Greetings, I am a recent hire at my company and new to Sophos. I have been asked to investigate why files are piling up in the C:\Windows\Cryptoguard folder. They have consumed 20GB on our C drive, which is nearly out of space.

Our environment is:

Windows 2016 DataCenter
Amazon EC2 r5.4xlarge

RAM 126.54
c drive 5gb free out of 74.9!!!!
Core agent 2.2.5
Server AV
Server Intercept X 2.0.8
Last update signature update 7/10,7/16

We do have Sophos central, though I haven't seen it yet. 

Based on searches, it seems that this folder is used to hold files suspected of being ransomware. Is that correct? Last night Sophos was updated, and this morning there were 844 files added to the folder after reboot, where there had only been 6 since June.

Can someone please get me up to speed on what is going on and how to fix it? 

  • I would open a support case for this. You could have malware, or it could be a false positive, or it could have something to do with how (if) you are encrypting files on this server at rest or in motion that is causing Sophos to flag them. Whatever the reason, I would open a support case to get some help quicker than you may or may not get in here.

    Cryptoguard monitors all files and creates a backup of them in the folder c:\windows\cryptoguard\. We do not recommend deleting these files. I would request that you create a support case and PM me the details of the case so that I can have a close look.

    Hi Steven,


    I would like to update this query: why files are piling up in the C:\Windows\Cryptoguard folder


    The latest version of Intercept-X has resolved the issue. - Released 26/03/19


