• Sophos AMSI Protection Logging - Turn Off

    Jerome Nillasca
    Jerome Nillasca
    Dear All, Hope you are all doing well. I have a question regarding AMSI Sophos Protection. Is it okay to turn off AMSI logging? Turn off AMSI logging to resolve compatibility issues – Sophos Home Help Since we upgraded our workstations to Windows…
    • 10 months ago
    • Sophos Endpoint
    • Discussions
  • Disable automatic cleanup of PUA

    Lukas_lzs
    Lukas_lzs
    Hey there. I know this question has been asked a few years back, but i hope there is an update to this. I deployed Sophos CIXA on my PC and it started automatically deleting some of my trusted software i use as a network technician. The files…
    • Answered
    • 11 months ago
    • Sophos Endpoint
    • Discussions
  • SOPHOS and Hanwha camera servers with Windows OS.

    Sid Wallace
    Sid Wallace
    I am the admin for quite a number of Hanwha camera servers. Several in particular are in a school system. Once our servers were installed, unknown to us, they deployed SOPHOS on the servers. Now we are seeing numerous crashes, lockups, packet losses and…
    • 11 months ago
    • Sophos Endpoint
    • Discussions
  • Licensed XDR with NDR sensor?

    Andre Soares
    Andre Soares
    Hello, We have the Intercept X Advanced with XDR license, will we need a new license if we want to implement the NDR Sensor or does our license already include this sensor? When will it be released? Thanks André Soares
    • 11 months ago
    • Sophos Endpoint
    • Discussions
  • Sophos Endpoint - Cryptoguard Log Location

    Kyle Gibson
    Kyle Gibson
    My employees accidentally cleared an alert in Sophos Central for a ransomeware attack. Doing so erased all the detail information (File locations, etc.) Can someone point me to the log location so I can get that information from the log?
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Exclude Threat Detection "TA0005 - Defense Evasion"

    Colsam
    Colsam
    Our SAP server’s backup process, that is using certutil.exe, is detected as a defense evasion threat. In details the detection is Detection ID: WIN-EVA-PRC-CERTUTIL-DECODE-1 Command Line: certutil -decode password.b64 password.txt File Path: C:\Windows…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Sophos keeps notifying c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Exec_28a (T1059.001) and Exec_6a (T1059.001)

    Matteo Vinti
    Matteo Vinti
    Hello Everyone, I have tryied to search about this in the forum but couldn't find anything. My scenario is : XGS2100 Xstream protection + Endpoints with advanced Threat protection. I keep receiving this two alerts but I have tried to see what to do…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Cryptoguard detect ransomware in $programfiles\Sophos\Endpoint Defense\SEDService.exe

    LMSIIATO
    LMSIIATO
    Hi to all, I'm confused about a cryptoguard detection, it seems they found ransomware on a component of sophos itself. id: {"type":3,"data":"10HWczOjodtRTCUtmJysJQ=="} family_id: a1e45bc2-168e-553c-f81a-5e712666d413 process_alias_path…
    • Answered
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Manual PUA cleanup required: 'PsExec'

    Andrew Rouse
    Andrew Rouse
    Hey Everyone, Scratching my head over how to deal with this PAU as I can't find much information on it on the old Google box. The identified PAU is PsExec located within the ZIP WPJCleanUp, PsExec as well as WPJCleanUp are legitimate Windows resources…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Is it possible to exclude a process from data lake detections?

    Travis_Dadmin
    Travis_Dadmin
    Good morning, We use Faronics Deep Freeze in our environment on shared-use PCs in classrooms and computer labs. We are experimenting with turning on data lake uploads to start using the threat analysis center, and the Deep Freeze detections are very…
    • Answered
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • data exfiltration from server

    Ahmad
    Ahmad
    hi, i have installed CIXA for server on few servers. on 3rd of AUG 23 few of my server in LAN upon which cixa for servers were not installed, got hit by ransomware , file extension becom gasprom, i also have XG 310 at gateway level and turned on ATP…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Since the 28th of october I've been getting a message stating a scan will start. I perform a scan and nothing is found but everyday i get this message.

