
What does Sophos Intercept X Advanced do when it detects a file as infected? What is the next step?

Hi All,

One of our potential customers asked us what Sophos Intercept X Advanced (cloud version) does when it detects a file as infected. According to me, it follows this process, but I am not sure that is correct.

Step 1 - It will block access to the file.

Step 2 - It will try to clean up the file (if automatic cleanup is enabled).

Step 3 - If cleanup fails, it will ask for manual cleanup.

I want to understand what CLEANUP means. Will it remove the infected part and restore the original file? (Very improbable, as the virus could have messed with the file.) Or does it directly go for deletion of the file?

If some important file is infected, will Sophos directly delete the entire file? (I say this because I tested this on one file and Sophos just deleted it and said threats cleaned up.) Does Cleanup = Delete OR block access OR disinfect?

Can someone please help me to understand the sequence of decisions taken by Sophos on finding an infected file?

I saw one explanation by QC in this thread too:

  • Hi Kandarp,

    If "Automatic Cleanup" is enabled, Sophos will remove the infected file. If Automatic Cleanup is disabled or the cleanup fails, then it will be put in quarantine until manual cleanup can occur, wherein it will block access.

    Disinfection is a very ambiguous process because in some cases you know where the legitimate file starts/ends and the malicious code starts/ends, but it's never the same case to case. For instance, in an infected .docm you can just strip macros, but what about a code-caved PuTTY executable?

    I'm fairly certain there is no "disinfection" process in Sophos AV/IX; someone can correct me if I'm wrong, as I've never thought about it.

    Emile

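Emile's ".docm" case, as an added example that is not part of the thread and not Sophos code (it makes no claim about what Sophos Clean actually does): in an OOXML document the VBA project is a separate zip member, so the boundary between document content and macro payload is known, and disinfection can mean removing only that member and the entries that reference it. The sample document is constructed inline, with a placeholder blob in place of a real VBA project.

```python
import io
import re
import zipfile

VBA_MEMBER = "word/vbaProject.bin"
# Members that belong to the macro project; everything else is document content.
VBA_PARTS = (VBA_MEMBER, "word/vbaData.xml", "word/_rels/vbaProject.bin.rels")
MACRO_CT = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def strip_macros(docm_bytes):
    """Return (cleaned .docx bytes, names of the members that were removed)."""
    removed = []
    src = zipfile.ZipFile(io.BytesIO(docm_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name in VBA_PARTS:
                removed.append(name)
                continue
            if name == "[Content_Types].xml":
                # Drop the content-type overrides for the VBA parts and declare the
                # main part macro-free, so the result is a plain .docx.
                data = re.sub(rb'<Override[^>]*PartName="/word/vba[^"]*"[^>]*/>', b"", data)
                data = data.replace(MACRO_CT, PLAIN_CT)
            elif name == "word/_rels/document.xml.rels":
                # Drop the relationships that point from the document body to the VBA parts.
                data = re.sub(rb'<Relationship[^>]*Target="vba[^"]*"[^>]*/>', b"", data)
            dst.writestr(name, data)
    return out.getvalue(), removed


def read_member(doc_bytes, name):
    """Read one zip member, or None if it is absent (used to verify the result)."""
    z = zipfile.ZipFile(io.BytesIO(doc_bytes))
    return z.read(name) if name in z.namelist() else None


def build_sample_docm():
    """Constructed minimal .docm; the VBA part is a placeholder blob, not real macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b'<Types><Override PartName="/word/document.xml" ContentType="'
                   + MACRO_CT + b'"/><Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        z.writestr("word/document.xml", b"<w:document><w:body><w:p>Quarterly report</w:p></w:body></w:document>")
        z.writestr("word/_rels/document.xml.rels", b'<Relationships><Relationship Id="rId1" '
                   b'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>')
        z.writestr(VBA_MEMBER, b"PLACEHOLDER-VBA-BLOB")
    return buf.getvalue()
```

The contrast with Emile's PuTTY case is the point: here the payload has a fixed location and its references are declared, whereas code caved into an executable's slack space has no such boundary to cut along.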
  • Hi Emile, thanks for your reply.

    I think there is also no quarantine folder as such? The file is quarantined (access blocked) at the same location where it is. Please correct me if I am wrong.

  • Hello Kandarp,

    Yes, that is correct, the file is locked in the location it was found in :)

    Emile

  • How does Sophos lock a file that is already in process with another application?

  • Hi Grifter,

    AFAIK, now this is like those memories in a shoebox under your stairs so someone may have to double check.

    If an exploit is detected, it is blocked, then Sophos Clean is activated to examine the processes, files and memory segments in use for malicious activity. If Clean detects that the file in use has malicious content, then I believe it removes the process's locks and attempts cleanup. If this fails, it will re-attempt with the process closed.

    I'm fairly certain that is the case, but as I said, that's a shoebox-under-the-stairs memory.

    Emile