  • Exclude Threat Detection "TA0005 - Defense Evasion"

    Colsam
    Our SAP server's backup process, which uses certutil.exe, is detected as a defense evasion threat. In detail, the detection is Detection ID: WIN-EVA-PRC-CERTUTIL-DECODE-1 Command Line: certutil -decode password.b64 password.txt File Path: C:\Windows…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Sophos keeps notifying c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Exec_28a (T1059.001) and Exec_6a (T1059.001)

    Matteo Vinti
    Hello everyone, I have tried to search about this in the forum but couldn't find anything. My scenario is: XGS2100 Xstream protection + endpoints with advanced threat protection. I keep receiving these two alerts but I have tried to see what to do…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Cryptoguard detects ransomware in $programfiles\Sophos\Endpoint Defense\SEDService.exe

    LMSIIATO
    Hi to all, I'm confused about a CryptoGuard detection; it seems they found ransomware on a component of Sophos itself. id: {"type":3,"data":"10HWczOjodtRTCUtmJysJQ=="} family_id: a1e45bc2-168e-553c-f81a-5e712666d413 process_alias_path…
    • Answered
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Manual PUA cleanup required: 'PsExec'

    Andrew Rouse
    Hey everyone, scratching my head over how to deal with this PUA as I can't find much information on it on the old Google box. The identified PUA is PsExec located within the ZIP WPJCleanUp; PsExec as well as WPJCleanUp are legitimate Windows resources…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Is it possible to exclude a process from data lake detections?

    Travis_Dadmin
    Good morning, We use Faronics Deep Freeze in our environment on shared-use PCs in classrooms and computer labs. We are experimenting with turning on data lake uploads to start using the threat analysis center, and the Deep Freeze detections are very…
    • Answered
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Data exfiltration from server

    Ahmad
    Hi, I have installed CIXA for Server on a few servers. On 3rd of Aug 23 a few of my servers in the LAN, upon which CIXA for Servers was not installed, got hit by ransomware; the file extension became gasprom. I also have XG 310 at gateway level and turned on ATP…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Since the 28th of October I've been getting a message stating a scan will start. I perform a scan and nothing is found, but every day I get this message.

    Malcolm McFarlane
    Sophos Home. Since the 28th of October I've been getting a message stating a scan will start due to ransomware detected a few days ago. I perform a scan and nothing is found, but every day I get this message. The file mentioned in the history is C…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • IPS FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt

    Louis Havenga
    Good day members. I trust you are well. Our IPS report on Sophos Central shows the following IPS report. I have traced the IP back to a Microsoft data center. I would like to know whether this is a false positive, as I have scanned the computers multiple times…
    • over 1 year ago
    • Sophos Central
    • Discussions
  • Block or log if a user runs any VBA macro in Office

    Onur Akcay
    Hello, is it possible to log or block it if a user tries to run any VBA macro in Office applications? Regards.
    • over 1 year ago
    • Sophos Central
    • Discussions
  • Can't add application

    Adam Guan
    Hi, I want to add an application on device SJ32ACC but it told me "error adding application", and I allow by SHA256 & key application used by most organisations. Could you help me to fix this issue? Thanks.
    • over 1 year ago
    • Sophos Central
    • Discussions
  • Can PSTools be excluded for a single machine (for Sophos admin)?

    PaulC-SA
    Just as the subject asks: Can PSTools be excluded for a single machine (for Sophos admin)? if so, how can I create that exclusion so that it's not alerting every time I try to download and install it? I don't want to create a global exclusion because…
    • Answered
    • over 1 year ago
    • Sophos Central
    • Discussions
  • Network threat Protection - Blocking PowerShell Login to MS Compliance search via the Localhost browser address

    jp_2006
    Open PowerShell 7: Connect-IPPSSession -UserPrincipalName User@domain.com. The MS login process starts by trying to open a browser window with a localhost address and a random port. The connection is refused and the login process to MS stops. localhost…
    • Answered
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Manual malware cleanup required: 'Unknown Threat' at 'null'

    Antonio Lizares
    Hello. On some sophos endpoints the following error appears "Manual malware cleanup required: 'Unknown Threat' at 'null'". Could you tell me what this error refers to or how to solve it? The version in which this error appears is CoreAgent 2023.1.3.5…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Sharing violations on SMB share, Office, tmp files when saving (file in use by someone else)

    LHerzog
    Users are working with Microsoft Office files on SMB shares on Windows servers. When working in-house all is fine. When they work remotely via the Sophos SSL VPN Client, some users cannot save documents or Excel sheets on the network shares because Office…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Sophos machine learning doesn't work?

    Andre Soares
    I'm doing a POC with Crowdstrike and on the test computer we received a file that was detected as ( RegistryPersistEdit ) by Crowdstrike's machine learning. Sophos detected nothing and let the file make changes to the Windows registry. Sophos machine…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Real-Time Scan Exclusion Variable\WildCard Confirmation

    Yogi_Bear_79
    I want to exclude the following (example) from real-time scanning: This directory ( 26e9f183-6e80-4436-8461-a67d55c5e4b1) is randomized within the user's profile temp directory c:\Users\testuser\Temp\26e9f183-6e80-4436-8461-a67d55c5e4b1 These files…
    • Answered
    • over 1 year ago
    • Sophos Central
    • Discussions
  • AMSI/Reflect-KA Detection

    Jones Malhotra
    Hello everyone, We get the following alert What happened: We could not clean up a threat. Where it happened: computer name Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe What was detected: AMSI/Reflect-KA How severe it…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Intercept X Advanced for Server with XDR

    Vincenzo Montoleone
    Hi. We have Intercept X Advanced for Server with XDR on Windows 2012 Server Std (not very fresh stuff) and Intercept X Advanced for endpoints. My question is: if I go for a vulnerability scan on the server with, say, tools like Nessus, should I got…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Can endpoint defense now intercept DSyscall process injection?

    ong! L
    I found that HPMA can already intercept it, but Sophos doesn't seem to have fusion rules yet.
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • The Chinese characters in the notification on the Windows 10 Chinese system are garbled

    ong! L
    This error occurs in all notifications, not in specific cases.
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • DBJammer Ransomware on SQL Servers - EDR Queries if any?

    blueskies
    06961063 / Detection for dbjammer Ransomware / ref:_00D301GN6a._5003Z1bh7RS:ref https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/ Securonix…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Allow files downloaded from specific website or product name from such executable

    Gabriel Doring
    Hello, a client of ours has to download updates for their ERP software regularly and recently Sophos Endpoint has begun flagging it as a PUA. We allowed the hash on the global exclusions, but as we know, each update would have a different hash. Is…
    • Answered
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Exploit mitigation or ransomware wildcards and variables and using the "$" variable

    Slappy
    Anybody else tried using the "$" variable to exclude a filename and found it doesn't work? Looking at the article "Exploit mitigation or ransomware wildcards and variables - Sophos Central Admin", it says this: Variable / Example: $ = All available drives. For…
    • Answered
    • over 1 year ago
    • Sophos Central
    • Discussions
  • Pen testing and no notification

    Shay Hanya
    Hi, one of our customers did a pen test. They ran Nesson, port scans and all kinds of queries; in the Sophos portal there is nothing in the logs or in the detections. Man in the middle: nothing from Sophos and nothing in the logs. Maybe there is a problem…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Sophos home premium scripts detection and type of technologies

    Fabio Danzetta
    Hi all, I know this is not the right forum, but Sophos Home Premium doesn't have a dedicated forum, so since it is based on the same technologies as the endpoint version I will try to post here. Two questions, the first of which is probably silly. 1…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions