Why did Sophos Endpoint detect ABBYY FineReader as ransomware?

I installed ABBYY FineReader 3 weeks ago, as I found it is a legitimate program. However, to my surprise, Sophos detected it as ransomware. Is it a false alert?

  • Hi,

    Can you paste the full description from the Application event log entry (event ID 911)?

    Regards,

    Jak

  • Hi Jak,

    Thanks for responding. Attached is the info required.

    5100.event log.txt


  • Hi,

    Please try excluding this application in Sophos Central Admin by navigating to Global Settings > Global Scanning Exclusions > Add Exclusions > Detected Exploits (Windows) and selecting the CryptoGuard detection. This should exclude the application from being detected as ransomware.

    You can also submit the file to SophosLabs for re-evaluation. Please refer to the article Sophos Anti-Virus: "false positives" and "unwanted detections" and look for the topic "Submitting suspicious files, unwanted detections, and false positives" (the last topic in the article).

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support

  • I think it's just the nature of what this application (PDF Transformer?) [https://www.abbyy.com/support/pdftransformer/40/sr/] is doing when, perhaps, bulk processing the files. Clearly PDF is a file type of interest with regard to CryptoGuard.

    I guess the conversion process, especially when running in bulk, looks at a file level a little bit like ransomware: opening files, changing them, maybe overwriting, renaming or securely deleting them. I think making an exclusion for this is the best course of action. You could submit a Support ticket with steps to reproduce; maybe they can tweak the logic, but this is probably why exclusions/authorizations exist.
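To illustrate the last reply's point about why bulk conversion looks like ransomware at the file level, here is an added toy example (not Sophos code, and not how CryptoGuard is actually implemented): a minimal heuristic that flags any process rewriting several documents with high-entropy content, run over constructed file-write events, together with a model of the per-application exclusion recommended above. Process names, paths and thresholds are hypothetical.

```python
from collections import defaultdict
from math import log2
import random


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8). Encrypted and compressed output sit near 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts.values())


def _opaque(seed: int, size: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext or a Flate-compressed PDF stream (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed file-write events: (process name, path, bytes written). Names are hypothetical.
EVENTS = [
    ("FineReader.exe", r"C:\Docs\scan1.pdf", _opaque(1)),   # bulk PDF conversion, in place
    ("FineReader.exe", r"C:\Docs\scan2.pdf", _opaque(2)),
    ("FineReader.exe", r"C:\Docs\scan3.pdf", _opaque(3)),
    ("FineReader.exe", r"C:\Docs\scan4.pdf", _opaque(4)),
    ("notepad.exe", r"C:\Docs\notes.txt", b"meeting notes, action items\n" * 100),
    ("encryptor.exe", r"C:\Docs\a.docx.locked", _opaque(5)),  # ransomware-like rewrite
    ("encryptor.exe", r"C:\Docs\b.xlsx.locked", _opaque(6)),
    ("encryptor.exe", r"C:\Docs\c.pdf.locked", _opaque(7)),
]


def score_processes(events, min_files=3, entropy_threshold=7.0):
    """Flag a process that rewrites at least min_files documents with high-entropy content.
    This is the file-level behaviour a ransomware heuristic keys on; a converter that
    compresses output and writes it back in bulk matches it just as well."""
    per_proc = defaultdict(list)
    for proc, path, data in events:
        per_proc[proc].append((path, entropy(data)))
    return {proc: [p for p, e in writes if e >= entropy_threshold]
            for proc, writes in per_proc.items()
            if sum(e >= entropy_threshold for _, e in writes) >= min_files}


def apply_exclusions(flagged, excluded):
    """Model of the per-application exclusion from the thread: suppress detections only
    for processes an administrator has explicitly authorised, leaving the rest intact."""
    return {proc: paths for proc, paths in flagged.items() if proc not in excluded}


if __name__ == "__main__":
    raw = score_processes(EVENTS)
    print("flagged:", sorted(raw))
    print("after exclusion:", sorted(apply_exclusions(raw, {"FineReader.exe"})))
```

Note that the exclusion removes the converter's detection but leaves the encryptor flagged, which is why a narrow per-application exclusion is preferable to lowering the heuristic's sensitivity.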