
CryptoGuard detected ransomware in C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2302.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe

Sophos Endpoint is reporting: CryptoGuard detected ransomware in C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2302.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe

I am unsure of the reason behind this detection and would appreciate your help in resolving this issue.



This thread was automatically locked due to age.
  • I think Sophos has to go "back to the drawing board" for this one in combination with WhatsApp. We are running into the same issue; it seems that it triggers on the ".enc" files created by WhatsApp, which are indeed encrypted files:

    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\a3h2z7d7\file[2].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\a3h2z7d7\file[3].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\a3h2z7d7\file[4].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\kvz4lscj\file[1].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\kvz4lscj\file[2].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\kvz4lscj\file[3].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\kvz4lscj\file[4].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[1].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[2].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[3].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[4].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[5].enc

    However, it feels a bit far-fetched to let all customers create exclusions, and this is impossible also, since it will then be whitelisted on

    Application

    Path: C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2310.3.0_x64__cv1g1gvanyjgm\WhatsApp.exe

    and if a new version comes out, the whitelisting won't be working anymore.
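
Added example (not part of the thread and not Sophos code): a triage helper showing why an exclusion pinned to the full WindowsApps path goes stale on update, while the per-user data folder holding the `.enc` files keeps the same version-independent name. It assumes the standard MSIX full-name layout `Name_Version_Architecture_ResourceId_PublisherId`; the function names are hypothetical and the paths are the ones quoted above.

```python
import re

# MSIX package full name layout: Name_Version_Architecture_ResourceId_PublisherId.
# The package family name (Name_PublisherId) stays the same across versions.
FULL_NAME = re.compile(
    r"^(?P<name>[^_]+)_(?P<version>\d+(?:\.\d+){3})_[^_]*_[^_]*_(?P<publisher>[^_]+)$"
)

def _segment_after(path, marker):
    """Return the path segment that follows `marker` (case-insensitive), or None."""
    parts = path.replace("/", "\\").split("\\")
    lowered = [p.lower() for p in parts]
    if marker in lowered and lowered.index(marker) + 1 < len(parts):
        return parts[lowered.index(marker) + 1]
    return None

def parse_install_path(exe_path):
    """Return (family_name, version) for an executable under WindowsApps, else None."""
    match = FULL_NAME.match(_segment_after(exe_path, "windowsapps") or "")
    if not match:
        return None
    return f"{match['name']}_{match['publisher']}".lower(), match["version"]

def exclusion_status(excluded_exe, detected_exe):
    """Explain why a full-path exclusion does or does not cover a detected process."""
    if excluded_exe.lower() == detected_exe.lower():
        return "covered"
    old, new = parse_install_path(excluded_exe), parse_install_path(detected_exe)
    if old and new and old[0] == new[0]:
        return f"stale: same package family, version {old[1]} -> {new[1]}"
    return "unrelated"

def is_app_cache_file(file_path, exe_path):
    """True if file_path is an .enc file in the INetCache of the package that owns exe_path."""
    parsed = parse_install_path(exe_path)
    folder = _segment_after(file_path, "packages")
    lowered = file_path.lower()
    return bool(parsed and folder and folder.lower() == parsed[0]
                and "\\ac\\inetcache\\" in lowered and lowered.endswith(".enc"))

# Paths quoted in the thread above.
OLD_EXE = r"C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2302.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe"
NEW_EXE = r"C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2310.3.0_x64__cv1g1gvanyjgm\WhatsApp.exe"
ENC_FILE = r"c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\a3h2z7d7\file[2].enc"

if __name__ == "__main__":
    print(exclusion_status(OLD_EXE, NEW_EXE))
    print(is_app_cache_file(ENC_FILE, NEW_EXE))
```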

     

  • Hi Martijn,

    I suggest trying the Cumulative Hotfix package to see if this has any improvements. 
    - Intercept X Advanced and Sophos Exploit Prevention cumulative hotfix

    If the problem continues to persist, you may need to open a support case for our team to take a closer look into this issue.

    Kushal Lakhan
    Team Lead, Global Community Support