
Process flagged as Ransomware

We have several applications (console/web/service) that share some code to encrypt/decrypt files. Sophos intermittently flags this as ransomware, whether it be from the host running the application or the file server. We have tried whitelisting the process names but still do see blocking issues.

Wondering if there is some way to embed some metadata into the processes that Sophos can read and we can whitelist this on our end. Does anyone know if something like this is possible?



  • Hello Jon Airey,

    (please no crossposts)

    whitelisting the process names
    how did you try to do it? AFAIK both Central Admin and SEC 5.5.1+ enable you to make exclusions - though this isn't done by whitelisting the process names but in response to the respective detections. If it's a Remote Detection then you'd likely have to turn off this feature on the server, as the only identifying attribute of the assumed attack is the remote IP.

    Christian

  • Hi Jon Airey,

    For the reported false positive detections Open a support ticket and provide the following information:

    1. Information on the application triggering the detection.
    2. A copy of the following folder or gather all folders if multiple folders exist: C:\Windows\CryptoGuard\reverted_xxx.
    3. The output of the Sophos Diagnostic Utility (SDU).

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support
