This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Central Endpoint: Malware cleaned up - where is the backup?

On a server, a suspected webshell has been found and deleted by Sophos Endpoint.

MDR Team checked the case and confirmed: Hash verification via OSINT indicates 'C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\suspectedmalwarefile.jsp' is malicious.

Now it seems, as Sophos Endpoint deleted the files and that's it - no backup, no quarantine? Really?
We need to check this case with the vendor of the software that is running on the server and what is running with the serviceusername account. Without a file sample, we just can save our time to investigate with the vendor.

C:\ProgramData\Sophos\Endpoint Defense\Logs\SSP.log shows:

2023-08-06T15:02:38.393Z [ 2924:10700] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:07:41.447Z [ 2924:10808] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:12:46.096Z [ 2924:10808] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:17:49.665Z [ 2924:11096] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:18:33.296Z [ 2924: 5676] A File C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\suspectedmalwarefile.jsp belongs to virus/spyware 'Troj/WebShel-DM' (Technical support reference: xxxxxxxxxxxxxxxxxxx)
2023-08-06T15:18:33.293Z [ 2924: 5676] A File C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\suspectedmalwarefile.jsp belongs to virus/spyware 'Troj/WebShel-DM' (Technical support reference: xxxxxxxxxxxxxxxxxxx)
2023-08-06T15:18:33.362Z [ 2924: 5676] A File C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\suspectedmalwarefile.jsp belongs to virus/spyware 'Troj/WebShel-BJ' (Technical support reference: xxxxxxxxxxxxxxxxxxx)
2023-08-06T15:18:33.364Z [ 2924: 5676] A File C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\suspectedmalwarefile.jsp belongs to virus/spyware 'Troj/WebShel-BJ' (Technical support reference: xxxxxxxxxxxxxxxxxxx)
2023-08-06T15:18:33.401Z [ 2924: 5676] A File C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\suspectedmalwarefile.jsp belongs to virus/spyware 'Troj/WebShel-DM' (Technical support reference: xxxxxxxxxxxxxxxxxxx)
2023-08-06T15:18:33.404Z [ 2924: 5676] A File C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\suspectedmalwarefile.jsp belongs to virus/spyware 'Troj/WebShel-DM' (Technical support reference: xxxxxxxxxxxxxxxxxxx)
2023-08-06T15:18:47.832Z [ 2924: 4060] A Clean completion: ID='4BF54E75-4CD5-42B9-A04E-3C7651155ADE' (Action='01DEE590-C617-4BE3-8A8B-E169EE25BB0D'); Result='SUCCESS'
2023-08-06T15:18:47.837Z [ 2924: 4060] A Clean completion: ID='85005EC3-2BF0-425B-8232-66A6AC1EE436' (Action='F480FF37-EE1A-4D82-AD39-7583213A645E'); Result='SUCCESS'
2023-08-06T15:18:47.842Z [ 2924: 4060] A Clean completion: ID='F004242B-1E72-4AC6-A23A-F96E89499B95' (Action='1FAD33BA-B06E-404C-B4D6-04CCF4DFEB27'); Result='SUCCESS'
2023-08-06T15:22:52.530Z [ 2924: 7344] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:27:56.064Z [ 2924:12820] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:33:00.562Z [ 2924: 7344] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:35:58.678Z [ 2924: 1296] A RCA found a root cause for beacon suspectedmalwarefile.jsp.
2023-08-06T15:36:05.474Z [ 2924: 3776] A RCA 8d962af5-d7e1-44d3-0bd8-693492a93a3a_1778d453a774822c.tgz successfully uploaded
2023-08-06T15:38:04.228Z [ 2924:10952] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:43:07.647Z [ 2924:12820] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:48:11.110Z [ 2924:12820] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:53:13.949Z [ 2924:11392] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T15:53:37.415Z [ 2924: 1296] A RCA found a root cause for beacon suspectedmalwarefile.jsp.
2023-08-06T15:53:52.797Z [ 2924: 3776] A RCA 8d962af5-d7e1-44d3-0bd8-693492a93a3a_1778d453ab838480.tgz successfully uploaded
2023-08-06T15:58:17.482Z [ 2924:11392] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T16:03:21.099Z [ 2924:10952] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T16:08:24.789Z [ 2924: 8680] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T16:11:32.529Z [ 2924: 1296] A RCA found a root cause for beacon suspectedmalwarefile.jsp.
2023-08-06T16:12:06.091Z [ 2924: 3776] A RCA 8d962af5-d7e1-44d3-0bd8-693492a93a3a_1778d453addaee80.tgz successfully uploaded
2023-08-06T16:13:28.271Z [ 2924: 8516] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T16:18:31.612Z [ 2924: 8516] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-06T16:23:34.440Z [ 2924:10356] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.

The log shows, that something has been uploaded to somewhere. What is that file, and does it contain a backup of what has been deleted?

A RCA 8d962af5-d7e1-44d3-0bd8-693492a93a3a_1778d453a774822c.tgz successfully uploaded

Edit: I found the RCA files in Sophos\Endpoint Defense\Data\Saved Data and they only contain what can be found in Central "Threat Analysis Center", not a file copy of the deleted file



This thread was automatically locked due to age.
Parents
  • Hi LHerzog,

    Thanks for reaching out.

    A copy of the cleaned-up file will be stored within the Sophos SafeStore. The only way to restore the file yourself would be to create an exclusion for the detected file.

    If you don’t wish to create an exclusion for the file locally, I suggest raising a support case with our team so we can assist you further.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thanks , unfortunately making an exclusion for one of the deleted files did not restore something to where it had been deleted.

  • The path in the logs you provided shows:
    C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\suspectedmalwarefile.jsp

    Does the file path (C:\Users\serviceusername\AppData\Local\Temp\SERVICE_XXX\) still exist leading to "suspectedmalwarefile.jsp"? 

    If not, you may want to try re-creating this file path to see if a restore operation succeeds once the path is created. Did the logs also state "Restored Successfully" or has no event like this been generated in Sophos Central?

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • the original path exists and I have not seen a log in central stating it has restored something.

    I would'nt expect a restore to happen when I whitelist an application path.

    I have opened a case for this and PM you the case no.

    Sorry, what is that generic answer from support?

    "We would like to have more information on this case. Kindly help us with the below information.

    • License Number: 
    • Since when, you are experiencing this issue?
    • The type of file (part of a program, installer, executable program itself)?
    • Origin of the file (proprietary or publicly available)?"

    It's a bit annoying.

  • Thank you for clarifying. I suspect the file did not get restored due to the type of detection that was raised. In instances where Sophos believes to have caught a 'True Detection', excluding the file or path will not restore it. 

    I've followed up with our management teams to raise your concerns regarding your interactions with Sophos Support. I've also added some notes to the case to help progress the issue. My apologies for the frustration.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • The outcome is: Safestore is empty and the files does not exist to restore.

    So Sophos Endpoint is designed to delete what it likes and you have no way to get the files back for forensic, troubleshooting or even restore your computer(s).

    That's nice. For attackers. But not for the Sophos customer.

    I have never seen an Anti Virus product that has no quarantine. Nor have I seen one that does not allow the admin to decide if he wants to quarantine at a detection or not. Finally I have found it with Sophos Intercept X.

    Screenshot taken from your Twitter/X account:

  • I was always a bit confused about the restore possibilities. Is this the official / final answer from sophos support? How can the MDR-Team do forensics if they dont even have the malicious file? I can compare Hashes by myself...

Reply Children
No Data