

data exfiltration from server

hi,

I have installed CIXA for Server on a few servers. On 3rd of Aug 23, a few of my servers in the LAN on which CIXA for Server was not installed got hit by ransomware; the file extension became .gasprom. I also have an XG 310 at gateway level and have turned on ATP (log and drop).

Time was short, so what I did was format the infected server, install the OS, restore data from backup, and then install CIXA for Server on it. Now, is it safe from further compromise??? Or, if any other system within the LAN is infected, is there still a chance that this server will get infected again? Was what I did right or wrong?

On the server on which CIXA was installed, I saw in the events that crypto.exe was detected and blocked. How can I find from which IP / user it was generated??? Is it from the LAN or the WAN??? How can I find the initiator??? More than 90 days have gone by, so in Sophos Central I am not able to see logs for those dates, i.e. 3rd Aug 23.

In the threat graph it shows that anydesk.exe read 35 files. Does this mean that 35 files have been uploaded somewhere? When I click on those 35 files, all of them are .dll files.

In the graph it shows that crypto.exe was detected. What was done after detection, and how can I find that out?

A screenshot is attached to this thread.

Please advise.


