What is this alert, and how can we fix it?

  • uid: 11153a4b-eb17-3ea8-e686-4e277003c638
  • family_id: 6eb3ff26-0e34-15a1-0f48-11e273784787
  • process_alias_path: $windows\explorer.exe
  • process_name: Windows Explorer
  • process_version: 10
  • thumbprint: 20f00333e19359ac81a0ac9dd49f7dd31533f3379a6e57f78bada98b0b7c64cf
  • details: Mitigation CryptoGuard V5 Timestamp 2022-11-03T14:03:05 Platform 10.0.19044/x64 v37 06_8e- PID 11152 Enabled 00052E3000800004 Application C:\Windows\explorer.exe Created 2022-10-17T04:21:29 Modified 2022-10-17T04:21:29 Description Windows Explorer 10 Filename C:\Windows\explorer.exe Detection Generic.Ransom.C


[edited by: Qoosh at 11:08 PM (GMT -8) on 12 Dec 2022]
  • Hi Ashish,

    You'll find more details on what occurred on the device leading up to this detection from the Windows Event Viewer. I suggest looking for Event ID 911, which will help us better understand why this detection occurred.

    In most cases, there is a script or application that launches explorer.exe to perform some further operations.

    As this detection states "Generic.Ransom.C" there is also a possibility that this could have been a false positive. I suggest determining if any specific actions were taken on the device when the detection occurred. This could be something like opening a specific program or using a plugin to perform certain actions when saving files.

    Kushal Lakhan
    Global Community Support Engineer
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
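The two checks the answer suggests (pull the Event ID 911 entries around the detection time, and weigh the false-positive possibility) can be scripted for triage. This is an added example, not part of the original thread or of Sophos' own tooling; it assumes the Sophos event lands in the Windows Application log, that the alert's thumbprint is the SHA-256 of the flagged file, and it reuses the timestamp, path and thumbprint from the alert details in the question.

```powershell
# Added triage example (not from the original thread). Assumptions: the Sophos
# detection event is written to the Windows "Application" log (adjust LogName if
# your endpoint logs elsewhere) and the alert "thumbprint" is the file's SHA-256.
# Timestamp, path and thumbprint are copied from the alert details above.

$DetectionTime   = [datetime]'2022-11-03T14:03:05'
$AlertThumbprint = '20f00333e19359ac81a0ac9dd49f7dd31533f3379a6e57f78bada98b0b7c64cf'
$FlaggedPath     = 'C:\Windows\explorer.exe'

# 1. Event ID 911 entries in a +/-15 minute window around the detection.
#    The message body usually names the process chain that led to the block.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'            # assumption, see comment above
    Id        = 911
    StartTime = $DetectionTime.AddMinutes(-15)
    EndTime   = $DetectionTime.AddMinutes(15)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No Event ID 911 entries in the window; widen the range or check the log name.'
} else {
    $events | Select-Object TimeCreated, ProviderName, Message | Format-List
}

# 2. Does the binary on disk still match the alert, and is it a validly signed
#    Microsoft file? A matching hash plus a valid Microsoft signature supports the
#    false-positive hypothesis; a mismatch alone is not suspicious, since Windows
#    Update may have replaced explorer.exe since the detection.
$hash = (Get-FileHash -Path $FlaggedPath -Algorithm SHA256).Hash.ToLower()
$sig  = Get-AuthenticodeSignature -FilePath $FlaggedPath

[pscustomobject]@{
    Path             = $FlaggedPath
    HashMatchesAlert = ($hash -eq $AlertThumbprint)
    SignatureStatus  = $sig.Status          # expect 'Valid' for a genuine Microsoft binary
    Signer           = $sig.SignerCertificate.Subject
}
```

Run it in an elevated PowerShell session on the affected device; the Event ID 911 message text is what identifies the script or application that launched explorer.exe, which is the question the answer says needs settling first.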