This article provides an overview on the Threat intelligence information displayed in Central for a Threat Case.
This feature is only available to customers with an Intercept X or Intercept X Advanced with EDR license.
Threat cases let you investigate and clean up malware attacks. You can find out where an attack started, how it spread, and which processes or files it has affected. This helps you improve security.
If you have an Intercept X Advanced with EDR license, you can also do the following:
Applies to the following Sophos product(s) and version(s): Central Intercept X, Sophos Central Admin
The following sections are covered:
The threat cases analysis screen displays a simplified event chain, a summary, details of the artifacts (processes, files, keys) affected, and a diagram showing how the threat developed. The following example displays an HPmal/Eicar-A detection triggered by downloading the file sophos_hips_test.exe from a website using Internet Explorer 11:
Selecting a portable executable (PE) file in the view will launch a Threat Intelligence fly-out window. This provides further process details, such as the reputation of the file, path, name, PID, the executing user, SHA256, start/end time and duration. The following example shows the available intelligence on the process associated with Internet Explorer 11:
For files that have not been submitted, and to see further detailed intelligence, click Request latest intelligence. This sends a request to the computer to upload the file to SophosLabs. The following will appear whilst the file is being uploaded:
Note: If the file no longer exists on the computer, this operation will fail.
Once the file has been analysed, the following additional information will be displayed:
This page shows an assessment of the item's reputation and tells you if you need to investigate.
The reputation score signifies the trustworthiness of a file. Sophos scores the reputation of a file on a sliding scale from 0 (Bad) to 100 (Good).
Known clean files are marked in the GREEN section of this scale and known malicious files are marked in the RED section.
The reputation score for a file goes up or down this scale based on many factors, including when and how many times the file was seen by Sophos and the file's static and behavioral properties.
When a file is seen for the first time it may get a reputation in the Unknown range (orange) as it is a new file. After Sophos has had a chance to evaluate the file the reputation score may move to the Known bad or Known good range.
This page shows the file's reputation and prevalence. It also summarizes the results of our machine learning analysis, which indicate how suspicious the file is:
The prevalence level shows how often the file has been seen by SophosLabs (e.g. rare, low, medium, common, popular). First seen is the time-stamp of when the file was first seen in the wild by SophosLabs. Last seen is the time-stamp of when the file was last seen in the wild by SophosLabs.
This page provides further information on the Machine learning analysis from the Report summary page:
The Attribute output shows what proportion of clean to malicious files have those particular properties. The information under Known bad files and Known good files provides a way to determine how suspicious the attributes are and can be used to work out whether your file is more likely to be good or bad. The following provides information on a number of the attributes you may see listed:
The Code similarity output shows whether the file matches a list of known good or known bad files and reports the closest matching files. Along with the Attribute output this can be used to determine whether your file is more likely to be good or bad.
The File/path output shows whether the file path matches a list of known good or known bad file paths. Along with the Attribute and Code similarity output this can be used to determine whether your file is more likely to be good or bad.
This page provides further information on the file itself such as Product, File type, Copyright information, File version, Company name, File size and timestamp:
This page provides further detailed information on the actual file such as Certificate details, PE file sections and PE imports:
The PE file sections table displays information such as code, data, imports and resources. Section names may indicate certain packers, certain compilers, certain functionality, etc. Malware can make it really obvious and have strings in there that shout out "I'm bad": expletives, functionality, slang, etc.
There is also information detailing how big the various sections are, on disk and in memory. Sometimes a section will be very small or very big, and sometimes it exists only on disk or only in memory. You also get the entropy of the section, and whether it's Readable, Writable, or Executable. All of this helps you understand whether the section is packed, contains data, contains code, or is weird or unusual.
For further information on Section Table see https://docs.microsoft.com/en-gb/windows/desktop/Debug/pe-format#section-table-section-headers.
The PE imports section shows which DLLs the file imports code from, and it expands out to show specifically which APIs are imported from them. You can see DLLs used for network activity, or APIs that might help password extraction. Again, the DLLs may have really obvious names, or may be specific enough that searching for them in a web browser indicates that they're suspicious or malicious, and hence that the file importing from them is the same.
You may also see PE exports, which show what code the file makes available for other files to use. And again, this could be generic, or very obviously bad.
For further information on PE imports see https://docs.microsoft.com/en-gb/windows/desktop/Debug/pe-format#import-library-format. For further information on PE exports see https://docs.microsoft.com/en-gb/windows/desktop/Debug/pe-format#the-edata-section-image-only.
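As an added illustration (not Sophos code and not part of the Threat Intelligence view), the following Python walks a PE section table and derives the properties described above: size on disk versus in memory, Readable/Writable/Executable flags and entropy, flagging the anomalies the text mentions. The image it inspects is a constructed, non-executable layout, and names such as `build_sample` and `parse_sections` are assumptions for this example only.

```python
import math
import struct

MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000  # IMAGE_SCN_MEM_* bits
SECTION_HDR = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: near 0 for padding, near 8.0 for packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def parse_sections(image: bytes) -> list:
    """Walk the PE section table and report the properties the Threat Intelligence view lists."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", image, pe_off + 6)  # NumberOfSections, SizeOfOptionalHeader
    table = pe_off + 24 + opt_size  # section headers follow the optional header
    out = []
    for i in range(nsec):
        name, vsize, _va, rawsize, rawptr, *_rest, chars = struct.unpack_from(SECTION_HDR, image, table + 40 * i)
        ent = entropy(image[rawptr:rawptr + rawsize])
        flags = "".join(f for f, bit in (("R", MEM_READ), ("W", MEM_WRITE), ("X", MEM_EXECUTE)) if chars & bit)
        notes = [msg for cond, msg in (
            (rawsize == 0 and vsize, "memory only (no data on disk)"),
            (vsize == 0 and rawsize, "disk only (never mapped)"),
            ("W" in flags and "X" in flags, "writable+executable (unpacking stub or self-modifying code)"),
            (rawsize and ent > 7.0, "high entropy (packed or encrypted)")) if cond]
        out.append({"name": name.rstrip(b"\0").decode(errors="replace"), "raw": rawsize,
                    "virtual": vsize, "flags": flags, "entropy": round(ent, 2), "notes": notes})
    return out


def build_sample() -> bytes:
    """Constructed, non-runnable PE layout (no optional header) used only to exercise the parser."""
    text = b"\x55\x8b\xec" * 20 + b"\x90" * 40  # low-entropy, code-like bytes
    packed = bytes(range(256))  # maximal-entropy stand-in for a packed section
    hdr_end = 0x40 + 24 + 3 * 40  # DOS header + PE signature/COFF header + three section headers
    sections = [(b".text", 0x1000, hdr_end, len(text), MEM_READ | MEM_EXECUTE),
                (b"UPX1", 0x2000, hdr_end + len(text), len(packed), MEM_READ | MEM_WRITE | MEM_EXECUTE),
                (b".bss", 0x3000, 0, 0, MEM_READ | MEM_WRITE)]
    img = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # DOS header with e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    for name, va, ptr, size, chars in sections:
        img += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), 0x1000, va, size, ptr, 0, 0, 0, 0, chars)
    return img + text + packed
```

Running `parse_sections(build_sample())` yields one record per section; the RWX, high-entropy UPX1 section and the memory-only .bss section each carry the corresponding note, while .text carries none.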
Click Search to find more examples of the selected file on your network. You can also do searches from the Threat Searches page or from the Threat Searches pane in the Dashboard. For more information
If a file is suspicious, you can use Clean and block. This cleans up the file (and associated files and keys) on any computer it's already on. It also adds it to a blocked list so that it can't run on other computers.
Blocked items can be accessed on the Settings > Blocked Items page.