
Sophos Safeguard detected as ransomware

We have this on several systems so I'm surprised this is the first time it has come up:
"CryptoGuard detected ransomware in C:\Windows\SysWOW64\SGN_MasterServicen.exe"

Please let me know if anyone wants SDU output from the system this fired on. I've currently listed it as a global scanning exception along with C:\ProgramData\Utimaco\SafeGuard Enterprise\LocalCache. Should I put one in for c:\program files (x86)\sophos\safeguard enterprise\client\ as well?

-Gary



  • The exception is not working -- it keeps getting overridden:

    CryptoGuard detected ransomware in C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:23:16-07:00
    CryptoGuard unblocked process C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:20:30-07:00
    CryptoGuard detected ransomware in C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:20:14-07:00
    Policy non-compliance: Device Control 2016-09-14T17:19:38-07:00
    Policy non-compliance: Tamper Protection 2016-09-14T17:19:38-07:00
    Policy non-compliance: Application Control 2016-09-14T17:19:38-07:00
    Policy non-compliance: Malware Protection 2016-09-14T17:19:38-07:00
    Real time protection disabled 2016-09-14T17:19:38-07:00
    CryptoGuard unblocked process C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:18:02-07:00
    CryptoGuard detected ransomware in C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:16:44-07:00
    Policy in compliance: Device Control 2016-09-14T17:16:39-07:00
    Policy in compliance: Tamper Protection 2016-09-14T17:16:39-07:00
    Policy in compliance: Application Control 2016-09-14T17:16:39-07:00
    Policy in compliance: Malware Protection 2016-09-14T17:16:39-07:00
    Real time protection re-enabled 2016-09-14T17:16:39-07:00
    CryptoGuard unblocked process C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:11:33-07:00
    CryptoGuard detected ransomware in C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:11:24-07:00
    Policy non-compliance: Device Control 2016-09-14T17:10:47-07:00
    Policy non-compliance: Tamper Protection 2016-09-14T17:10:47-07:00
    Policy non-compliance: Application Control 2016-09-14T17:10:47-07:00
    Policy non-compliance: Malware Protection 2016-09-14T17:10:47-07:00
    Real time protection disabled 2016-09-14T17:10:47-07:00
    CryptoGuard unblocked process C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:08:41-07:00
    Policy in compliance: Device Control 2016-09-14T17:08:22-07:00
    Policy in compliance: Tamper Protection 2016-09-14T17:08:22-07:00
    Policy in compliance: Application Control 2016-09-14T17:08:22-07:00
    Policy in compliance: Malware Protection 2016-09-14T17:08:22-07:00
    Real time protection re-enabled 2016-09-14T17:08:22-07:00
    CryptoGuard detected ransomware in C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:08:17-07:00
    CryptoGuard unblocked process C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:07:06-07:00
    CryptoGuard detected ransomware in C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:06:50-07:00
    CryptoGuard unblocked process C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:05:34-07:00
    CryptoGuard detected ransomware in C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:05:17-07:00
    Policy non-compliance: Device Control 2016-09-14T17:04:43-07:00
    Policy non-compliance: Tamper Protection 2016-09-14T17:04:43-07:00
    Policy non-compliance: Application Control 2016-09-14T17:04:43-07:00
    Policy non-compliance: Malware Protection 2016-09-14T17:04:43-07:00
    Real time protection disabled 2016-09-14T17:04:43-07:00
    CryptoGuard unblocked process C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T15:36:11-07:00
    CryptoGuard detected ransomware in C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T15:35:24-07:00
    Policy in compliance: Device Control 2016-09-14T15:35:15-07:00
    Policy in compliance: Tamper Protection 2016-09-14T15:35:15-07:00
    Policy in compliance: Application Control 2016-09-14T15:35:15-07:00
    Policy in compliance: Malware Protection 2016-09-14T15:35:15-07:00
    Real time protection re-enabled 2016-09-14T15:35:15-07:00
    Policy non-compliance: Device Control 2016-09-14T15:34:33-07:00
    Policy non-compliance: Tamper Protection 2016-09-14T15:34:33-07:00
    Policy non-compliance: Application Control 2016-09-14T15:34:33-07:00
    Policy non-compliance: Malware Protection 2016-09-14T15:34:33-07:00
    Real time protection disabled 2016-09-14T15:34:33-07:00
    CryptoGuard unblocked process C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T15:33:54-07:00
    CryptoGuard detected ransomware in C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T15:32:31-07:00
    Policy in compliance: Device Control 2016-09-14T15:32:00-07:00
    Policy in compliance: Tamper Protection 2016-09-14T15:32:00-07:00
    Policy in compliance: Application Control 2016-09-14T15:32:00-07:00
    Policy in compliance: Malware Protection 2016-09-14T15:32:00-07:00
    Real time protection re-enabled 2016-09-14T15:32:00-07:00
    Policy non-compliance: Device Control 2016-09-14T15:31:38-07:00
    Policy non-compliance: Tamper Protection 2016-09-14T15:31:38-07:00
    Policy non-compliance: Application Control 2016-09-14T15:31:38-07:00
    Policy non-compliance: Malware Protection 2016-09-14T15:31:38-07:00
    Real time protection disabled 2016-09-14T15:31:38-07:00
    CryptoGuard unblocked process C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T15:28:24-07:00
    CryptoGuard detected ransomware in C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T15:27:53-07:00
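Added example, not from the original post or from Sophos: a small Python triage script that parses event lines in the format posted above, pairs each CryptoGuard detection with the release that followed it, and reports whether the same process was flagged again after being released, which is the sign that an exclusion is not holding. The sample lines are a constructed subset of the events above; the event wording and the `SGN_MasterServicen.exe` path are taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the event lines posted above, newest first as the console lists them.
SAMPLE_EVENTS = r"""
CryptoGuard detected ransomware in C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:23:16-07:00
CryptoGuard unblocked process C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:20:30-07:00
CryptoGuard detected ransomware in C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:20:14-07:00
Real time protection disabled 2016-09-14T17:19:38-07:00
CryptoGuard unblocked process C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:18:02-07:00
CryptoGuard detected ransomware in C:\Windows\SysWOW64\SGN_MasterServicen.exe 2016-09-14T17:16:44-07:00
"""
LINE_RE = re.compile(r"^(?P<msg>.+?)\s+(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})$")
PREFIXES = {"CryptoGuard detected ransomware in ": "detected", "CryptoGuard unblocked process ": "unblocked",
            "Real time protection disabled": "rtp_disabled", "Real time protection re-enabled": "rtp_enabled"}

def parse_events(text):
    """Parse pasted event lines (lines without a timestamp are skipped) and return them oldest first."""
    events = []
    for m in filter(None, (LINE_RE.match(l.strip()) for l in text.splitlines())):
        msg, ts = m.group("msg"), datetime.fromisoformat(m.group("ts"))
        kind, path = "other", None
        for prefix, k in PREFIXES.items():
            if msg.startswith(prefix):
                kind, path = k, msg[len(prefix):] or None  # path is only present on CryptoGuard events
                break
        events.append({"ts": ts, "kind": kind, "path": path})
    return sorted(events, key=lambda e: e["ts"])

def summarize(events):
    """Per process: detections, releases, detections after a release, and how long each block lasted."""
    paths = defaultdict(lambda: {"detections": 0, "unblocks": 0, "redetected": 0, "block_seconds": []})
    pending = {}  # path -> timestamp of its latest detection that has not been released yet
    for ev in events:
        if ev["path"] is None:
            continue  # policy / real-time-protection events carry no process path
        s = paths[ev["path"]]
        if ev["kind"] == "detected":
            s["detections"] += 1
            s["redetected"] += 1 if s["unblocks"] else 0  # flagged again after CryptoGuard released it
            pending[ev["path"]] = ev["ts"]
        elif ev["kind"] == "unblocked":
            s["unblocks"] += 1
            if ev["path"] in pending:
                s["block_seconds"].append((ev["ts"] - pending.pop(ev["path"])).total_seconds())
    for s in paths.values():  # a working exclusion shows no new detection once the process was released
        s["exclusion_holding"] = s["redetected"] == 0
    return dict(paths)
```

Run `summarize(parse_events(SAMPLE_EVENTS))` on the pasted text: a non-zero `redetected` count for a path that already has an exclusion is the evidence to send along with the SDU output.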
  • Hello,

    We're aware of this false positive and it will be fixed for the release version. But I would like to confirm that this is the same issue as the one we are aware of.

    We will need the following sent to us:

    • File output from Sophos Diagnostic Utility (you find this from the program files menu)
    • Zipped collection of log files from C:\ProgramData\Sophos\Clean\Logs and C:\ProgramData\HitmanPro.Alert\Logs

    You can use https://www.wetransfer.com/ for free to send us the file. Suggest you zip them all together and use a password. Please send the details to me via the forum messaging.

    Thanks for the report

  • Unfortunately, I can't get the system to stay on long enough. I get a repeat of the same events posted previously then after it's detected again it shuts down. Is that expected behavior? Either way, how can I get this to stop happening so I can run SDU? If necessary I can see if we have an adapter for the M.2 SSD in it so I can collect the logs by attaching it to another system.

    Update -- I was able to shut down the HitmanPro & Clean services and that seems to have stopped the constant reboot cycle. I'll send you some data as soon as I have it gathered.

    thanks,
    Gary