OK so Sophos Intercept X PrivGuard has detected malicious behaviour... OK, BUT FREAKING WHERE AND WHY?!

So I have this alert and I go to the cause tracker and attempt to pinpoint why InterceptX suddenly decided to alert me to PrivGuard malicious behaviour, but I can't find what caused the alert... sure, it was Chrome... but honestly, saying "Chrome caused it" is like saying "it's MOM'S fault!" So in the end, what the hell caused that, and why am I getting it?!


It's stuff like that that makes me think you aren't ready for a release. I mean, your back track tool (which won't be named) is nice, but it does not capture these points. Sure, I want to know who installed what and where, but if my Chrome keeps pinging every 20 seconds because of a malicious behaviour that was installed prior to the implementation of your solution, then I would like to know where to look and why.

  • The most detailed information about the specific alert from the HMPA component is probably in the 911 Application Event Log entry. Can you post it? I assume it's pretty much the same each time?

    The data captured in the snapshot file generated by the data recorder service (to create the RCA) might have some info you can use in its raw state.

    You might find it under here: C:\ProgramData\Sophos\Sophos System Protection\Data\ ... in a tgz.
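To follow the two pointers in the reply above on the affected host, here is an added PowerShell snippet (my own, not from the thread or from Sophos) that pulls the event ID 911 entries from the Application log, groups them to show whether the message really is the same each time, and lists the snapshot archives under the folder named above. It assumes the snapshots carry a .tgz extension as the reply says; the event provider name is not given in the thread, so events are matched on ID only.

```powershell
# Added example: triage an Intercept X / HMPA alert from the two sources the reply names.
# Assumptions: event ID 911 in the Application log is the alert record; snapshot archives
# end in .tgz under the ProgramData path from the thread. The provider name is not known
# from the thread, so events are matched on ID only; check the ProviderName column.
# Run from an elevated prompt so the ProgramData folder is readable.

$since = (Get-Date).AddDays(-7)

# 1. Pull the 911 events: when each fired, which provider wrote it, and the message text.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 911; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Application log events with ID 911 in the last 7 days."
} else {
    $events | Select-Object TimeCreated, ProviderName, Message | Format-List

    # 2. Group by message to answer "is it the same each time?" One group with a high
    #    count means a single recurring detection rather than several different ones.
    $events |
        Group-Object -Property Message |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ Name = 'FirstSeen'; Expression = { ($_.Group | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated } },
            @{ Name = 'LastSeen';  Expression = { ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated } },
            @{ Name = 'Message';   Expression = { $_.Name.Substring(0, [Math]::Min(120, $_.Name.Length)) } } |
        Format-Table -AutoSize -Wrap
}

# 3. List the raw snapshot archives the data recorder wrote, newest first, so the one
#    closest to the alert time can be pulled out and unpacked for inspection.
$snapshotRoot = 'C:\ProgramData\Sophos\Sophos System Protection\Data'
if (Test-Path $snapshotRoot) {
    Get-ChildItem -Path $snapshotRoot -Filter '*.tgz' -Recurse -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object LastWriteTime, Length, FullName |
        Format-Table -AutoSize
} else {
    Write-Host "Snapshot folder not found: $snapshotRoot"
}
```

Match the LastWriteTime of a snapshot against the TimeCreated of a 911 event to pick the archive that belongs to a given alert.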