Hi to all,
I'm confused about a CryptoGuard detection: it seems they found ransomware on a component of Sophos itself.
- id: {"type":3,"data":"10HWczOjodtRTCUtmJysJQ=="}
- family_id: a1e45bc2-168e-553c-f81a-5e712666d413
- process_alias_path: $programfiles\Sophos\Endpoint Defense\SEDService.exe
- process_name: Sophos Endpoint Defense Software
- process_version: 3.0.1
- thumbprint: 97b6d7febee032c1bab27637eaa9b4d7a06b980eb27b07b95eee48af9a66efa2
- details:
  Mitigation CryptoGuard V5
  Timestamp 2023-11-15T14:52:47
  Platform 10.0.19045/x64 v504 06_8e-
  PID 2704
  Enabled 007D2A3000000004
  Application C:\Program Files\Sophos\Endpoint Defense\SEDService.exe
  Created 2023-03-07T10:14:46
  Modified 2021-12-13T17:09:20
  Description Sophos Endpoint Defense Software 3.0.1
  Filename C:\Program Files\Sophos\Endpoint Defense\SEDService.exe
  Detection Generic.Ransom.C
  1*C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Url\Url-00000000168da6fa-00000000168fc609-133445296629732803-133445332395788455.tmp Created L0, Write T31232 H31128|^226 #1,2
  2*C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Url\Url-00000000168da6fa-00000000168fc609-133445296629732803-133445332395788455.bin Opened L585888, Read T586240|100% H32768|^1369094 #2,1
  3 C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Network\Network-00000000168d84c9-00000000168fc6bb-133445293646197917-133445332449396746.bin Opened, Deleted L116048 #3,5
  4*C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Network\Network-00000000168d84c9-00000000168fc6bb-133445293646197917-133445332449396746.tmp Created L0, Write T11776 H11728|^277 #4,5
  5*C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Network\Network-00000000168d84c9-00000000168fc6bb-133445293646197917-133445332449396746.bin Opened L116048, Read T116224|100% H32768|^3092110 #5,4
  6 C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Dns\Dns-00000000168da863-00000000168fc5ad-133445296711685246-133445332375905186.bin Opened, Deleted L29888 #6,8
  7 C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Dns\Dns-00000000168da863-00000000168fc5ad-133445296711685246-133445332375905186.tmp Created L0, Write T3584 H3336|^292 #7,8
  8 C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Dns\Dns-00000000168da863-00000000168fc5ad-133445296711685246-133445332375905186.bin Opened L29888, Read T30208|100% H29888|^2129399 #8,7
  9 C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Image\Image-00000000168da6ce-00000000168fc7b3-133445296629697931-133445332556159659.bin Opened, Deleted L4434968 #9,11
  10*C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Image\Image-00000000168da6ce-00000000168fc7b3-133445296629697931-133445332556159659.tmp Created L0, Write T138240 H32768|^281 #10,11
  11*C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Image\Image-00000000168da6ce-00000000168fc7b3-133445296629697931-133445332556159659.bin Opened L4434968, Read T4435456|100% H32768|^2485908 #11,10
  12 C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileBinaryReads\FileBinaryReads-00000000168da6cd-00000000168fc7b2-133445296629697931-133445332556093830.bin Opened, Deleted L4740488 #12,14
  13*C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileBinaryReads\FileBinaryReads-00000000168da6cd-00000000168fc7b2-133445296629697931-133445332556093830.tmp Created L0, Write T156160 H32768|^271 #13,14
  14*C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileBinaryReads\FileBinaryReads-00000000168da6cd-00000000168fc7b2-133445296629697931-133445332556093830.bin Opened L4740488, Read T4740608|100% H32768|^2059233 #14,13
  15 C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileOtherChanges\FileOtherChanges-00000000168da6c1-00000000168fc780-133445296629400909-133445332526057420.bin Opened, Deleted L3995504 #15,17
  16*C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileOtherChanges\FileOtherChanges-00000000168da6c1-00000000168fc780-133445296629400909-133445332526057420.tmp Created L0, Write T139264 H32768|^257 #16,17
  17*C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileOtherChanges\FileOtherChanges-00000000168da6c1-00000000168fc780-133445296629400909-133445332526057420.bin Opened L3995504, Read T3995648|100% H32768|^1837934 #17,16
  Process Trace
  1 C:\Program Files\Sophos\Endpoint Defense\SEDService.exe [2704]
  2 C:\Windows\System32\services.exe [912]
  3 C:\Windows\System32\wininit.exe [836] wininit.exe
  Dropped Files
  1 C:\ProgramData\Sophos\Endpoint Defense\Data\connections.txt Dropped by C:\Program Files\Sophos\Endpoint Defense\SEDService.exe [2704]
  2 C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileOtherChanges\FileOtherChanges-00000000168da6c1-00000000168fc780-133445296629400909-133445332526057420.tmp Dropped by C:\Program Files\Sophos\Endpoint Defense\SEDService.exe [2704]
  3 C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileBinaryReads\FileBinaryReads-00000000168da6cd-00000000168fc7b2-133445296629697931-133445332556093830.tmp Dropped by C:\Program Files\Sophos\Endpoint Defense\SEDService.exe [2704]
  4 C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Image\Image-00000000168da6ce-00000000168fc7b3-133445296629697931-133445332556159659.tmp Dropped by C:\Program Files\Sophos\Endpoint Defense\SEDService.exe [2704]
  5 C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Dns\Dns-00000000168da863-00000000168fc5ad-133445296711685246-133445332375905186.tmp Dropped by C:\Program Files\Sophos\Endpoint Defense\SEDService.exe [2704]
  6 C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Network\Network-00000000168d84c9-00000000168fc6bb-133445293646197917-133445332449396746.tmp Dropped by C:\Program Files\Sophos\Endpoint Defense\SEDService.exe [2704]
  7 C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Url\Url-00000000168da6fa-00000000168fc609-133445296629732803-133445332395788455.tmp Dropped by C:\Program Files\Sophos\Endpoint Defense\SEDService.exe [2704]
  Thumbprint 97b6d7febee032c1bab27637eaa9b4d7a06b980eb27b07b95eee48af9a66efa2
  Digital signature certificate based thumbprint 169afb750b1dd68d694684c9509b68ee86b629da6f99bfa4f6a123e18dfa5218
- process_path: C:\Program Files\Sophos\Endpoint Defense\SEDService.exe
- type: CryptoGuard
- process_pid: 2704
- version: 3.8.1.504
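One way to triage a record like this, as an added example that is not part of the original post and not Sophos code: parse the "details" string into its header, numbered file list, process trace, dropped files and thumbprints, then check whether the process path, the signing-certificate thumbprint and every touched path match what you expect for that component, and list which journals show the read-whole-file, write-.tmp, delete-.bin shape that the record reports. The sample record embedded in the block is a constructed, trimmed copy of the one above (entries 1-5, with the long journal file names shortened); the expected path, trusted root and certificate thumbprint passed to triage() are assumptions for illustration, not vendor-published values.

```python
"""Parse a Sophos CryptoGuard 'details' record and run simple triage checks.
Added example, not Sophos code: the layout follows the record quoted in the post.
The '*' marker and the L/T/H/%/^ tokens are not documented there, so they are
kept raw rather than interpreted."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: entries 1-5, the process trace and one dropped file from the
# quoted record, with the long journal file names shortened for readability.
SAMPLE_DETAILS = (
    "Mitigation CryptoGuard V5 Timestamp 2023-11-15T14:52:47 Platform 10.0.19045/x64 v504 06_8e- "
    "PID 2704 Enabled 007D2A3000000004 "
    "Application C:\\Program Files\\Sophos\\Endpoint Defense\\SEDService.exe "
    "Created 2023-03-07T10:14:46 Modified 2021-12-13T17:09:20 "
    "Description Sophos Endpoint Defense Software 3.0.1 "
    "Filename C:\\Program Files\\Sophos\\Endpoint Defense\\SEDService.exe "
    "Detection Generic.Ransom.C "
    "1*C:\\ProgramData\\Sophos\\Endpoint Defense\\Data\\Event Journals\\SophosED\\Url\\Url-0001.tmp "
    "Created L0, Write T31232 H31128|^226 #1,2 "
    "2*C:\\ProgramData\\Sophos\\Endpoint Defense\\Data\\Event Journals\\SophosED\\Url\\Url-0001.bin "
    "Opened L585888, Read T586240|100% H32768|^1369094 #2,1 "
    "3 C:\\ProgramData\\Sophos\\Endpoint Defense\\Data\\Event Journals\\SophosED\\Network\\Network-0002.bin "
    "Opened, Deleted L116048 #3,5 "
    "4*C:\\ProgramData\\Sophos\\Endpoint Defense\\Data\\Event Journals\\SophosED\\Network\\Network-0002.tmp "
    "Created L0, Write T11776 H11728|^277 #4,5 "
    "5*C:\\ProgramData\\Sophos\\Endpoint Defense\\Data\\Event Journals\\SophosED\\Network\\Network-0002.bin "
    "Opened L116048, Read T116224|100% H32768|^3092110 #5,4 "
    "Process Trace 1 C:\\Program Files\\Sophos\\Endpoint Defense\\SEDService.exe [2704] "
    "2 C:\\Windows\\System32\\services.exe [912] 3 C:\\Windows\\System32\\wininit.exe [836] wininit.exe "
    "Dropped Files 1 C:\\ProgramData\\Sophos\\Endpoint Defense\\Data\\connections.txt "
    "Dropped by C:\\Program Files\\Sophos\\Endpoint Defense\\SEDService.exe [2704] "
    "Thumbprint 97b6d7febee032c1bab27637eaa9b4d7a06b980eb27b07b95eee48af9a66efa2 "
    "Digital signature certificate based thumbprint 169afb750b1dd68d694684c9509b68ee86b629da6f99bfa4f6a123e18dfa5218"
)

FILE_RE = re.compile(
    r"(?P<idx>\d+)(?P<flag>[* ])"            # entry number, then '*' or a space
    r"(?P<path>[A-Z]:\\.+?)\s+"              # Windows path (may contain spaces)
    r"(?P<ops>(?:Created|Opened)[^#]*?)\s+"  # comma-separated verb groups
    r"#(?P<ref>\d+,\d+)")                    # trailing '#a,b' cross-reference
TRACE_RE = re.compile(r"\d+ (?P<path>[A-Z]:\\.+?) \[(?P<pid>\d+)\]")
DROP_RE = re.compile(r"\d+ (?P<path>[A-Z]:\\.+?) Dropped by (?P<by>[A-Z]:\\.+?) \[(?P<pid>\d+)\]")

@dataclass
class FileEvent:
    idx: int
    flagged: bool  # '*' present before the path
    path: str
    ops: list      # verbs in order, e.g. ["Opened", "Deleted"]
    metrics: str   # raw L/T/H tokens, verbatim
    ref: str

def parse_cryptoguard_details(details):
    """Split the flat record into its sections and parse each one."""
    head, _, rest = details.partition(" Detection ")
    detection, _, rest = rest.partition(" ")
    files_part, _, rest = rest.partition(" Process Trace ")
    trace_part, _, rest = rest.partition(" Dropped Files ")
    dropped_part, _, thumbs = rest.partition(" Thumbprint ")
    files = []
    for m in FILE_RE.finditer(files_part):
        segs = [s.split() for s in m["ops"].split(",")]  # ["Opened", "L1"], ["Read", ...]
        files.append(FileEvent(int(m["idx"]), m["flag"] == "*", m["path"],
                               [s[0] for s in segs],
                               " ".join(t for s in segs for t in s[1:]), m["ref"]))
    app = re.search(r"Application (?P<p>[A-Z]:\\.+?) Created ", head)
    pid = re.search(r"\bPID (\d+)", head)
    ts = re.search(r"Timestamp (\S+)", head)
    hashes = re.findall(r"\b[0-9a-f]{64}\b", thumbs)  # file hash first, then certificate
    return {
        "timestamp": ts.group(1) if ts else None,
        "pid": int(pid.group(1)) if pid else None,
        "application": app["p"] if app else None,
        "detection": detection,
        "files": files,
        "process_trace": [(m["path"], int(m["pid"])) for m in TRACE_RE.finditer(trace_part)],
        "dropped": [(m["path"], m["by"]) for m in DROP_RE.finditer(dropped_part)],
        "file_thumbprint": hashes[0] if hashes else None,
        "cert_thumbprint": hashes[1] if len(hashes) > 1 else None,
    }

def under_root(path, root):
    """Case-insensitive 'path is inside root' test on normalised Windows paths."""
    return str(PureWindowsPath(path)).lower().startswith(str(PureWindowsPath(root)).lower() + "\\")

def rewrite_groups(files):
    """Stems whose .bin was read, a .tmp sibling written and the .bin deleted:
    the read-then-replace shape the quoted record shows for each journal."""
    by_stem = {}
    for f in files:
        p = PureWindowsPath(f.path)
        by_stem.setdefault(str(p.with_suffix("")).lower(), set()).update((p.suffix.lower(), v) for v in f.ops)
    want = {(".tmp", "Write"), (".bin", "Read"), (".bin", "Deleted")}
    return sorted(stem for stem, seen in by_stem.items() if want <= seen)

def triage(details, expected_app, trusted_roots, known_cert_thumbprint):
    """expected_app, trusted_roots and known_cert_thumbprint are the analyst's assumptions."""
    rec = parse_cryptoguard_details(details)
    touched = {f.path for f in rec["files"]} | {p for p, _ in rec["dropped"]}
    outside = sorted(p for p in touched if not any(under_root(p, r) for r in trusted_roots))
    return {
        "app_matches": (rec["application"] or "").lower() == expected_app.lower(),
        "cert_matches": rec["cert_thumbprint"] == known_cert_thumbprint,
        "all_inside_trusted_roots": not outside,
        "outside_paths": outside,
        "rewritten_stems": rewrite_groups(rec["files"]),
        "parent_chain": [PureWindowsPath(p).name for p, _ in rec["process_trace"]],
    }
```

The parent chain (SEDService.exe under services.exe under wininit.exe) and the per-journal read/write/delete groups come straight out of the record; whether the "*" marker and the L/T/H tokens carry further meaning is not stated on the page, so the parser keeps them raw. A passing set of checks only says the event is consistent with the component rewriting its own data files under its own ProgramData directory; confirming on the host that the binary's Authenticode signature matches the certificate thumbprint shown is still a separate manual step.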