
Sophos Enterprise Console doesn't log any hash of malicious files detected by the Sophos Endpoint agent

As far as I know, the hashes of the files that have been detected by the Sophos agent on clients are not logged (neither in the Console DB nor on the client side). Am I wrong?

Is there a way to retrieve the MD5, SHA1 or whatever hash for the files detected as malicious by the Sophos agent running on the client?

There is also a feature request about this here:

 - http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/7060110-sophos-enterprise-console-write-hash-value-in-mss

We tested this on Sophos Enterprise Console 5.2.2: does v. 5.3 include this basic feature?

I think this feature should have high priority to support the Incident Response phases.

  • Sorry about the confusion, as VIP I thought you were working for Sophos.

    Anyway, a good use case is the stacking technique, which might also include file hashes:

    https://www.mandiant.com/blog/indepth-data-stacking/

    I would say in general that antiviruses shouldn't be the only source of trust, but they can still provide a useful heads-up for investigation. Providing detected hashes of suspicious files is an example of information that you can use to extend the analysis of the status / health-check of your company's assets.

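The two ideas in this thread, hashing the files an AV agent flagged and then stacking those hashes across hosts to spot outliers, can be shown together in a small script. The following is an added example, not part of the original post and not Sophos code; it assumes nothing about where Sophos stores detected files and instead takes a list of `(host, path)` detection records (constructed here, written to a temporary directory) as its input. The `hash_file` helper streams each file once through MD5, SHA-1 and SHA-256 so that large files are not read three times, and a file that has already been cleaned up is recorded as an error rather than aborting the run.

```python
"""Hash enrichment and prevalence stacking for AV detection records (added example)."""
import hashlib
import os
import tempfile
from collections import defaultdict

CHUNK = 1 << 20  # read files in 1 MiB blocks


def hash_bytes(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 hex digests of an in-memory blob."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> dict:
    """Stream a file through all three digests in a single pass."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def enrich_detections(detections, reader=hash_file):
    """Attach hashes to (host, path) detection records.

    A missing or unreadable file (e.g. one the agent already removed) is kept
    in the output with an 'error' field so the gap is visible to the analyst.
    """
    out = []
    for host, path in detections:
        try:
            hashes = reader(path)
        except OSError as exc:
            hashes = {"error": str(exc)}
        out.append({"host": host, "path": path, **hashes})
    return out


def stack_by_hash(records):
    """Stacking: group records by SHA-256 and list the distinct hosts for each."""
    hosts = defaultdict(set)
    for r in records:
        if "sha256" in r:
            hosts[r["sha256"]].add(r["host"])
    return {h: sorted(hs) for h, hs in hosts.items()}


def rare_hashes(stacked, max_hosts=1):
    """Hashes present on at most max_hosts hosts are the outliers worth a closer look."""
    return {h: hs for h, hs in stacked.items() if len(hs) <= max_hosts}


if __name__ == "__main__":
    # Constructed sample: three hosts share one flagged file, one host has a second, unique one.
    with tempfile.TemporaryDirectory() as tmp:
        common = os.path.join(tmp, "common.bin")
        unique = os.path.join(tmp, "unique.bin")
        with open(common, "wb") as fh:
            fh.write(b"widely deployed admin tool (constructed content)")
        with open(unique, "wb") as fh:
            fh.write(b"seen on a single host only (constructed content)")
        detections = [("ws01", common), ("ws02", common), ("ws03", common),
                      ("ws03", unique), ("ws04", os.path.join(tmp, "already-cleaned.bin"))]
        records = enrich_detections(detections)
        for r in records:
            print(r["host"], r.get("sha256", "ERROR: " + r.get("error", "")))
        stacked = stack_by_hash(records)
        print("rare:", rare_hashes(stacked))
```

Run it as-is to see the enrichment output and the single rare hash; in practice the `detections` list would be fed from whatever export of detection events is available, and the `max_hosts` threshold tuned to the fleet size.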