
CryptoGuard Was Detected

Hello,


A part of the alert that we receive from Sophos says "What was detected: CryptoGuard". Isn't CryptoGuard Sophos's Intercept X component? Why does it say CryptoGuard was detected? Is it detecting its own product as malware?


Please throw some light on it.



  • Are you sure it's not a CryptoGuard detection? If so, you will have a 911 event ID in the Application event log.

    The Event list at the endpoint would also reference this.

    C:\ProgramData\HitmanPro.Alert\Logs\sophos.log
    should also be useful.

    Regards,

    Jak

  • Hello Jak,


    This is the alert that we received

    What happened: We detected ransomware trying to encrypt files.

    Where it happened: ---

    Path: /Applications/Adobe Photoshop CC 2017/Adobe Photoshop CC 2017.app/Contents/MacOS/node

    What was detected: CryptoGuard

    User associated with device: ---

    How severe it is: High


    As it clearly says, CRYPTOGUARD was detected. Why does it say CryptoGuard was detected? What is CryptoGuard? Isn't it an Intercept X component?


    Also, there are 100s of alerts over the week. Do you mean I should log in to each of the PCs and check the 911 event? That's ridiculous. Is there any way I can determine it's a false positive without having to reach the user and get the logs? We manage 1000s of endpoints. It's not possible to request an SDU every time I get an alert.

  • CryptoGuard is a component of Intercept X to prevent ransomware, i.e. a malicious process encrypting your important files.

    I can only assume that maybe there is some batch process taking place which is updating existing files at a rate that looks malicious.

    I think you'll have to open a ticket for this to understand why. I'm guessing you're seeing this just on Macs?

    Regards,
    Jak

  • Yes! I'd say almost only on Macs. What do you think is happening? Do we have to check the logs each time we get an alert?

  • Also, why does the alert notification say "What was detected: CryptoGuard"? What does it mean? If the application is detected as ransomware, why does it tag CryptoGuard as ransomware?

  • Hello G33k,

    That means that CryptoGuard detected ransomware activity. You can find more info in the path provided (looks like an Adobe app).

    Please follow these articles for next steps:
    CryptoGuard Ransomware Protection
    To find more details about a detection, see CryptoGuard detections on Mac OS X platforms

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
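Jak's first reply points to Event ID 911 in the Application event log as the local record of a CryptoGuard detection, and the original poster's concern is triaging hundreds of such alerts without logging in to each PC. The following PowerShell is an added example, not code from the thread or from Sophos: it pulls those 911 events from a list of Windows endpoints and summarises them per machine so repeated hits from the same process stand out. It assumes remote event log access (WinRM or RPC) is permitted from the admin host; the computer names are constructed placeholders, and the provider name is an assumption that can be removed if it does not match your installation.

```powershell
# Added example: collect CryptoGuard Event ID 911 records from several
# Windows endpoints' Application logs and summarise them for triage.
# Event ID 911 comes from the thread; the ProviderName filter is an assumption.

$Computers = @('PC-001', 'PC-002')     # constructed placeholders; use your inventory
$Since     = (Get-Date).AddDays(-7)    # look back one week, matching the poster's window

$filter = @{
    LogName   = 'Application'
    Id        = 911
    StartTime = $Since
}

$events = foreach ($c in $Computers) {
    try {
        Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction Stop |
            # Assumed provider name; drop this Where-Object if it filters everything out.
            Where-Object { $_.ProviderName -like 'HitmanPro*' -or $_.ProviderName -like 'Sophos*' } |
            Select-Object @{ n = 'Computer'; e = { $c } }, TimeCreated, ProviderName, Message
    }
    catch {
        # Unreachable or unauthorised hosts are reported, not silently skipped.
        Write-Warning "$c : $($_.Exception.Message)"
    }
}

# One summary row per endpoint: hit count, most recent detection, and the
# first lines of a sample message (which carries the detected process path).
$events |
    Group-Object Computer |
    ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Computer = $_.Name
            Hits     = $_.Count
            Latest   = $latest.TimeCreated
            Sample   = ($latest.Message -split "`r?`n" | Select-Object -First 3) -join ' | '
        }
    } |
    Sort-Object Hits -Descending |
    Format-Table -AutoSize -Wrap
```

Endpoints that repeatedly flag the same updater or backup binary are candidates for the "batch process updating files at a malicious-looking rate" explanation above, while a single hit from an unfamiliar path deserves the per-machine log review Jak describes.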
