in ∕Applications∕Microsoft Word.app∕Contents∕MacOS∕Microsoft Word"
Each time, there were a number of .doc and .docx documents open.
The first time, there was a full Threat Analysis uploaded and it seemed like it could have been legitimate as there were some email attachments in the mix, but it's difficult for me to say as I'm not the technician who ended up with the computer in front of me.
At that time the computer was erased and had the OS and applications reinstalled, and the user was counseled to delete the suspect attachments. Scanned clean.
This time, same detection on Word, but no Threat Analysis was uploaded so there's very little data for me to go on.
User has restarted the computer, the computer has completed a scan, and the detection did not recur (24 hours ago now).
I'm reluctant to click the box to Exclude the Detection ID without some more definitive indicators that this is a false positive.