CryptoGuard Ransomware Detection

Hi kheir fernandez,

CryptoGuard is constantly monitoring file writes for encrypted files. If it detects that actions behave like ransomware, it will restore the impacted files and stop the detected process's execution.

You have to differentiate in this case between CryptoGuard detecting local encryption activities and detecting remotely executed encryption activities. With a local detection you always have the full context (what application/process encrypted the files) and you can create exclusion that would prevent future detections for that application (see: https://support.sophos.com/support/s/article/KB-000039184). 

If however a remote system is encrypting the files then you have limited visibility (you only see which system (IP address) encrypted which files leading up to the detection. So Cryptoguard reacts with preventing write access for the offending IP address. A new exclusion type, which is available for computers in the EAP, will allow you to specify folders that are not to be monitored for ransomware activities could help if it is a remote detection. More details about the EAP can be found here: New Endpoint/Server Protection Features Early Access Program - Announcements - Endpoint EAP - Sophos Community

Another good read about Cryptoguard is the following KBA: https://support.sophos.com/support/s/article/KB-000036287

Regards,
Marcel

Hi kheir fernandez,

CryptoGuard is constantly monitoring file writes for encrypted files. If it detects that actions behave like ransomware, it will restore the impacted files and stop the detected process's execution.

You have to differentiate in this case between CryptoGuard detecting local encryption activities and detecting remotely executed encryption activities. With a local detection you always have the full context (what application/process encrypted the files) and you can create exclusion that would prevent future detections for that application (see: https://support.sophos.com/support/s/article/KB-000039184). 

If however a remote system is encrypting the files then you have limited visibility (you only see which system (IP address) encrypted which files leading up to the detection. So Cryptoguard reacts with preventing write access for the offending IP address. A new exclusion type, which is available for computers in the EAP, will allow you to specify folders that are not to be monitored for ransomware activities could help if it is a remote detection. More details about the EAP can be found here: New Endpoint/Server Protection Features Early Access Program - Announcements - Endpoint EAP - Sophos Community

Another good read about Cryptoguard is the following KBA: https://support.sophos.com/support/s/article/KB-000036287

Regards,
Marcel

Thanks for the info Marcel,

It is indeed a remote detection as the logs reports the IP address of the machine. So, this new exclusion type is still in EAP, do you know when this feature will become standard? And do you know if any other type of exclusion will be available - it would be nice if we have an option to exclude IP addresses as our remote workstation's IP addresses are reserved addresses.

Regards,

Kheir

Hi kheir fernandez,

I do not have any details concerning when features move from the EAP to the standard release. But this EAP is open for anyone so you could give it a try by adding a specific server to the EAP.

I have not seen anything around IP address exceptions, so this would be something for: https://ideas.sophos.com.

Regards,
Marcel