This article provides information about CryptoGuard detections, what they mean and how to deal with them.
The following sections are covered:
Applies to the following Sophos product(s) and version(s):
Central Windows Endpoint 11.5.0
Sophos Cloud Managed Endpoint 9.6.0 (Mac)
Sophos Cloud Managed Server 1.4.0
Operating systems: Windows, OS X
CryptoGuard continuously monitors file writes for signs of encryption. If it detects behaviour that looks like ransomware, it restores the affected files and stops the detected process.
This functionality requires the following product versions:
For further information on ransomware read Ransomware: Information and prevention.
For further information on this detection, the recommended steps and an example of dealing with such a detection, see Sophos Central: Root Cause Analysis overview.
CryptoGuard detected ransomware in C:\Example\file.exe
Required actions:
A remote detection is triggered when the ransomware runs on another computer but attacks files hosted on the server, such as files on a share. The remote computer triggering the attack may be:
You will see:
CryptoGuard detected a ransomware attack from 192.168.0.1
CryptoGuard detected a ransomware attack from this device against SERVERNAME
Note: In this state the server blocks all write access requests from the remote computer.
Once the detection is resolved, the server unblocks the remote computer, allowing write access again. You will see:
CryptoGuard unblocked access to network shares from 192.168.0.1
Task Category: Mitigation - Unblock 192.168.0.1
Note: If the Sophos Central administrator takes no action, the computer is automatically unblocked after 8 hours, to prevent a potentially valid application from being blocked indefinitely. If the remote attack recurs, it will be blocked again.
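To make these remote-detection events easier to act on, here is an added example (not Sophos code; the log lines and their timestamp layout are constructed for illustration) that correlates the "detected ... from" and "unblocked ... from" messages per remote host and applies the 8-hour auto-unblock window, so an administrator can list which remote computers are still write-blocked and when they will be released:

```python
import re
from datetime import datetime, timedelta

# Message forms quoted in the article; the host or IP varies per event.
DETECT_RE = re.compile(r"CryptoGuard detected a ransomware attack from (\S+)$")
OUTBOUND_RE = re.compile(r"attack from this device against (\S+)$")
UNBLOCK_RE = re.compile(r"CryptoGuard unblocked access to network shares from (\S+)$")
AUTO_UNBLOCK = timedelta(hours=8)  # the server's auto-unblock window

# Constructed sample lines ("<ISO timestamp> <message>"), not real Sophos output.
SAMPLE_LOG = """\
2024-03-01T09:00:00 CryptoGuard detected a ransomware attack from 192.168.0.1
2024-03-01T09:05:00 CryptoGuard detected a ransomware attack from 192.168.0.1
2024-03-01T09:30:00 CryptoGuard detected a ransomware attack from 10.0.0.7
2024-03-01T10:15:00 CryptoGuard unblocked access to network shares from 192.168.0.1
2024-03-01T18:00:00 CryptoGuard detected a ransomware attack from 192.168.0.1
"""

def parse_events(text):
    """Return (timestamp, kind, host) tuples; kind is block, unblock or outbound."""
    events = []
    for line in text.splitlines():
        ts_str, _, msg = line.partition(" ")
        ts = datetime.fromisoformat(ts_str)
        for kind, rx in (("outbound", OUTBOUND_RE), ("block", DETECT_RE), ("unblock", UNBLOCK_RE)):
            m = rx.search(msg)
            if m:
                events.append((ts, kind, m.group(1)))
                break
    return events

def blocked_hosts(events, now):
    """Remote hosts still write-blocked at `now`: {host: (blocked_since, auto_unblock_at)}.
    A block ends on an explicit unblock event or when the 8-hour window lapses;
    a further detection while a block is active does not restart the window."""
    state = {}
    for ts, kind, host in sorted(e for e in events if e[0] <= now):
        if kind == "block":
            cur = state.get(host)
            if cur is None or cur[1] <= ts:  # no active block for this host: start one
                state[host] = (ts, ts + AUTO_UNBLOCK)
        elif kind == "unblock":
            state.pop(host, None)
    return {h: w for h, w in state.items() if w[1] > now}

def report(text, now_iso):
    """One line per blocked host, stating when the block started and when it auto-unblocks."""
    blocked = blocked_hosts(parse_events(text), datetime.fromisoformat(now_iso))
    return [f"{h} blocked since {s.isoformat()} (auto-unblock {e.isoformat()})"
            for h, (s, e) in sorted(blocked.items())]

if __name__ == "__main__":
    for line in report(SAMPLE_LOG, "2024-03-01T19:00:00"):
        print(line)
```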
Issues to be aware of:
When adding an exclusion for a CryptoGuard detection on a Windows server, the process being excluded will be locked until the Alert is acknowledged. To do this:
Any detections can be seen in the Quarantine Manager, and on the Sophos Central dashboard. When a detection occurs, files that have recently been encrypted by the application in question will be restored, and the process blocked from modifying further files. Manual cleanup may be required.
If the system is licensed for CryptoGuard, Sophos Central can turn it on and off for each system. Once it has been enabled by Sophos Central for the first time, an icon appears in the Sophos Preferences window on the local computer, allowing the service to be enabled or disabled locally (protected by Tamper Protection).
This runs as a separate process called SophosCryptoGuard, and uses a kernel extension (kext) named SophosFileMonitor. These will not be loaded until CryptoGuard has been enabled in Sophos Central.
This will generate a Root Cause Analysis that is uploaded to Sophos Central. You can find out more in the KB article Sophos Central: Root Cause Analysis overview.