
Unusual Behaviour seen across multiple devices - anyone else seeing this


We have had a few user events kick in with the following order type:

Whilst we cannot find anything untoward on the device or the end users' activity, we have seen the above steps replicated across about 3 other devices, on different dates and times.

I find it strange that the events include the FTP, Quick Assist, and WhoAmI applications, and it seems as though it has been triggered by something.

Anyone else seen similar?

  • Thank you for reaching out to the community forum.

    On the endpoint side, we can see that the application control and the policy you've applied work as expected. Have you tried checking the event logs to confirm which user triggers this app to launch? If you suspect a script or a scheduled task is calling those applications and triggering them to run, you can use Autoruns.exe to help you identify it.

    In addition, we have our Rapid Response team as well if you want a detailed investigation of the said event. If you wish to speak with them, you can inform us or speak directly with your Account Manager.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thanks Glenn, 

    Yes, I am happy the policies seem to be working, but I will give your advice a try. I was more keen to understand if anyone else had seen this type of behaviour and would possibly consider it suspicious activity.

  • Do you think they are picked up as part of a scheduled scan? In the app control policy, do you have this checked:

    "Detect controlled applications during scheduled and on-demand scans"

    If you look at the client log SophosScanCoordinator.log under C:\ProgramData\Sophos\Endpoint Defense\Logs\, does that help? Does a scheduled scan even tie in with those times?  Are there detections for those apps in that log?
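The two replies above point at the same question from different ends: who or what launched these binaries (event logs, Autoruns for tasks), and whether the detection times line up with a scan rather than an execution. The Python script below, added here as an illustration and not code from this thread or from Sophos, correlates constructed application-control detection times with constructed Windows Security 4688 (process creation) records for the three binaries. A detection with a 4688 for the same host and image within a short window was a real launch, and the record gives the user, the parent image and (by a second lookup) the parent's own creator; a detection with no 4688 nearby is more consistent with a scan finding the file on disk. It also looks for the back-to-back pattern the original post describes: all three binaries launched by the same parent and user within a few minutes. The one-line-per-event export format, host names, users, times and paths are all constructed; on real data, 4688 auditing has to be enabled on the endpoints for the records to exist at all.

```python
"""Correlate Sophos application-control detections for ftp.exe, quickassist.exe and
whoami.exe with Windows Security 4688 (process creation) records.

Added example; all hosts, times, users and paths below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Binaries named in the thread, matched by file name, case-insensitive.
WATCHED = {"ftp.exe", "quickassist.exe", "whoami.exe"}

# Constructed, simplified one-line-per-event export of Security 4688 records.
# Real EVTX/XML exports carry many more fields; NewProcessName, CreatorProcessName
# and SubjectUserName are the three needed here. Paths are illustrative only.
SAMPLE_4688 = """\
2024-05-14T09:10:00 WS01 NewProcessName=C:\\Windows\\System32\\cmd.exe CreatorProcessName=C:\\Windows\\System32\\svchost.exe SubjectUserName=jdoe
2024-05-14T09:12:03 WS01 NewProcessName=C:\\Windows\\System32\\whoami.exe CreatorProcessName=C:\\Windows\\System32\\cmd.exe SubjectUserName=jdoe
2024-05-14T09:12:04 WS01 NewProcessName=C:\\Windows\\System32\\ftp.exe CreatorProcessName=C:\\Windows\\System32\\cmd.exe SubjectUserName=jdoe
2024-05-14T09:12:06 WS01 NewProcessName=C:\\Windows\\System32\\quickassist.exe CreatorProcessName=C:\\Windows\\System32\\cmd.exe SubjectUserName=jdoe
2024-05-15T13:40:11 WS02 NewProcessName=C:\\Windows\\System32\\whoami.exe CreatorProcessName=C:\\Windows\\explorer.exe SubjectUserName=asmith
"""

# Constructed application-control detections (host, time, application), as one might
# copy them out of the management console's event list.
SAMPLE_DETECTIONS = [
    ("WS01", "2024-05-14T09:12:05", "whoami.exe"),
    ("WS01", "2024-05-14T09:12:05", "ftp.exe"),
    ("WS01", "2024-05-14T09:12:07", "quickassist.exe"),
    ("WS03", "2024-05-16T02:00:30", "ftp.exe"),  # nothing launched on WS03: a scan hit?
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+NewProcessName=(?P<new>\S+)\s+"
    r"CreatorProcessName=(?P<parent>\S+)\s+SubjectUserName=(?P<user>\S+)$"
)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_4688(text):
    """Parse the simplified export into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"].upper(),
                           "image": _basename(m["new"]), "parent": _basename(m["parent"]),
                           "user": m["user"]})
    return events


def grandparent(events, child):
    """Image that created `child`'s parent: the most recent launch of the parent image on the
    same host at or before the child's start (a heuristic; PIDs are not in this export)."""
    earlier = [e for e in events if e["host"] == child["host"]
               and e["image"] == child["parent"] and e["ts"] <= child["ts"]]
    return max(earlier, key=lambda e: e["ts"])["parent"] if earlier else None


def correlate(detections, events, window=timedelta(minutes=2)):
    """For each detection, find the nearest 4688 for the same host and image within +/- window.
    A match means the binary really ran and names the user and parent; no match is more
    consistent with a scan finding the file on disk than with an execution."""
    results = []
    for host, ts, app in detections:
        t = datetime.fromisoformat(ts)
        near = [e for e in events if e["host"] == host.upper() and e["image"] == app.lower()
                and abs(e["ts"] - t) <= window]
        best = min(near, key=lambda e: abs(e["ts"] - t), default=None)
        results.append({"host": host, "app": app, "detected": t,
                        "executed": best is not None,
                        "user": best["user"] if best else None,
                        "parent": best["parent"] if best else None,
                        "grandparent": grandparent(events, best) if best else None})
    return results


def find_sequences(events, window=timedelta(minutes=5)):
    """Report (host, parent, user) groups that launched every watched binary within `window`:
    the back-to-back pattern the thread describes, which points at a script or task rather
    than a person typing each command."""
    groups = defaultdict(list)
    for e in events:
        if e["image"] in WATCHED:
            groups[(e["host"], e["parent"], e["user"])].append(e)
    hits = []
    for (host, parent, user), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window over this group's launches
            run = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            if {e["image"] for e in run} == WATCHED:
                hits.append({"host": host, "parent": parent, "user": user, "first": start["ts"],
                             "span_seconds": int((run[-1]["ts"] - start["ts"]).total_seconds())})
                break
    return hits


if __name__ == "__main__":
    evs = parse_4688(SAMPLE_4688)
    for r in correlate(SAMPLE_DETECTIONS, evs):
        print(r)
    for h in find_sequences(evs):
        print("SEQUENCE:", h)
```

On the constructed data the three WS01 detections resolve to launches by cmd.exe as jdoe, with that cmd.exe itself created by svchost.exe, which is the kind of chain Autoruns or the Task Scheduler history would then explain; the WS03 detection has no process creation near it, which is the "scan found the file" case the previous reply asks about. Matching on file name alone is deliberate, since Quick Assist has lived at different paths across Windows releases; with full command-line auditing enabled the same join can also surface the arguments passed to ftp.exe.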

  • This was picked up as part of a random check 

  • If you have a Sophos XDR license, I suggest checking through some of the queries shown under "Threat Analysis Center > Live Discover" to see if any of the queries listed under "ATT&CK" give you further insights on the events that were generated. 

    Kushal Lakhan
    Team Lead, Global Community Support
  • Already checked, and we can't see anything under ATT&CK; plus, manual scans and checks show nothing either. Really strange.
