Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 13 subscribers
  • Views 2298 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

A device that was not being used, started reporting strange logs in the sophos endpoint

Pavel Čechmánek

A strange thing happened to us on Endpoint, which was in a locked office, in one second the endpoint blocked at least 10 pages of inappropriate tip as Adult/Sexually Explicit.

Since I am sure that no one was sitting at the endpoint and no one could browse the Internet, but it is still possible to see the blocking of several websites in the event log.

Another strange thing is that everything happened in one second. More than 10 pages were blocked in one second, even though no user was connected to the endpoint



This thread was automatically locked due to age.
  • +1

    Hi Pavel,

    Thanks for reaching out. 

    May I ask if the events you saw populated were associated to a specific user in Sophos Central? 

    When you are viewing the device in question in Sophos Central, try clicking on the last user associated to the device. On the user page, does the same device show up associated to the events you're seeing in Sophos Central? 

    I have also reached out via private message to assist further.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • 0

    I would probably take a look at the files under:

    C:\ProgramData\Sophos\Health\Event Store\Trail\

    To see the times of the various events, using others for context.

    If you have LiveResponse, you can use a PS prompt to examine the logs/files remotely, maybe a command such as:

    Get-ChildItem -Filter *.json -Path "C:\ProgramData\Sophos\Health\Event Store\Trail" | %{
  $j = gc $_.FullName | ConvertFrom-Json
  if($j.counterName -eq "web_security")
  {
    $j
  }
}


    Would be interesting. All the data is at the endpoint to determine what happened.

Unfiltered HTML