Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 10 subscribers
  • Views 11281 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Where to find removed files?

IT Services26

HI,

Intercept X has removed a file. I whant to send it to Sophos Labs for analyzing. Where can I find it ? I do not whant to release it to get hold of it ;-) 



This thread was automatically locked due to age.

Top Replies

  • +1 suggested

    Hi,

    When an item is detected, a Sophos internal utility called Sophos Clean is used to cleanup the item. Customers using Sophos Central have the ability to restore files after they have been cleaned up. This feature is designed to allow the restoration of files and their associated permissions, registry keys e.t.c. after they have been incorrectly detected as malware and removed. BUT not all detected files will have an option to be restored, it is predominantly Portable Executable (PE) files that can be restored, this includes for example .exe.dll and .sys files, whereas documents and scripts like .doc.xls and .js aren't able to be restored.

    To restore a file after a detection, please do the following:

    1. Log in to Sophos Central.
    2. Locate the device where the detection occurred on.
    3. Select the Events tab.
    4. Locate the detection event (needs to be where it was detected, not the cleanup event).
    5. If there is a Details option on the right-hand side it means the file can be restored.

    6. After selecting the Details option you will then be presented with the Event details screen. This gives you information about the detection, the file, and its location. You will also be given the SHA-256 hash. This can be useful if you want to submit it to VirusTotal or contact Sophos Support with questions about this file. If the file is digitally signed you will also be given the certificate details.
    7. You have the following options to allow the detected file:
       
      • SHA-256: This will restore this file and any components that were cleaned up as part of this detection. 
      • Path: This will restore any files that have been detected and cleaned up in that location.
      • Certificate: This will restore all files signed with the same digital signature that has been detected and cleaned up.
       
    8. After allowing an application you will see a confirmation message with a link to the Allowed Applications section, you can use this section to review and revoke any previously allowed applications.

    Please give feedback if this helped you out!

    Best Regards

    Jump to answer
Parents
  • 0

    Hi,

    Are you wanted it analyzed because you think it is a false positive detection?

    The reason I ask, is you shouldn't restore a file unless you are confident it isn't malicious. When you restore it, it is basically whitelisted for your environment. 

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to RichardP

    No, that's why I asked. I don't want to restore it to the default location. I was just thinking if there is maybe a quarantine folder where all those files are kept. The file that we are talking about is a inf file and I am wondering what is in that file. I need to examine it because the fle name indicates it is indeed malicious. The name is "fuckgothin.inf". Google search led me to believe it is pulling stuff from an IP address. 

  • 0 in reply to IT Services26

    Quarantined items are moved from SophosClean to the SafeStore which houses the unwanted/suspect data in an encrypted format. Files only can be restored/decrypted to their default location.

    There are two SafeStore quarantine folders:

    • Program Data\Sophos\SafeStore
    • Program Data\Sophos\Sophos Anti-Virus\SafeStore

    If you have Intercept X with EDR, you can do analysis also directly via Central. Maybe you just start a trial version if possible.

    Intrusus
    Sophos Certified Engineer | Sophos Certified Technician

    private lab:
    XG firewall with SFOS 18.0.3 MR-3
    Intercept X Advanced (for Server) with EDR EAP latest
    If a post solves your question use the 'Verify Answer' link

  • 0 in reply to IT Services26

    Intrusus is correct - the Safestore will have the file in an encrypted format - if it is under 75 MB - files larger than that are deleted instead of stored. 

    In this case, because it was blocked and cleaned - I would highly discourage restoring it. 

    You won't be able to read the file inside the safestore (because of the encryption) and we do that to prevent it from ever executing or being used by other elements on the system.

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

Reply
  • 0 in reply to IT Services26

    Intrusus is correct - the Safestore will have the file in an encrypted format - if it is under 75 MB - files larger than that are deleted instead of stored. 

    In this case, because it was blocked and cleaned - I would highly discourage restoring it. 

    You won't be able to read the file inside the safestore (because of the encryption) and we do that to prevent it from ever executing or being used by other elements on the system.

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

Children
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner