Sophos Central Endpoint and Server: CryptoGuard detections and required actions

  • Article ID: 124786
  • Updated: 1 Apr 2020
  • 7 people found this helpful

Overview

This knowledge base article provides information about CryptoGuard detection, what they mean and how to deal with them.

The following sections are covered:

Applies from the following Sophos product(s) and version(s)
Central Windows Endpoint 11.5.0
Sophos Cloud Managed Endpoint 9.6.0 (Mac)
Sophos Cloud Managed Server 1.4.0

Operating systems
Windows, OS X

Information about CryptoGuard

CryptoGuard is constantly monitoring file writes for encrypted files. If it detects that actions behave like ransomware, it will restore the impacted files and stop the execution of the detected process.

This functionality requires the following product versions:

  • Windows non-server platforms: 11.5.0+
  • Windows server platforms: 1.4.0+
  • Mac OS X platforms: 9.6.0+ 

For further information on ransomware read Ransomware: Information and prevention.

CryptoGuard detection on Windows non-server platforms

For further information on this detection, the recommended steps and an example on dealing with such a detection, click on Sophos Central Admin: Overview of Threat Cases

CryptoGuard detection on Windows server platforms

CryptoGuard on Windows server platforms detects and blocks both local and remote attacks. Both types of detection may require a number of actions:

Local detection

Local detection is triggered when the ransomware is local to the server. You will see:
  1. An alert for the Server in Sophos Central reporting the detection:

    CryptoGuard detected ransomware in C:\Example\file.exe

  2. Two Application Event log entries on the Server:

    • Task Category: Mitigation - detailing the Application and the targeted files.
    • Task Category: CryptoGuard - detailing the Application, list of files and the attack being intercepted and blocked.

Required actions:

  1. In Sophos Central, go to Alerts.
  2. Click on the box next to the CryptoGuard detection alert for the server.
  3. Click Mark as Resolved.

Remote detection

Remote detection is triggered when the ransomware is remote to the server, but attacks files contained on the server, such as a share. The remote computers triggering the attack may be:

  1. Windows computers managed in Sophos Central where Intercept X is installed.
  2. Windows computers managed in Sophos Central where Intercept X is not installed.
  3. Computers that are not managed in Sophos Central.

From Windows computers managed in Sophos Central with Intercept X installed

You will see:

  1. An alert for the Server in Sophos Central reporting the detection and which IP address it came from:

    CryptoGuard detected a ransomware attack from 192.168.0.1

  2. An alert for the Computer in Sophos Central where the attack originated:

    CryptoGuard detected a ransomware attack from this device against SERVERNAME

  3. Two Application Events logs are created on the Server:

    • Task Category: Mitigation - detailing the IP address of the remote computer and the targeted files.
    • Task Category: CryptoGuard - detailing the IP address of the remote computer, the list of files and the attack being intercepted and blocked.

Note: In this state the server blocks any Write access requests from the remote computer.

Required actions:

  1. As the computer is managed and has Intercept X installed a cleanup action will be triggered automatically.
  2. In Sophos Central select both alerts and click Mark As Resolved.

Once resolved the server unblocks the remote computer allowing Write access. You will see:

  1. An event for the Server in Sophos Central reporting the IP address has been unblocked:

    CryptoGuard unblocked access to network shares from 192.168.0.1

  2. The following Application Event log is created on the Server:

    Task Category: Mitigation - Unblock 192.168.0.1

Note: The computer will automatically be unblocked after a period of 8 hours if no action is taken by the Sophos Central Administrator so as to prevent a potentially valid application from being blocked indefinitely. If the remote attack re-occurs, it will be blocked again.

Issues to be aware of:

  • If the IP address of the remote computer changes following the attack (e.g. due to DHCP/NAT networking), the alert may not be raised against that remote computer in Sophos Central. If you do not know which computer triggered the detection you can resolve the server alert to unblock the IP address. If the remote attack occurs again, it will be blocked and report the new IP address.

  • A powered off computer that previously used the IP address that has since been re-assigned to a different computer, can also be alerted in Sophos Central as the originator of the attack. In such cases the alert can be resolved.

From Windows computers managed in Sophos Central where Intercept X is not installed

You will see:

  1. An alert for the Server in Sophos Central reporting the detection and which IP address it came from:

    CryptoGuard detected a ransomware attack from 192.168.0.1

  2. An alert for the Computer in Sophos Central where the attack originated:

    CryptoGuard detected a ransomware attack from this device against SERVERNAME

  3. Two Application Event logs are created on the Server:

    • Task Category: Mitigation - detailing the IP address of the remote computer and the targeted files.
    • Task Category: CryptoGuard - detailing the IP address of the remote computer, the list of files and the attack being intercepted and blocked.

Note: In this state the server blocks any Write access requests from the remote computer.

Required actions:

  1. If you have a license for Intercept X:

    1. Install Intercept X to the computer triggering the remote attack to capture future attacks
    2. In Sophos Central select both alerts and click Mark As Resolved.

  2. If you do not have a license for Intercept X  see Ransomware: Information and prevention for information on troubleshooting issues.

From computers that are not managed in Sophos Central

You will see:

  1. An alert for the Server in Sophos Central reporting the detection and which IP address it came from:

    CryptoGuard detected a ransomware attack from 192.168.0.1

  2. Two Application Event logs are created on the Server:

    • Task Category: Mitigation - detailing the IP address of the remote computer and the targeted files.
    • Task Category: CryptoGuard - detailing the IP address of the remote computer, the list of files and the attack being intercepted and blocked.

Note: In this state the server blocks any Write access requests from the remote computer.

Required actions:

  1. If the computer is one in your estate:
    1. If you have a license for Intercept X:
      1. Install Intercept X to the computer triggering the remote attack to capture future attacks
      2. In Sophos Central select both alerts and click Mark As Resolved.

    2. If you do not have a license for Intercept X, see Ransomware: Information and prevention for information on troubleshooting issues.

  2. If the computer is not one in your estate (e.g. Bring your own device), we recommend blocking access to the network from the IP address reported so it is not a risk to other computers. This will need to be done via your own infrastructure (e.g. Firewall, proxies).

Adding Exclusions

When adding an exclusion for a CryptoGuard detection on a Windows server, the process being excluded will be locked until the Alert is acknowledged. To do this:

  • In Sophos Central select the alert and click Mark As Resolved.

CryptoGuard detection on Mac OS X platforms

Any detections can be seen in the Sophos UI, and on the Sophos Central dashboard. When a detection occurs, files that have recently been encrypted by the application in question will be restored, and the process blocked from modifying further files. Manual cleanup may be required.

If the system is licensed for CryptoGuard, Sophos Central can turn it on and off for systems. On the local computer, an icon will show in the Sophos Preferences window, allowing this service to be enabled/disabled (protected by Tamper Protection), once it has been enabled by Sophos Central for the first time.

This runs as a separate process called SophosCryptoGuard, and uses a kernel extension (kext) named SophosFileMonitor. These will not be loaded until CryptoGuard has been enabled in Sophos Central.

This will generate a Root Cause Analysis that is uploaded to Sophos Central. You can find out more in the KB Sophos Central Admin: Overview of Threat Cases 

Related information

Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.

Article appears in the following topics

Did this article provide the information you were looking for?

Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.

Sophos Footer