A device that was not being used started reporting strange logs in Sophos Endpoint

A strange thing happened to us on an endpoint which was in a locked office: in one second the endpoint blocked at least 10 pages of an inappropriate type, categorised as Adult/Sexually Explicit.

I am sure that no one was sitting at the endpoint and no one could browse the Internet, but it is still possible to see the blocking of several websites in the event log.

Another strange thing is that everything happened in one second. More than 10 pages were blocked in one second, even though no user was connected to the endpoint.
  • I would probably take a look at the files under:

    C:\ProgramData\Sophos\Health\Event Store\Trail\

    To see the times of the various events, using others for context.

    If you have LiveResponse, you can use a PS prompt to examine the logs/files remotely, maybe a command such as:

    # Walk the Trail directory and print every event whose counterName is web_security
    Get-ChildItem -Filter *.json -Path "C:\ProgramData\Sophos\Health\Event Store\Trail" | ForEach-Object {
      # -Raw hands the whole file to ConvertFrom-Json as one string, so multi-line JSON parses cleanly
      $j = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
      if ($j.counterName -eq "web_security") {
        $j
      }
    }


    Would be interesting. All the data is at the endpoint to determine what happened.

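Building on the reply above, the script below is an added example (not the poster's code and not a Sophos tool) that parses the Trail files once, finds any one-second burst of web_security events like the one described in the question, and lists every other counter the agent recorded in the surrounding window so the burst can be correlated with whatever preceded it. It assumes each Trail file is a single JSON object with the `counterName` field the reply mentions and, as an assumption not confirmed by the thread, a `time` field holding an ISO 8601 timestamp; open one file with `Get-Content -Raw` first and change `-TimeField` if the real name differs.

```powershell
# Added example: burst detection and context for Sophos Health Event Store Trail files.
# ASSUMPTIONS (not confirmed by the thread): each *.json file is one event object with
# a "counterName" field (as in the reply above) and a "time" field holding an
# ISO 8601 timestamp. Check one file with Get-Content -Raw and rename the fields if needed.
param(
    [string]$TrailPath     = 'C:\ProgramData\Sophos\Health\Event Store\Trail',
    [string]$TimeField     = 'time',   # ASSUMED field name
    [int]   $WindowSeconds = 60,       # how far around a burst to pull context
    [int]   $BurstSize     = 5         # events within one second that count as a burst
)

# Parse every Trail file once into a flat table; unparsable files are reported, not fatal.
$events = Get-ChildItem -Path $TrailPath -Filter *.json -ErrorAction Stop | ForEach-Object {
    $file = $_
    try {
        $j = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json
        [pscustomobject]@{
            File    = $file.Name
            Counter = $j.counterName
            Time    = [datetime]::Parse($j.$TimeField, [cultureinfo]::InvariantCulture)
            Raw     = $j
        }
    } catch {
        Write-Warning "Skipping $($file.Name): $($_.Exception.Message)"
    }
}

# Bucket web_security events by the second they occurred in; "10 pages in one second"
# shows up as a single bucket with a high count.
$bursts = $events |
    Where-Object Counter -eq 'web_security' |
    Group-Object { $_.Time.ToString('yyyy-MM-dd HH:mm:ss') } |
    Where-Object Count -ge $BurstSize |
    Sort-Object Count -Descending

if (-not $bursts) { Write-Host "No burst of $BurstSize+ web_security events in one second."; return }

foreach ($b in $bursts) {
    $start = [datetime]::ParseExact($b.Name, 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
    Write-Host "`n== $($b.Count) web_security events at $($b.Name) =="
    $b.Group | ForEach-Object { $_.Raw | ConvertTo-Json -Compress -Depth 5 }

    # Context: every other counter the agent recorded in the window around the burst.
    # A scan, update, logon or service start immediately before it is the lead to follow.
    $events |
        Where-Object {
            $_.Counter -ne 'web_security' -and
            [math]::Abs(($_.Time - $start).TotalSeconds) -le $WindowSeconds
        } |
        Sort-Object Time |
        Format-Table Time, Counter, File -AutoSize
}
```

Run it from a LiveResponse PowerShell prompt as the reply suggests. Whether anyone was actually signed in during the burst can be checked against the Windows Security log for the same window (logon events, ID 4624); a burst with no logon points at a background process rather than a person at the keyboard.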