Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 15 subscribers
  • Views 2012 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unusual Behaviour seen across multiple devices - anyone else seeing this

SimonGoode

Hi 

We have had a few users events kick in with the following order type 

Whilst we cannot find anything untoward on the device or the endusers' activitiy, we have seen the above steps replicated across about 3 other devices, different dates, and times. 

I find it strange that the events include FTP, Quick Assist, and WhoAmI applications, and seems to be as though it's been triggered by something. 

Anyone else seen similar ?



This thread was automatically locked due to age.
Parents
  • 0

    Thank you for reaching the community forum. 

    For endpoint level side, we can see that the application and the policy you've applied works as expected. Have you tried checking the event logs to confirm which users triggers this app to launch? If you suspect a script or a scheduled task is calling those application and triggers to run. You can use Autoruns.exe to help you identify.

    In Addition, we have our Rapid Response team as well if you want to have a detailed investigation for the said event. If you wish to speak with them, You can inform us or speak directly with your Account manager. 

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • 0 in reply to GlennSen

    Thanks Glenn, 

    Yes I am happy the policies seem to be working, but will give your advice a try. I was more keen to understand if anyone else had seen this type of behviour and possibly consider it suspicious type of activity. 

  • 0 in reply to SimonGoode

    Are they picked up as part of a Scheduled scan do you think?  In the app control policy, do you have this checked:

    "Detect controlled applications during scheduled and on-demand scans"

    If you look at the client log SophosScanCoordinator.log under C:\ProgramData\Sophos\Endpoint Defense\Logs\, does that help? Does a scheduled scan even tie in with those times?  Are there detections for those apps in that log?

Reply
  • 0 in reply to SimonGoode

    Are they picked up as part of a Scheduled scan do you think?  In the app control policy, do you have this checked:

    "Detect controlled applications during scheduled and on-demand scans"

    If you look at the client log SophosScanCoordinator.log under C:\ProgramData\Sophos\Endpoint Defense\Logs\, does that help? Does a scheduled scan even tie in with those times?  Are there detections for those apps in that log?

Children
Unfiltered HTML