This article covers the steps that can be taken by customers to investigate detections they believe might be incorrect.
Sophos aims to maintain the highest possible detection rate for malicious activity while keeping the false positive rate (incorrect detections of non-malicious files) as low as possible; there is, however, always a risk of a detection being incorrect. To help customers investigate potential false positives and resolve or report them, we have provided the following advice.
If you are investigating a detection because you believe it might be incorrect, you are most likely doing this because the files being detected are part of a legitimate application, or because a user has reported an issue with their device after a detection.
It is important to treat every detection as malicious and not authorize anything in your environment unless you are confident it is safe to do so.
Potentially Unwanted Application (PUA) detections are not malicious, but the applications might not be what you want running on a corporate network. PUA detections may have names such as:
As PUAs are not malicious, it is up to you whether you want these applications in your environment. For more details, take a look at What is a potentially unwanted application (PUA)?
For malicious detections that you may wish to investigate further, some example detection names are:
When investigating a detection, it is essential to understand what information or context you already have about the file(s) being detected.
The table below lists malicious and clean indicators. Use these purely as indicators, not as confirmation that a file is malicious or clean: even a file that shows all of the clean indicators could still be malicious, and likewise a clean file may show many suspicious indicators.
Malicious indicators:
Detection of an unknown file, possibly with a random name, for example:
An executable file in a temp/user data location, e.g.:
Clean indicators:
Executable files that have a name relevant to the location or application they have been detected in. For example:
C:\Program Files (x86)\Acme Software\Installer\Acme Setup.exe
*Please note that legitimate applications are routinely abused by attackers, who for example use exploits or inject code into these applications in order to make them take malicious actions.
For Sophos Intercept X customers, a Threat Case may be generated after a detection has been reported. These can be found by logging into Sophos Central and going to Threat Analysis Center > Threat Cases.
Threat Cases can provide you with context about a detection as well as the root cause of how the file got onto the computer. This gives you valuable information, not only to help you understand the threats your network is facing but also to show what improvements could be made to reduce your attack surface. For more information on Threat Cases, including real world examples, please see Sophos Central: Threat Cases overview.
For example, in the Threat Case below for a Deep Learning ML/PE-A detection we can see the following (working left to right):
While Outlook, Word, CMD and PowerShell are all legitimate applications, this Threat Case provides you with information such as:
For more information about Threat Cases and other examples, please see: Sophos Central: Threat Cases overview.
Sometimes it may help you get an idea of whether a file is malicious by comparing the Sophos detection with those of other anti-virus vendors.
Websites like VirusTotal.com provide a very useful resource for this.
VirusTotal is a free-to-use service (owned by Google):
VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content. Any user can select a file from their computer using their browser and send it to VirusTotal.
While VirusTotal is a very powerful and easy-to-use resource, it is only an indicator of what other anti-virus vendors think about a file or URL, and it shouldn't be used as confirmation that a file is malicious or clean. Even if every other vendor is also detecting the same file, they could all be wrong. Likewise, if nobody is detecting it, that might be because it is a new zero-day attack that nobody yet has a detection for, not because it is a clean file.
The two easiest methods of using VirusTotal for file analysis are:
If a file has been detected and already cleaned up, you may not have a copy of it to upload. In these circumstances we suggest using the file's SHA-256 hash.
For Sophos Central customers, locating the SHA-256 hash of a detected or suspicious file is normally easy; for details on how to do this, please see: Sophos Central: How to locate a file's unique SHA-256 hash.
Note: For Sophos Enterprise Console customers, if a suspicious file is not being detected or you have a copy of a detected file, the easiest method is to upload it to VirusTotal. If you aren't able to do this, please contact Sophos Support for assistance.
After submitting a file or hash to VirusTotal you will most likely be presented with one of four scenarios:
Most or all vendors detect the file. This is a very strong indicator that the file is malicious and should be removed from your environment. A false positive is possible but unlikely, and it would not be advisable to authorize this file without first contacting Sophos Support for further advice.
Only a few vendors detect the file. In this situation it is difficult to make a decision: the vendors detecting the file might have just released protection, with the rest about to follow, or it can often mean that the majority of vendors have looked at the file and decided not to detect it while a few have decided they do (unfortunately there are a lot of gray areas in malware). It may also mean that the file is clean and a few vendors have incorrectly detected it as malicious. In this scenario it is best to look for the vendor names you recognize and believe to be reputable; detections from companies that have their own research labs, e.g. Sophos, Kaspersky, Microsoft, Symantec, are a better indicator.
No vendors detect the file. This is a strong indicator that the file is clean (not malicious). If you have no reason to think the file is suspicious, it is most likely safe to keep it in your environment. However, if you believe the file is suspicious, submit it to Sophos for further analysis via this page.
The file has not been seen before. This is a potential indicator that the file is malicious, as many malware families change and update regularly to avoid detection, or may be unique to every victim. However, it could also mean you have uploaded a clean but unique file, for example an application you or your organisation developed internally, or a Word document you wrote. It helps to understand the context of the file.
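Computing a suspect file's SHA-256 and sorting a VirusTotal report into the four scenarios above, as an added example that is not part of the Sophos article. It assumes the VirusTotal v3 API (`GET /api/v3/files/{sha256}` with an `x-apikey` header), uses a constructed sample report in place of a live lookup, and assumes a 50% cut-off between "most" and "a few" vendors, which the article does not define.

```python
import hashlib
import json
import urllib.error
import urllib.request
from typing import Optional

# The article names these as examples of vendors with their own research labs.
REPUTABLE_VENDORS = {"Sophos", "Kaspersky", "Microsoft", "Symantec"}
MAJORITY = 0.5  # assumed cut-off between "most vendors detect" and "a few detect"

def sha256_hex(source) -> str:
    """SHA-256 of in-memory bytes, or of a file path read in 1 MiB chunks."""
    h = hashlib.sha256()
    if isinstance(source, (bytes, bytearray)):
        h.update(source)
    else:
        with open(source, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
    return h.hexdigest()

def vt_lookup(sha256: str, api_key: str) -> Optional[dict]:
    """Fetch the VirusTotal v3 file report; None means VirusTotal has never seen the hash."""
    req = urllib.request.Request(f"https://www.virustotal.com/api/v3/files/{sha256}", headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:  # hash unknown to VirusTotal: the "not seen before" scenario
            return None
        raise

def triage(report: Optional[dict]) -> tuple:
    """Map a report onto the article's four scenarios; also list reputable vendors that detect it."""
    if report is None:
        return "not_found", []
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = ("malicious", "suspicious")
    verdicts = [r for r in results.values() if r["category"] in flagged + ("undetected", "harmless")]
    detecting = sorted(v for v, r in results.items() if r["category"] in flagged)  # engines that flagged it
    ratio = len(detecting) / max(len(verdicts), 1)  # share of engines that gave a verdict
    scenario = "none_detect" if not detecting else "most_detect" if ratio > MAJORITY else "few_detect"
    return scenario, [v for v in detecting if v in REPUTABLE_VENDORS]

# Constructed sample in the v3 response shape; not real VirusTotal data.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_results": {
    vendor: {"category": cat, "result": None} for vendor, cat in [
        ("Sophos", "malicious"), ("Kaspersky", "malicious"), ("ExampleAV", "undetected"),
        ("AnotherAV", "undetected"), ("ThirdAV", "type-unsupported")]}}}}
```

With a real key, `triage(vt_lookup(sha256_hex(path), key))` gives the same tuple for a live file; the sample report yields the "few vendors detect" scenario with Sophos and Kaspersky among them.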
Customers using Sophos Central have the ability to restore files after they have been cleaned up. This feature is designed to allow the restoration of files and their associated permissions, registry keys etc. after they have been incorrectly detected as malware and removed.
Note: Not all detected files will have an option to be restored. It is predominantly Portable Executable (PE) files that can be restored, which includes for example .exe, .dll and .sys files, whereas documents and scripts such as .doc, .xls and .js files cannot be restored.
To restore a file after a detection, please do the following:
By allowing detections by:
Note: Allowing an application by any of the above methods will result in the SHA-256, path or certificate being whitelisted for your entire Sophos Central managed environment. This means that if multiple devices detected the same file, it will be restored on all of them.
If you are unsure please contact Sophos Support.