OK, I just installed intercept X from Sophos and the first thing it did was find all the files quarantined by Cylance. Funny thing is they were all on my C drive in the program data folder and so I am guessing that if you have Cylance installed on a VM and your host, the portal somehow also stores the quarantined files on the host? there were 99 to be exact. I think that a bit odd. I also got an e-mail saying there was an outbreak on my network lol. I have not looked over the portal all that much yet. And so Even though those files were from testmyav, even this detects them as malware/PUP's
Please provide comments and solutions that are helpful to the author of this topic.
- Status
- Aug 17, 2017
- 1,609
If you copy-pasted the mlaicious files in the VM, then the files get saved to the host by VMWare. VMWare writes them to ProgramData if I recall correctly.
The Cylance portal is not writing malicious files from your VM Guest to the Host system.
I think Cylance could prevent this from happening if they were to encrypt the quarantined files. It would be a handy improvement for them but I do not think they would add this even if it was requested... they are probably focusing on other things right now.
I use Virtual Box. Not sure VMware works. No copy and past. Files were downloaded directly to the downloads folder in the guest.
before installing Intercept, Cylance had quarantined them. I then disabled Cylance and installed Intercept. Intercept begin quarantining the files Cylance had already quarantined. I watched as Intercept was doing each one and the path was to C:/programdata/etc AS I said I didn't see how they could get there. those. I never copied any of the test files to my host.
There are reports that Cylance auto-move to quarantine does not function properly. You cannot go by what is listed in Cylance's quarantine list; you have to inspect the original and quarantine locations on the system. Did you check that the files were actually removed by Cylance quarantine ?
Well, then I don't know what happened. But I do know that the Cylance console is not writing malicious files to your system.
Yes, it is a head-scratcher indeed.I am going to poke around the cylance and intercept portal to see if anything shows up.
Is this related to what I reported that secondary scans will often detect files quaratined or under qualification by Cylance as malware? Those files, before/during qualification are flagged as hidden/locked. But often other products pick them up as active malware when in fact they are harmless files.
Or is this something different?
Or is this something different?
You are right about the secondary scan picking up already quarantined files. The problem was user error on my part. I thought Intercept was picking those off from my host because it showed program data folder and then a bell went off on my last grey matter brain cell. I had not enabled hidden files on my VM and of course program data is a hidden folder. So after enabling hidden folders, sure enough, the two files that were left were in there.
I was looking over the web portal a bit more. I have not read any user guide as of yet but did notice they incorporated HitmanPro Alert service. see screenshot
.
Ok, I talked with online chat support about a user guide and manual for Intercept. They provided a good video and PDF. It almost looks like you are supposed to set up the software before hitting down install file. I don't know. Anyone wanting to try their 30-day trial should take a look at these two sites. this might be a bit over my head.
https://docs.sophos.com/sophos-cloud/customer-dashboard/help/en-us/PDF/scloud_30_heng.pdf
https://docs.sophos.com/sophos-cloud/customer-dashboard/help/en-us/PDF/scloud_30_heng.pdf
That is usually how corporate product works, you setup the policy via the admin console and then create a pre-configured installer that you install on the chosen systems.
- Apr 13, 2013
- 3,224
It is important to note that Intercept X is not intended as a Standalone Desktop product for home users. Just like Symantec Endpoint (which is horrible in the Unmanaged setup, but not so as a centrally managed application), Intercept will lose quite a bit if installed in a vacuum. So if you see any testing done on it, keep this in mind.
But some fun facts:
1). Intercept will turn on (assuming the user has it off) UAC on install; not that this is an issue, but it does show how simply the UAC settings can be changed without user input. This is still better than Trend Micro, which will actually LOWER the UAC setting to what they think is proper.
2). Intercept certainly will install a bunch of stuff- all the services listed in Post 12 above (I actually counted 16), and about 20 actively running files.
3). Make sure you have an Admin Password setup up before installation- you will need it to shut off Tamper Protection for an uninstall.
4). Just one thing specific to Intercept X detection routine- it will, like Cylance, arbitrarily mark packed files as malware.
But some fun facts:
1). Intercept will turn on (assuming the user has it off) UAC on install; not that this is an issue, but it does show how simply the UAC settings can be changed without user input. This is still better than Trend Micro, which will actually LOWER the UAC setting to what they think is proper.
2). Intercept certainly will install a bunch of stuff- all the services listed in Post 12 above (I actually counted 16), and about 20 actively running files.
3). Make sure you have an Admin Password setup up before installation- you will need it to shut off Tamper Protection for an uninstall.
4). Just one thing specific to Intercept X detection routine- it will, like Cylance, arbitrarily mark packed files as malware.
Last edited:
- Apr 13, 2013
- 3,224
As long as your firm has some other Endpoint protection to cover Network connections, Intercept X is indeed fine- but only to augment an already preexisting Security setup- it is NOT a stand-alone. And hope that IT monitors and understands Firewall alerts.
- Status
Similar threads
