
Root Cause Analysis show E-Mail Subject

Hi all,


When using the Root Cause Analysis, would I be able to see the mail which was carrying the malicious software, or would I only see Outlook.exe as the starting point? From what I can see, it would only show Outlook.exe and I would have to guess which was the relevant mail (which could have been deployed to a bunch of people).


Thx & BR
Dan



The Sophos Data Recorder service is the component responsible for recording system activity. It does this constantly in the background, on a loop if you like. This data includes processes created, modules loaded, file activity, network activity, etc. It's not really "aware" of applications such as Outlook and how they structure data.

When something interesting happens, a snapshot of this data is taken so that an RCA chain can be established, and any artefacts that are part of that chain are referenced.

In this case, unless there is a particular .msg file that was read from disk by Outlook.exe that you could use to identify it, I don't think it would be possible.

You would need something to scan the Exchange Store to find the malicious attachment. Something like PureMessage for Windows would do this.

Beyond that, sorting at the client for emails with attachments in a relevant timeframe would be the easiest. If it is detected by Sophos, which I assume it must be, then as the file is decoded from the MIME format to disk it would be picked up by the on-access scanner.

Regards,

Jak
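The reply above says the RCA chain will reference the artefact that was decoded from MIME to disk, but not the message it came from, and suggests sorting mails with attachments in the relevant timeframe. The following is an added example, not Sophos code and not part of the original thread, of how to close that gap offline: take the artefact's hash from the RCA chain, decode every attachment in an exported mailbox exactly as the mail client would, and report the message(s) whose attachment matches. It assumes the mailbox is available as RFC 5322/MIME messages (for example exported .eml files) and uses only the Python standard library; the messages, subjects, dates and the "dropper" payload are constructed sample data.

```python
"""Find the e-mail that carried an RCA artefact by hashing decoded attachments.

Added example (not Sophos code). Assumes the artefact is known by SHA-256 from
the RCA chain and that mail is available as MIME messages (e.g. exported .eml).
"""
import email
import hashlib
from datetime import datetime, timedelta, timezone
from email import policy
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_mail(subject, sent, attachments):
    """Construct a MIME message. Constructed sample data, not real mail."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "dan@example.invalid"
    msg["Subject"] = subject
    msg["Date"] = format_datetime(sent)
    msg.set_content("Please see the attached file.")
    for name, data, maintype, subtype in attachments:
        # Binary attachments are base64-encoded on the wire, as in real mail.
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


# Constructed mailbox: a benign mail, the carrier, a mail without attachments,
# and a later forward of the same attachment outside the time window.
T0 = datetime(2019, 6, 3, 9, 0, tzinfo=timezone.utc)
WINDOW = (T0 - timedelta(days=1), T0 + timedelta(days=1))
PDF_BYTES = b"%PDF-1.4 constructed dummy document"
PAYLOAD_JS = b"var s = new ActiveXObject('WScript.Shell'); s.Run('calc');"  # stand-in, not a real dropper
MAILBOX = [
    build_mail("Weekly report", T0 - timedelta(days=2),
               [("report.pdf", PDF_BYTES, "application", "pdf")]),
    build_mail("Invoice 4471 overdue", T0 + timedelta(minutes=12),
               [("invoice_4471.js", PAYLOAD_JS, "application", "octet-stream")]),
    build_mail("Lunch?", T0 + timedelta(minutes=30), []),
    build_mail("Fwd: Invoice 4471 overdue", T0 + timedelta(days=3),
               [("invoice_4471.js", PAYLOAD_JS, "application", "octet-stream")]),
]


def iter_attachments(raw: bytes):
    """Yield (subject, sent, filename, decoded_bytes) for each attachment.

    get_payload(decode=True) reverses the base64/quoted-printable transfer
    encoding, i.e. it produces the bytes the mail client writes to disk, which
    is what the on-access scanner and the RCA artefact hash refer to.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    sent = parsedate_to_datetime(msg["Date"])
    for part in msg.iter_attachments():
        yield str(msg["Subject"]), sent, part.get_filename(), part.get_payload(decode=True)


def find_carrier(mailbox, target_sha256, window=None):
    """Return mails carrying an attachment whose SHA-256 equals the artefact hash.

    window is an optional (start, end) pair of timezone-aware datetimes; mails
    sent outside it are skipped, mirroring "sort by timeframe" at the client.
    """
    hits = []
    for raw in mailbox:
        for subject, sent, name, data in iter_attachments(raw):
            if window is not None and not (window[0] <= sent <= window[1]):
                continue
            if sha256_hex(data) == target_sha256:
                hits.append({"subject": subject, "sent": sent.isoformat(), "attachment": name})
    return hits


if __name__ == "__main__":
    # In practice the hash comes from the artefact listed in the RCA chain.
    for hit in find_carrier(MAILBOX, sha256_hex(PAYLOAD_JS), WINDOW):
        print(hit)
```

Matching on the decoded attachment's hash rather than its filename is deliberate: the copy the client writes to its temporary folder can carry a different name from the one in the MIME part, and several recipients may have received the same attachment under different subjects. Dropping the time window turns up every message in the export that carried the same file, which is the list you would want when the mail went to a bunch of people.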