CryptoGuard detected IP that tries to encrypt network share | Whitelist

Hi NXKI 

Please refer to this document as you can't whitelist that from your end. You need to report it as false positive.

Thanks for the reply but the document is not helpful. 

• Do nothing, the application will continue to be blocked

         Thats not working because the Tool needs the write access to the share on the file server 

• Turn off Protect document files from ransomware (CryptoGuard) in the Enterprise Console Exploit prevention policy to prevent the detection. Limit this to the affected computer/s.
  That is not a good Idea to turn off this feature on a File Server System. That why we bought it. 
  
  
• Acknowledge the alert. The detection will continue to be blocked until acknowledged.
  Thats also no solution cause the event will be triggered again and interrupt the documentation program. 
  
  
• Add an exclusion for the detected application only if the application is fully trusted by the customer.
  Which Application ? Its an IP detection that gets blocked.

Please help

Thanks for the reply but the document is not helpful. 

• Do nothing, the application will continue to be blocked

         Thats not working because the Tool needs the write access to the share on the file server 

• Turn off Protect document files from ransomware (CryptoGuard) in the Enterprise Console Exploit prevention policy to prevent the detection. Limit this to the affected computer/s.
  That is not a good Idea to turn off this feature on a File Server System. That why we bought it. 
  
  
• Acknowledge the alert. The detection will continue to be blocked until acknowledged.
  Thats also no solution cause the event will be triggered again and interrupt the documentation program. 
  
  
• Add an exclusion for the detected application only if the application is fully trusted by the customer.
  Which Application ? Its an IP detection that gets blocked.

Please help

Hello NXKI 

This document has the different scenarios for Cryptoguard detections and actions that are available and should be performed on both the server, and an endpoint where the detection was coming from.

Can you simply just help me rather then posting knowledge base article ?

As you can see it seems I have read them and still dont understand what to do. 

Also you can force one of your colleagues to reply to my high importance sophos case that is open till 2 days with out help: [#9844453] 

THANKS

Hi NXKI 

Thank you for the case number.

I have reviewed the case and can see that you replied on the case after following up from the assigned engineer. 

I'd still suggest you collect the SDU from the Server which is in question and also from one of the clients which are used to access this application.

I'll let him know to get back to you as soon as possible once he has all the information regarding the situation and the logs.

Thanks for the reply.

I will submit both immediately to the case. 

Hi NXKI 

You're welcome. I have also informed the assigned engineer about the case.

I got a quick phone call from a technician and I should submit the SDU's.

I send the SDU's logs 5 days ago and now we still dont get a reply.

Currently our company cant deliver some products because of this issue we cant generate documantations for the product.

Please force the technican again to reply to the case or call us. (That seems to have helped last time)

Hi NXKI 

I have informed the engineer to respond to the case as soon as possible.

This was not the solution. Case is still open. 

To keep this post up-to-date:

The case was finally solved today together with the Sophos Support (28.05.2020).

I will write shortly how I fixed it because I hate it, when I search for a problem and found a forum-post but with no solution.

Solution and way:

I checked the HitmanPro.Alert-Event Log on our File-Server. In the Event Logs I could at least see what the "detected IP" tries to access.

Very soon we detected that its a folder where a documentation Programm saves all his files for translating documents.

With the folder we could find out the program on the "detected IP" clients.

Now you need to go to Global Settings in Sophos Central => Global Exclusions => "Add Exclusion" => Exploit Mitigation => click on "Application not listed?" => Type in the complete path of the *.exe you want to exclude => turn off "Protect Application" below an click on "Add".

Its to bad that Sophos Central don't give clear reports and logs in this case like the "Threat Analyses Center". It tooks a complete month together with the Sophos Support + more than 10GB of Logs for the Support to find out what "CryptoGuard detected IP that tries to encrypt network share" means and which program is the reason and how we can whitelist it. Also the Knowledgebase articles are very useless in this case.

Hi NXKI 

Thank you for writing up the fine note which will help other users as well in the future.

I understand your concern regarding the time of resolution, Sorry for that inconvenience but glad that issue was finally got resolved.