
Intercept flagging the F5 Netscaler Cachecleaner as Cryptoguard?

Hi All,

Have a customer running Intercept trial and it looks like they're connecting to a reverse proxy VPN on an F5 that deploys a program called cachecleaner.exe onto the client computer for cleaning up the connection data once the session has been closed.

It looks like a false positive because it reads and writes a lot of files and in the artifacts tab, all reports across 6 systems all have this cachecleaner.exe at the center of it. Now they have been hit by ransomware in the past so our first concern is they have a worm that is deploying this application to all of the computers but that doesn't look like the case. 95% of the files touched appear to be cache related on internet explorer.

I have a copy of the program that appears in all of the Root Cause Analysis scopes of which there are some screenshots below:

Above is what is in 70% of the RCAs

Below is a more complicated RCA from someone's PC which looks to have a lot of fluff but primarily has the fragment above in it regardless:

Happy to provide console information if the team would like to access the RCAs themselves and I also have the cachecleaner.exe program in a zip to provide.

In one of the RCAs it looks like it was the users first time connection so it was deploying some tunnelling and user configuration settings.

This is what is leading me to a false positive and the cachecleaner's behaviour is simply showing it as malicious.

Happy to provide more information on request :)

Emile

P.s. Oooh the RCA is cool

  • Hello,

    It looks like the cachecleaner.exe is doing a secure delete on files. This means it is overwriting files and images with random data. Random data looks like encryption (same entropy) and it therefore triggers CryptoGuard.

    To confirm, can you send us a copy of the mentioned cachecleaner.exe via www.wetransfer.com and send it to erik@surfright.com?

    Regards,
    Erik Loman
    HitmanPro
    SurfRight - a Sophos company
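To illustrate the point Erik makes above, here is an added example (written for this thread, not code from Sophos, HitmanPro or the F5 tool) that measures the Shannon entropy of a constructed Internet Explorer cache-style file before and after three kinds of rewrite: a benign edit, a secure-delete pass that replaces the contents with random bytes, and a toy stream-cipher rewrite standing in for ransomware. The detection thresholds (`HIGH_ENTROPY`, `MIN_JUMP`) are assumptions chosen for the demonstration and are not CryptoGuard's actual logic; the sample file contents are constructed.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed sample: an Internet Explorer cache-style HTML fragment, repeated
# and cut to 4 KiB so that the byte statistics are stable. Not a real cache file.
SAMPLE_CACHE_FILE = (
    b"<html><head><title>Portal - Session</title></head><body>"
    b"<div class='session'>Welcome back. Your VPN session is active.</div>"
    b"<img src='/images/logo.png' alt='logo'>"
    b"</body></html>\r\n"
) * 40
SAMPLE_CACHE_FILE = SAMPLE_CACHE_FILE[:4096]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def secure_wipe(content: bytes) -> bytes:
    """Model one pass of a secure-delete tool: every byte replaced by random data."""
    return os.urandom(len(content))


def toy_stream_encrypt(content: bytes, key: bytes) -> bytes:
    """Model a ransomware-style rewrite: XOR with a SHA-256 counter keystream.
    Toy construction for the entropy comparison only, not a real cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(content):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(content, stream))


# Assumed heuristic thresholds (illustrative only): flag a rewrite when the new
# contents are near-random AND the entropy jumped relative to the old contents.
HIGH_ENTROPY = 7.0   # bits/byte; compressed, encrypted and random data sit near 8
MIN_JUMP = 2.0       # required increase over the original file's entropy


def rewrite_looks_like_encryption(before: bytes, after: bytes) -> bool:
    """True when a file rewrite has the entropy profile of encryption."""
    e_before = shannon_entropy(before)
    e_after = shannon_entropy(after)
    return e_after >= HIGH_ENTROPY and (e_after - e_before) >= MIN_JUMP


def compare_rewrites(original: bytes = SAMPLE_CACHE_FILE) -> dict:
    """Run the heuristic over three rewrites of the same file.
    Returns {case_name: (entropy_after_in_bits, flagged)}."""
    cases = {
        "benign_edit": original + b"<!-- session closed -->\r\n",
        "secure_wipe": secure_wipe(original),
        "encrypted": toy_stream_encrypt(original, key=b"constructed-demo-key"),
    }
    return {
        name: (round(shannon_entropy(data), 2),
               rewrite_looks_like_encryption(original, data))
        for name, data in cases.items()
    }


if __name__ == "__main__":
    print(f"original entropy: {shannon_entropy(SAMPLE_CACHE_FILE):.2f} bits/byte")
    for name, (entropy, flagged) in compare_rewrites().items():
        print(f"{name:12s} entropy={entropy:.2f}  flagged={flagged}")
```

Running it shows the benign edit staying far below the threshold while both the wiped and the encrypted file land near 8 bits/byte and are flagged identically. That is the false-positive mode in this thread in miniature: a byte-statistics heuristic cannot tell a secure-delete overwrite from encryption, so confirming what the binary actually does, as Erik requests with the sample, is the right next step.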

  • Hi Guys,

    Thanks for confirming my suspicions and thank you Erik for the very informative response!

    Erik, I have sent you the files via wetransfer and the password for the file is "Sophos1985" (without quotes) and inside you should find everything that was on the target machines related to Cachecleaner.exe. However there were other potentially related files to do with the F5 but they only flagged as a root, never as a beacon event so I did not grab those but can if needed. It looked like the F5 application was used to download and deploy the extra software in all instances.

    Rincewind, would you still like what you requested sent through? I have plotted some time to try and get access to the customers machine today to grab these. If so I will try and get luggage to come and pick them up for you :)

    Many thanks!

    Emile