Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
We'd love to hear about it! Click here to go to the product suggestion community
Reaching out to the community because I can't find any further info in Sophos' documentation. Have alerts for a machine hit with CXmail/EncDoc. Have deleted the infected doc but would like to know:
1. What does it do and could it have downloaded or spawned other malware, spawned process, stolen credentials, logged keystrokes etc etc. Need this both to check for evidence of other actions and to log it internally.
2. Having just deleted the infected file is that all the remediation I need to do? Have scanned the machine since removal and got a green light but this feels a bit lightweight in terms of ensuring the machine can be returned back into service.
All the best
What application did you open or download the doc with and how did you open.
ONLY an Example-
i.e. if you download an attachment from outlook and open in word it is where you saved it, plus in the temp folders for word.
If you opened it through outlook via preview it would be in the temp folders for outlook.
There is a Sophos page here: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/CXmail~EncDoc-B.aspx
What I have been trying to figure out is. Does Sophos give malicious code their own Sophos approved name or is this something generic used everywhere, each time I search for them the only reference I find is Sophos which leans me towards their own naming.