
CryptoGuard detected ransomware in C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2302.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe

Sophos Endpoint is reporting the detection "CryptoGuard detected ransomware in C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2302.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe".

I am unsure of the reason behind this detection and would appreciate your help in resolving this issue.



  • Hi  ,

    Thank you for reaching out to the Sophos Community Forum. Would you be able to confirm what occurred on the device at the time of this detection? Was the application being used to download or share files?

    After finding out what occurred on the device, and if you trust the application, you may apply the exclusions provided in the following article: https://support.sophos.com/support/s/article/KB-000039184?language=en_US

    Let me know if this helps.


    Gladys Reyes
    Global Community Support Engineer
  • I think Sophos has to go "back to the drawing board" for this one in combination with WhatsApp. We are running into the same issue; it seems that it triggers on the ".enc" files created by WhatsApp, which are indeed encrypted files:

    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\a3h2z7d7\file[2].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\a3h2z7d7\file[3].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\a3h2z7d7\file[4].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\kvz4lscj\file[1].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\kvz4lscj\file[2].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\kvz4lscj\file[3].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\kvz4lscj\file[4].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[1].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[2].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[3].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[4].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[5].enc

    However, it feels a bit far-fetched to let all customers create exclusions, and this is also impossible, since then it will be whitelisted on

    Application

    Path: C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2310.3.0_x64__cv1g1gvanyjgm\WhatsApp.exe

    and if a new version comes out, the whitelisting won't be working anymore.

     

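Added example (not part of the thread and not Sophos code): the two WhatsApp.exe paths quoted above differ only in the version field of the MSIX package full name, while the family name seen in the `.enc` cache paths stays the same. The sketch below parses both forms and flags path exclusions that no longer match the installed version; it assumes the standard `Name_Version_Architecture_ResourceId_PublisherId` layout, and the function names and the exclusion/installed pairing are hypothetical.

```python
import re
from typing import NamedTuple, Optional

# MSIX package full name: Name_Version_Architecture_ResourceId_PublisherId.
# ResourceId is often empty, which produces the double underscore.
FULL_NAME = re.compile(
    r"^(?P<name>[^_]+)_(?P<version>\d+(?:\.\d+){3})_(?P<arch>[^_]+)"
    r"_(?P<resource>[^_]*)_(?P<publisher>[^_]+)$")

class Package(NamedTuple):
    family: str   # Name_PublisherId, lower-cased; constant across updates
    version: str

def _segment_after(path: str, folder: str) -> Optional[str]:
    """Return the path component that follows `folder` (case-insensitive)."""
    parts = path.replace("/", "\\").split("\\")
    lowered = [p.lower() for p in parts]
    if folder in lowered[:-1]:
        return parts[lowered.index(folder) + 1]
    return None

def package_from_install_path(path: str) -> Optional[Package]:
    """Identity embedded in a WindowsApps\\<full name> install path."""
    m = FULL_NAME.match(_segment_after(path, "windowsapps") or "")
    if not m:
        return None
    return Package(f"{m['name']}_{m['publisher']}".lower(), m["version"])

def family_from_data_path(path: str) -> Optional[str]:
    """Family name embedded in an AppData\\Local\\Packages\\<family> path."""
    seg = _segment_after(path, "packages")
    return seg.lower() if seg else None

def stale_exclusions(exclusions, installed_paths):
    """Exclusion paths whose package is now installed under another version."""
    current = {p.family: p.version
               for p in map(package_from_install_path, installed_paths) if p}
    stale = []
    for path in exclusions:
        pkg = package_from_install_path(path)
        if pkg and pkg.family in current and current[pkg.family] != pkg.version:
            stale.append((path, pkg.version, current[pkg.family]))
    return stale

# Paths quoted in the thread; treating one as "exclusion" and one as "installed" is constructed.
EXCLUSION = r"C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2302.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe"
INSTALLED = r"C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2310.3.0_x64__cv1g1gvanyjgm\WhatsApp.exe"
ENC_FILE = r"c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\a3h2z7d7\file[2].enc"
```

Running `stale_exclusions` over an exported exclusion list and the current install paths shows which versioned entries stopped matching after an app update.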