New Threat Search

Good day,
Has anyone had the opportunity to try the new Threat Search section in Sophos Central? A moment ago I tried it with the hash of WannaCry, and it did not show any results.
I would like to know if someone could try it and see whether it works or not.
Thank you
regards
Mariano

  • I searched for:

    3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

    which is a version of psexec I have on my computer and it was found.

    Regards,
    Jak

  • In reply to jak:

    hi jak,
    I did the same search as you with that hash and did not find anything; is there something special to configure for Threat Search to work?
    Thank you
    regards

  • In reply to mariano doque:

    Assuming that is the same checksum as the particular version you have. Finding the file on disk that has been picked up, that file was signed on the 28th June 2016, so an old one.

    How long ago did you install the software at the client?  I suspect it takes a while to perform an inventory and upload the data.

    If I search the C:\ProgramData\Sophos\Endpoint Defense\Data\ directory for that hash value I find it in this SQLite DB file:

    C:\ProgramData\Sophos\Endpoint Defense\Data\Edr Saved Data\EdrTrickleFeed.sqlite

    ...and in:
    C:\Program Files\Sophos\Endpoint Defense\
    I see SspEdr.exe which is launched as a child process to C:\Program Files\Sophos\Endpoint Defense\SSPService.exe, so I suspect there is a gathering and submit stage the EP needs to continually go through to supply the data to Central which will not happen immediately.

    Regards,
    Jak

  • In reply to jak:

    Jak

    Thank you very much for your response, I will try to update my pc and I will verify it again.

    Regards

  • In reply to mariano doque:

    Hi Mariano,

    The threat search allows you to search for potential threats on your network; this will not search like VirusTotal. 

    You said, 'I did it with the hash of the wanna cry, and it did not show any results.'

    I would hope this to be the case; I wouldn't expect WannaCry to be on your machine.

    Take a hash of a file on your machine, and then do a search.

    Regards,

    Stephen

  • In reply to StephenMcKay:

    Hello Stephen McKay
    Thank you very much for clarifying the matter, I am going to prove it.
    Regards

  • In reply to mariano doque:

    I just did a search with the HASH value for PSEXEC and it found it on my machine.  At least I know it works.
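
The steps the thread converges on (hash a file that is actually present on the endpoint, then check whether that hash has been recorded locally before expecting Central to show it) can be scripted. The following is an added example, not code from the thread or from Sophos: it computes the SHA-256 of a file and then does a plain byte-string search for that digest across a data directory, the same thing Jak did by hand against `C:\ProgramData\Sophos\Endpoint Defense\Data\`. The path constant is taken from the thread; the file layout inside `EdrTrickleFeed.sqlite` is not known from the thread, so the search deliberately treats every file as an opaque blob rather than assuming a schema. The `demo()` function builds a constructed stand-in directory in a temp folder so the script runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# Directory named in the thread as holding the endpoint's saved EDR data.
# Only a default; pass any directory to files_containing_hash().
DEFAULT_DATA_DIR = r"C:\ProgramData\Sophos\Endpoint Defense\Data"


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 hex digest of a file, read in chunks so large binaries do not
    need to fit in memory. This is the value to paste into Threat Search."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def files_containing_hash(directory, hexdigest: str) -> List[str]:
    """Return the files under `directory` whose raw bytes contain the digest.

    The digest is looked for as lower- and upper-case ASCII hex and as
    UTF-16-LE, so the check does not depend on how the store encodes text.
    Files that cannot be opened (locked by a service, permissions) are skipped.
    """
    needles = [
        hexdigest.lower().encode("ascii"),
        hexdigest.upper().encode("ascii"),
        hexdigest.lower().encode("utf-16-le"),
        hexdigest.upper().encode("utf-16-le"),
    ]
    hits = []
    for root, _dirs, names in os.walk(directory):
        for name in names:
            p = os.path.join(root, name)
            try:
                with open(p, "rb") as f:
                    blob = f.read()
            except OSError:
                continue
            if any(n in blob for n in needles):
                hits.append(p)
    return sorted(hits)


def demo() -> Tuple[str, List[str]]:
    """Constructed walkthrough: a fake sample file, a fake data directory with
    one file that records the sample's hash and one that does not."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample_tool.exe"
        sample.write_bytes(b"MZ constructed sample, not a real executable\n")
        digest = sha256_of_file(sample)

        data_dir = Path(tmp) / "Edr Saved Data"  # name mirrors the thread
        data_dir.mkdir()
        # Constructed stand-in for the trickle-feed store: the digest embedded
        # among other bytes, which is all the byte search relies on.
        (data_dir / "EdrTrickleFeed.sqlite").write_bytes(
            b"CONSTRUCTED\x00" + digest.encode("ascii") + b"\x00"
        )
        (data_dir / "unrelated.db").write_bytes(b"nothing relevant here")

        hits = files_containing_hash(data_dir, digest)
        return digest, [os.path.basename(h) for h in hits]


if __name__ == "__main__":
    digest, hits = demo()
    print("hash:", digest)
    print("recorded in:", hits)
```

A hit in the local store only tells you the endpoint has recorded the file; as Jak notes, there is still a gather-and-submit stage before Central can return it, so a hash that is present locally but absent in Threat Search points at upload lag rather than at a hashing mistake, while a hash that is absent locally as well (WannaCry on a clean machine) is the expected empty result Stephen describes.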