
Central Endpoint: Malware cleaned up - where is the backup?

On a server, a suspected webshell has been found and deleted by Sophos Endpoint.

MDR Team checked the case and confirmed: Hash verification via OSINT indicates 'C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\suspectedmalwarefile.jsp' is malicious.

Now it seems as if Sophos Endpoint deleted the files and that's it - no backup, no quarantine? Really?
We need to check this case with the vendor of the software that is running on the server and what is running with the serviceusername account. Without a file sample, we can just save ourselves the time of investigating with the vendor.

C:\ProgramData\Sophos\Endpoint Defense\Logs\SSP.log shows:

2023-08-06T15:02:38.393Z [ 2924:10700] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:07:41.447Z [ 2924:10808] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:12:46.096Z [ 2924:10808] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:17:49.665Z [ 2924:11096] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:18:33.296Z [ 2924: 5676] A File C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\suspectedmalwarefile.jsp belongs to virus/spyware 'Troj/WebShel-DM' (Technical support reference: xxxxxxxxxxxxxxxxxxx)
2023-08-06T15:18:33.293Z [ 2924: 5676] A File C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\suspectedmalwarefile.jsp belongs to virus/spyware 'Troj/WebShel-DM' (Technical support reference: xxxxxxxxxxxxxxxxxxx)
2023-08-06T15:18:33.362Z [ 2924: 5676] A File C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\suspectedmalwarefile.jsp belongs to virus/spyware 'Troj/WebShel-BJ' (Technical support reference: xxxxxxxxxxxxxxxxxxx)
2023-08-06T15:18:33.364Z [ 2924: 5676] A File C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\suspectedmalwarefile.jsp belongs to virus/spyware 'Troj/WebShel-BJ' (Technical support reference: xxxxxxxxxxxxxxxxxxx)
2023-08-06T15:18:33.401Z [ 2924: 5676] A File C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\suspectedmalwarefile.jsp belongs to virus/spyware 'Troj/WebShel-DM' (Technical support reference: xxxxxxxxxxxxxxxxxxx)
2023-08-06T15:18:33.404Z [ 2924: 5676] A File C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\suspectedmalwarefile.jsp belongs to virus/spyware 'Troj/WebShel-DM' (Technical support reference: xxxxxxxxxxxxxxxxxxx)
2023-08-06T15:18:47.832Z [ 2924: 4060] A Clean completion: ID='4BF54E75-4CD5-42B9-A04E-3C7651155ADE' (Action='01DEE590-C617-4BE3-8A8B-E169EE25BB0D'); Result='SUCCESS'
2023-08-06T15:18:47.837Z [ 2924: 4060] A Clean completion: ID='85005EC3-2BF0-425B-8232-66A6AC1EE436' (Action='F480FF37-EE1A-4D82-AD39-7583213A645E'); Result='SUCCESS'
2023-08-06T15:18:47.842Z [ 2924: 4060] A Clean completion: ID='F004242B-1E72-4AC6-A23A-F96E89499B95' (Action='1FAD33BA-B06E-404C-B4D6-04CCF4DFEB27'); Result='SUCCESS'
2023-08-06T15:22:52.530Z [ 2924: 7344] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:27:56.064Z [ 2924:12820] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:33:00.562Z [ 2924: 7344] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:35:58.678Z [ 2924: 1296] A RCA found a root cause for beacon suspectedmalwarefile.jsp.
2023-08-06T15:36:05.474Z [ 2924: 3776] A RCA 8d962af5-d7e1-44d3-0bd8-693492a93a3a_1778d453a774822c.tgz successfully uploaded
2023-08-06T15:38:04.228Z [ 2924:10952] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:43:07.647Z [ 2924:12820] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:48:11.110Z [ 2924:12820] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:53:13.949Z [ 2924:11392] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:53:37.415Z [ 2924: 1296] A RCA found a root cause for beacon suspectedmalwarefile.jsp.
2023-08-06T15:53:52.797Z [ 2924: 3776] A RCA 8d962af5-d7e1-44d3-0bd8-693492a93a3a_1778d453ab838480.tgz successfully uploaded
2023-08-06T15:58:17.482Z [ 2924:11392] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T16:03:21.099Z [ 2924:10952] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T16:08:24.789Z [ 2924: 8680] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T16:11:32.529Z [ 2924: 1296] A RCA found a root cause for beacon suspectedmalwarefile.jsp.
2023-08-06T16:12:06.091Z [ 2924: 3776] A RCA 8d962af5-d7e1-44d3-0bd8-693492a93a3a_1778d453addaee80.tgz successfully uploaded
2023-08-06T16:13:28.271Z [ 2924: 8516] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T16:18:31.612Z [ 2924: 8516] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T16:23:34.440Z [ 2924:10356] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.

The log shows that something has been uploaded somewhere. What is that file, and does it contain a backup of what has been deleted?

A RCA 8d962af5-d7e1-44d3-0bd8-693492a93a3a_1778d453a774822c.tgz successfully uploaded

Edit: I found the RCA files in Sophos\Endpoint Defense\Data\Saved Data and they only contain what can be found in Central "Threat Analysis Center", not a file copy of the deleted file.
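Added example (not from the original post or from Sophos): a small Python parser for SSP.log lines like the ones quoted above, which groups detection, clean-completion, RCA-upload and any restore events per detected path, so you can confirm from the log alone that a clean-up ran and that no restore was ever recorded. The sample log and its paths/IDs are constructed, and the "restored" pattern is an assumption, since the exact wording of that event is not shown in the thread.

```python
import re
# Constructed sample modelled on the SSP.log excerpt in the post; paths and IDs are placeholders.
SAMPLE_LOG = r"""
2023-08-06T15:17:49.665Z [ 2924:11096] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:18:33.362Z [ 2924: 5676] A File C:\Users\svc\AppData\Local\Temp\SERVICE_XXX\suspected.jsp belongs to virus/spyware 'Troj/WebShel-BJ' (Technical support reference: xxxx)
2023-08-06T15:18:33.293Z [ 2924: 5676] A File C:\Users\svc\AppData\Local\Temp\SERVICE_XXX\suspected.jsp belongs to virus/spyware 'Troj/WebShel-DM' (Technical support reference: xxxx)
2023-08-06T15:18:47.832Z [ 2924: 4060] A Clean completion: ID='4BF54E75-4CD5-42B9-A04E-3C7651155ADE' (Action='01DEE590-C617-4BE3-8A8B-E169EE25BB0D'); Result='SUCCESS'
2023-08-06T15:35:58.678Z [ 2924: 1296] A RCA found a root cause for beacon suspected.jsp.
2023-08-06T15:36:05.474Z [ 2924: 3776] A RCA 8d962af5-d7e1-44d3-0bd8-693492a93a3a_1778d453a774822c.tgz successfully uploaded
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \[\s*(?P<pid>\d+):\s*(?P<tid>\d+)\] A (?P<msg>.*)$")
PATTERNS = [  # checked in order: "detection" must precede "controlled_app", both start with "File"
    ("detection", re.compile(r"^File (?P<path>.+?) belongs to virus/spyware '(?P<threat>[^']+)'")),
    ("controlled_app", re.compile(r"^File (?P<path>.+?) is controlled app (?P<app>.+?)\.?$")),
    ("clean", re.compile(r"^Clean completion: ID='(?P<id>[^']+)' \(Action='(?P<action>[^']+)'\); Result='(?P<result>[^']+)'")),
    ("rca_root_cause", re.compile(r"^RCA found a root cause for beacon (?P<beacon>.+?)\.?$")),
    ("rca_upload", re.compile(r"^RCA (?P<archive>\S+\.tgz) successfully uploaded")),
    ("restore", re.compile(r"restored", re.IGNORECASE)),  # assumed wording; exact event text not in the thread
]

def parse_log(text):
    # Turn each SSP.log line into an event dict tagged with the first matching pattern kind.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = {"ts": m["ts"], "kind": "other", "msg": m["msg"]}
            for kind, pat in PATTERNS:
                if hit := pat.search(m["msg"]):
                    ev["kind"] = kind
                    ev.update(hit.groupdict())
                    break
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])  # the raw log is not strictly time-ordered

def summarize(events):
    # Per detected path: threat names seen, whether a SUCCESS clean-up followed, RCA archives, any restore event.
    out = {}
    for ev in events:
        if ev["kind"] == "detection":
            rec = out.setdefault(ev["path"], {"threats": set(), "cleaned": False, "rca": [], "restored": False})
            rec["threats"].add(ev["threat"])
        for rec in out.values():  # later events are attributed to every path already detected
            if ev["kind"] == "clean" and ev["result"] == "SUCCESS":
                rec["cleaned"] = True
            elif ev["kind"] == "rca_upload":
                rec["rca"].append(ev["archive"])
            elif ev["kind"] == "restore":
                rec["restored"] = True
    return out
```

Run it against the real SSP.log with `summarize(parse_log(open(path).read()))`; a record with `cleaned` true and `restored` false is exactly the situation described in this thread.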

  • Hi LHerzog,

    Thanks for reaching out.

    A copy of the cleaned-up file will be stored within the Sophos SafeStore. The only way to restore the file yourself would be to create an exclusion for the detected file.

    If you don’t wish to create an exclusion for the file locally, I suggest raising a support case with our team so we can assist you further.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thanks, unfortunately making an exclusion for one of the deleted files did not restore anything to where it had been deleted.

  • The path in the logs you provided shows:
    C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\suspectedmalwarefile.jsp

    Does the file path (C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\) still exist leading to "suspectedmalwarefile.jsp"? 

    If not, you may want to try re-creating this file path to see if a restore operation succeeds once the path is created. Did the logs also state "Restored Successfully" or has no event like this been generated in Sophos Central?

    Kushal Lakhan
    Team Lead, Global Community Support
  • The original path exists and I have not seen a log in Central stating it has restored something.

    I wouldn't expect a restore to happen when I whitelist an application path.

    I have opened a case for this and will PM you the case number.

    Sorry, what is that generic answer from support?

    "We would like to have more information on this case. Kindly help us with the below information.

    • License Number: 
    • Since when have you been experiencing this issue?
    • The type of file (part of a program, installer, executable program itself)?
    • Origin of the file (proprietary or publicly available)?"

    It's a bit annoying.

  • Thank you for clarifying. I suspect the file did not get restored due to the type of detection that was raised. In instances where Sophos believes it has caught a 'True Detection', excluding the file or path will not restore it.

    I've followed up with our management teams to raise your concerns regarding your interactions with Sophos Support. I've also added some notes to the case to help progress the issue. My apologies for the frustration.

    Kushal Lakhan
    Team Lead, Global Community Support
  • The outcome is: SafeStore is empty and the files do not exist to restore.

    So Sophos Endpoint is designed to delete what it likes and you have no way to get the files back for forensics, troubleshooting or even restoring your computer(s).

    That's nice. For attackers. But not for the Sophos customer.

    I have never seen an antivirus product that has no quarantine. Nor have I seen one that does not allow the admin to decide whether he wants to quarantine on a detection or not. Finally I have found it with Sophos Intercept X.

    Screenshot taken from your Twitter/X account:

  • I was always a bit confused about the restore possibilities. Is this the official / final answer from Sophos support? How can the MDR team do forensics if they don't even have the malicious file? I can compare hashes by myself...

  • I understand your frustrations. It may be worthwhile inquiring further with support why the Sophos SafeStore did not retain a copy of the files that were cleaned up, as this is certainly not the norm.

    Do you know if any of the following conditions were met, which may have resulted in the file not being retained?

    • The single file limit is 100 GB.
    • The overall quarantine size limit is 200 GB.
    • The maximum number of files stored is 2000.

    You are correct that the "Remediation" option will not affect the behaviour on Windows devices regarding cleanup; however, this is why the SafeStore is present.
    Remediation: Windows computers always clean up detected items, regardless of this setting. You can only turn off automatic cleanup on Macs.

    If you have any suggestions on how you'd like to see the current behaviour improved, do let me know and I'd be happy to assist in submitting a feature request.

    Kushal Lakhan
    Team Lead, Global Community Support