    Malcolm McFarlane
    Malcolm McFarlane
    Sophos home, Since the 28th of october I've been getting a message stating a scan will start due to ransomware detected a few days ago. I perform a scan and nothing is found but everyday i get this message. The file mentioned in the history is, C…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • IPS FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt

    Louis Havenga
    Louis Havenga
    Good day members. I Trust you are well. Our IPS report on Sophos Central shows the following IPS report. I have Traced the IP back to microsoft Data center. I would like to know is this a false positive as i have scanned the computers muliple times…
    • over 1 year ago
    • Sophos Central
    • Discussions
  • Block or log if user run any vba macro in office

    Onur Akcay
    Onur Akcay
    Hello, Is it possible to log or block if user tries to run any vba macro in office applications? Regards.
    • over 1 year ago
    • Sophos Central
    • Discussions
  • Can't adding application

    Adam Guan
    Adam Guan
    Hi I want to adding a appliction on device SJ32ACC but its told me error adding application , and I allow by SHA256 & key applicaion used by most organisations , could you help me to fix this issue ,thx?
    • over 1 year ago
    • Sophos Central
    • Discussions
  • Can PSTools be excluded for a single machine (for Sophos admin)?

    PaulC-SA
    PaulC-SA
    Just as the subject asks: Can PSTools be excluded for a single machine (for Sophos admin)? if so, how can I create that exclusion so that it's not alerting every time I try to download and install it? I don't want to create a global exclusion because…
    • Answered
    • over 1 year ago
    • Sophos Central
    • Discussions
  • Network threat Protection - Blocking PowerShell Login to MS Compliance search via the Localhost browser address

    jp_2006
    jp_2006
    Open Powershell 7 Connect-IPPSSession -UserPrincipalName User@domain.com MS login processes starts by trying to open a browser window with a local host address and a random port. The connection is refused and the login process to MS stops localhost…
    • Answered
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Manual malware cleanup required: 'Unknown Threat' at 'null'

    Antonio Lizares
    Antonio Lizares
    Hello. On some sophos endpoints the following error appears "Manual malware cleanup required: 'Unknown Threat' at 'null'". Could you tell me what this error refers to or how to solve it? The version in which this error appears is CoreAgent 2023.1.3.5…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Sharing violations on SMB share, Office, tmp files when saving (file in use by someone else)

    LHerzog
    LHerzog
    Users are working with Microsoft office files on SMB shares on windows servers. When working inhouse all is fine. When they work remotely via Sophos SSL VPN Client, some users cannot save documents or excel sheets on the network shares because office…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Sophos machine learning doesn't work?

    Andre Soares
    Andre Soares
    I'm doing a POC with Crowdstrike and on the test computer we received a file that was detected as ( RegistryPersistEdit ) by Crowdstrike's machine learning. Sophos detected nothing and let the file make changes to the Windows registry. Sophos machine…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Real-Time Scan Exclusion Variable\WildCard Confirmation

    Yogi_Bear_79
    Yogi_Bear_79
    I want to exclude the following (example) from real-time scanning: This directory ( 26e9f183-6e80-4436-8461-a67d55c5e4b1) is randomized within the user's profile temp directory c:\Users\testuser\Temp\26e9f183-6e80-4436-8461-a67d55c5e4b1 These files…
    • Answered
    • over 1 year ago
    • Sophos Central
    • Discussions
  • AMSI/Reflect-KA Detection

    Jones Malhotra
    Jones Malhotra
    Hello everyone, We get the following alert What happened: We could not clean up a threat. Where it happened: computer name Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe What was detected: AMSI/Reflect-KA How severe it…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Intercept X Advanced for Server with XDR

    Vincenzo Montoleone
    Vincenzo Montoleone
    Hi. We have Intercept X Advanced for Server with XDR on Windows 2012 Server Std ( not very fresh stuff ) and Intercept X Advanced for endpoints. My Q is: if I go for a vulnerability scanning on the server with - say tools like Nessus - should I got…
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • Can endpoint defense now intercept DSyscall process injection?

    ong! L
    ong! L
    I found that HPMA can already intercept, but sophos doesn't seem to have fusion rules yet
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
  • The Chinese characters in the notification on the WINDOwS10 Chinese system are garbled

    ong! L
    ong! L
    This error occurs in all notifications, not in specific cases
    • over 1 year ago
    • Sophos Endpoint
    • Discussions
<>