"Wanna" ransomware outbreak. Please see this Sophos article sophos.com/kb/126733 for advice on how to protect your organization. Immediate action recommended.
Live Protection is a technology that allows live look-ups (via SXL) to obtain the latest threat information from SophosLabs (cloud based look-ups), without waiting for the product to be updated. It also provides a platform to upload samples that SophosLabs deem interesting and worth investigating further. Both these features can be enabled or disabled depending on the environment and local policies, although sending file samples is available only if live look-ups are enabled.
This article explains how to check if endpoints are submitting files to Sophos following a cloud detection (Web Protection look-up).
Applies to the following Sophos product(s) and version(s) Sophos Endpoint Security and Control
An entry is added to SAV log whenever a file is attempted to be uploaded to Sophos and the entry includes the name of the file and the result of the operation, for instance:
20100720 183814 File "C:\Documents and Settings\Administrator\Desktop\sxl_test_50.com" belongs to virus/spyware 'LiveProtectTest'. 20100720 183818 File sample was successfully sent for Sophos Live Protection: File: 'C:\Documents and Settings\Administrator\Desktop\sxl_test_50.com' Checksum: 'a2c0f84a30bec1279a6591ceae76f75d47c3fe81.5'
Advanced SAVI logging shows verbosely all SXL queries and responses, the output is likely to be low level and really only required in edge cases involving GES/Engineering.
Logs will be in c:\windows\temp\savi_<pid>_<id>.log and rotate after 20,000 lines
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.