This guide shows you how to run the Source of Infection tool at boot-up time, before you have logged on to Windows. This is useful for cases where a detection returns following clean-up. It assumes you have already read article 111505 regarding the use of the tool.
Known to apply to the following Sophos product(s) and version(s): Source of Infection
Operating systems: Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2011
Note: The example below will log all files written to the hard drive and will therefore result in log files that rapidly increase in size. If the location or file name is the same for each detection, then an additional trigger should be added to the command-line arguments as discussed in 111505.
Two logs will be generated in the default location (%temp%):
%temp%\Source of Infection Log.csv
%temp%\Source of Infection Trace.txt
Once this information has been gathered, logging can be disabled by deleting the scheduled task and rebooting the machine.