CryptoGuard detected ransomware in C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2302.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe

Hi TareK ,

Thank you for reaching out to the Sophos Community Forum. Would you be able to confirm what occurred on the device at the time of this detection? Was the application being used to download or share files?

After finding out what occurred on the device, and if you trust the application, you may apply the exclusions provided in the following article: https://support.sophos.com/support/s/article/KB-000039184?language=en_US

Let me know if this helps.

I think Sophos has to go "back to the drawing board" for this one in combination with whatsapp. We are running into the same issue, it seems that it triggeres onthe ".enc" files created by whatsapp which are indeed encrypted files

c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\a3h2z7d7\file[2].enc
c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\a3h2z7d7\file[3].enc
c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\a3h2z7d7\file[4].enc
c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\kvz4lscj\file[1].enc
c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\kvz4lscj\file[2].enc
c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\kvz4lscj\file[3].enc
c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\kvz4lscj\file[4].enc
c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[1].enc
c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[2].enc
c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[3].enc
c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[4].enc
c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[5].enc

however it feels like a bit far fetched to let all customers create exclusions , and this is impossible also since then it will be whitelisted on 

Application

PathC:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2310.3.0_x64__cv1g1gvanyjgm\WhatsApp.exe

and if a new version comes out the whitelisting wont be working anymore

Gladys 

Hi Martijn,

I suggest trying the Cumulative Hotfix package to see if this has any improvements. 
- Intercept X Advanced and Sophos Exploit Prevention cumulative hotfix

If the problem continues to persist, you may need to open a support case for our team to take a closer look into this issue.