This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

CryptoGuard detected ransomware in C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2302.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe

Sophos Endpoint is detecting a CryptoGuard detected ransomware in C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2302.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe 

I am unsure of the reason behind this detection and would appreciate your help in resolving this issue.



This thread was automatically locked due to age.
Parents
  • Hi  ,

    Thank you for reaching out to the Sophos Community Forum. Would you be able to confirm what occurred on the device at the time of this detection? Was the application being used to download or share files?

    After finding out what occurred on the device, and if you trust the application, you may apply the exclusions provided in the following article: https://support.sophos.com/support/s/article/KB-000039184?language=en_US

    Let me know if this helps.

    Gladys Reyes
    Global Community Support Engineer
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • I think Sophos has to go "back to the drawing board" for this one in combination with whatsapp. We are running into the same issue, it seems that it triggeres onthe ".enc" files created by whatsapp which are indeed encrypted files

    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\a3h2z7d7\file[2].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\a3h2z7d7\file[3].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\a3h2z7d7\file[4].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\kvz4lscj\file[1].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\kvz4lscj\file[2].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\kvz4lscj\file[3].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\kvz4lscj\file[4].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[1].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[2].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[3].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[4].enc
    c:\users\???\appdata\local\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\ac\inetcache\toouzvtr\file[5].enc

    however it feels like a bit far fetched to let all customers create exclusions , and this is impossible also since then it will be whitelisted on 

    Application

    PathC:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2310.3.0_x64__cv1g1gvanyjgm\WhatsApp.exe

    and if a new version comes out the whitelisting wont be working anymore

     

  • Hi Martijn,

    I suggest trying the Cumulative Hotfix package to see if this has any improvements. 
    - Intercept X Advanced and Sophos Exploit Prevention cumulative hotfix

    If the problem continues to persist, you may need to open a support case for our team to take a closer look into this issue.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Reply Children
No Data