legit wzwipe.exe identified as ransomware

Hi,

It looks like WinZip includes an executable called wzwipe.exe. We still have this installed on several PCs in our environment, and occasionally Intercept is identifying this as ransomware. Ours shows up as a known good hash when I look it up on a site like this one or VirusTotal, so I'm wondering if there's a way for Sophos to match its hash before declaring it malicious...?

Also, since I know you mostly hear about it when things are broken, I want to send a thank you out to everyone at Sophos collectively; this is a great product!

Kind regards,
Gary



This thread was automatically locked due to age.
  • Hey gdriggs!

    Our Central Endpoint product (specifically the Sophos Antivirus component) does make reputation lookups with SophosLabs for these things; however, Intercept X does not rely on reputation and is purely behavioural.

    Are you able to share a little more regarding the detection you saw, perhaps a screenshot with anything sensitive redacted? If you're able to also submit a sample of wzwipe.exe to https://secure2.sophos.com/en-us/support/contact-support.aspx and post a hash here (SHA256 preferably or SHA1), I can check with SophosLabs whether the file is clean or not.

    If the file is clean and this is a false positive, I would recommend raising a case with Sophos Technical Support via Sophserv. Alternative contact methods can be found here. They will be able to get this up to Engineering and have it addressed as quickly as possible.
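The reply asks for a SHA256 (or SHA1) of the file so that SophosLabs can check it, and the original post mentions comparing against a known-good hash. The helper below is an added example, not code from this thread, from Sophos or from WinZip: it computes both digests in chunks (so large binaries do not have to be read into memory), checks the SHA-256 against a local allowlist, and builds the one-line summary you would paste into a support case. The allowlist entry is a constructed placeholder (the SHA-256 of the bytes "abc"), not a real wzwipe.exe hash; a real allowlist would hold values you recorded yourself from trusted install media or a vendor lookup.

```python
import hashlib
import sys

# Constructed allowlist for illustration only. A production list would map
# the SHA-256 of each vendor binary you trust (for example wzwipe.exe taken
# from trusted WinZip install media) to a short label. The single entry
# below is SHA-256("abc"), a placeholder so the example runs offline.
KNOWN_GOOD_SHA256 = {
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":
        "placeholder entry (SHA-256 of the bytes 'abc')",
}


def hash_stream(chunks):
    """Feed an iterable of byte chunks to SHA-256 and SHA-1 at once.

    Returns (sha256_hex, sha1_hex). Both digests are computed in one pass
    so a multi-megabyte executable is only read from disk once.
    """
    h256 = hashlib.sha256()
    h1 = hashlib.sha1()
    for chunk in chunks:
        h256.update(chunk)
        h1.update(chunk)
    return h256.hexdigest(), h1.hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Hash a file on disk without loading it into memory all at once."""
    with open(path, "rb") as f:
        return hash_stream(iter(lambda: f.read(chunk_size), b""))


def triage(name, sha256, sha1, allowlist=KNOWN_GOOD_SHA256):
    """Compare a SHA-256 against the allowlist and describe the result.

    Hashes are normalised to lower case so values copied from a web lookup
    or a support reply (often upper case) still match.
    """
    sha256 = sha256.lower()
    sha1 = sha1.lower()
    label = allowlist.get(sha256)
    return {
        "name": name,
        "sha256": sha256,
        "sha1": sha1,
        "known_good": label is not None,
        "label": label,
        # The line a support case or forum post asks for: both digests.
        "summary": f"{name} SHA256={sha256} SHA1={sha1}",
    }


def triage_bytes(name, data, allowlist=KNOWN_GOOD_SHA256):
    """Triage an in-memory sample (used for the offline self-test)."""
    sha256, sha1 = hash_stream([data])
    return triage(name, sha256, sha1, allowlist)


def triage_file(path, allowlist=KNOWN_GOOD_SHA256):
    """Triage a file on disk, e.g. a copy of wzwipe.exe pulled from an endpoint."""
    sha256, sha1 = hash_file(path)
    return triage(path, sha256, sha1, allowlist)


if __name__ == "__main__":
    # Usage: python triage_hash.py <path-to-binary>
    result = triage_file(sys.argv[1])
    print(result["summary"])
    print("known good:", result["known_good"], "-", result["label"])
```

A match only tells you the file's bytes are identical to the copy you recorded as good; it says nothing about what the process did at runtime, which is what a behavioural engine such as Intercept X reacts to, as the reply above points out. The hash is still the right thing to attach to a false-positive case, because it lets the vendor confirm it is looking at exactly the same binary you have.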
