We just had our first hit for CryptoGuard.

 We got an alert this morning that it stopped a ransomware, but my only options are to mark it resolved or close it. I would like to find what click, process, or action triggered the problem, but I do not see anything in the logs that helps me. What am I doing wrong, and what information do I need to provide the forum?


  • Hi  

    Intercept X provides you the Root Cause Analysis feature which allows you to view a list of infections. After clicking on one, you are directed to an overview page with a Summary about the threat including: Detection name, Root Cause, Possible Data involved, Where and When it took place.

    For more information on the Root Cause Analysis feature, please have a read of KBA: Sophos Central: Root Cause Analysis overview

    For more information on Cryptoguard detections and required actions, please have a read of KBA: Sophos Central Managed Server, Sophos Central Managed Endpoint: CryptoGuard detections and required actions

    Hope that helps.



  • In reply to Karlos:

    Duh, click on the file in the Artifacts list and a new pane opens on the right side. Thank you.

    Sophos actually found a file left behind from a seven-year-old ransomware attack we experienced. We had removed and replaced from backup the affected files, but missed a directory. When a file from that directory was accessed this morning, Sophos caught it and stomped it.

    As an aside, who decided that light grey on white was a good UI design? I am seeing that all over software and the internet and it is very very hard to use. Just my Friday rant.