Applies to: Sophos Home Premium (Mac) only
Sophos Home displays a pop-up alert saying that ransomware has been detected.
The terminated application is blocked until the user allows it to run, or the detection for this program is removed.
Cause
Sophos Home Premium's CryptoGuard component detects and blocks suspicious encryption processes that exhibit ransomware-like behavior. If files have been encrypted and at least 3 GB is available on the computer's hard drive, Sophos Home stops the process and decrypts the files. If that space is not available, the process is still stopped, but the files are not decrypted.
For more details on how this feature protects you, see: Information and prevention of ransomware
Solution
- Click on the File Encryption Blocked alert to show the event details.
- Click the directory path shown in the details. This opens the file location.
- Do either of the following with the detected application:
  - If the detected file or application is a false positive, or you believe that it was incorrectly detected as ransomware, click View Dashboard. This takes you to the Sophos Home dashboard login, where you can add the trusted application to your exceptions list. Once it is added, the program no longer triggers this detection.
  - Permanently delete the malicious file or program. To do this, click the detected file or folder, then press Option + Command + Delete (or right-click > Move to Trash, then empty the Trash).
- Contact Sophos Home Support if you need assistance with these steps.
- Perform a full system scan right after deleting the threat, to ensure the computer is clean.
Note: CryptoGuard requires 3GB of available hard drive space to perform its file recovery function.