Advice Request: Intercept X

  • Thread starter: ForgottenSeer 69673


Status
Not open for further replies.

ForgottenSeer 69673

Thread author
OK, I just installed Intercept X from Sophos and the first thing it did was find all the files quarantined by Cylance. Funny thing is they were all on my C drive in the ProgramData folder, and so I am guessing that if you have Cylance installed on a VM and your host, the portal somehow also stores the quarantined files on the host? There were 99 to be exact. I think that a bit odd. I also got an e-mail saying there was an outbreak on my network lol. I have not looked over the portal all that much yet. And so even though those files were from testmyav, even this detects them as malware/PUPs.
 
509322

OK, I just installed Intercept X from Sophos and the first thing it did was find all the files quarantined by Cylance. Funny thing is they were all on my C drive in the ProgramData folder, and so I am guessing that if you have Cylance installed on a VM and your host, the portal somehow also stores the quarantined files on the host? There were 99 to be exact. I think that a bit odd. I also got an e-mail saying there was an outbreak on my network lol. I have not looked over the portal all that much yet. And so even though those files were from testmyav, even this detects them as malware/PUPs.

If you copy-pasted the malicious files in the VM, then the files get saved to the host by VMware. VMware writes them to ProgramData if I recall correctly.

The Cylance portal is not writing malicious files from your VM Guest to the Host system.
 

Libera Milanesi
I think Cylance could prevent this from happening if they were to encrypt the quarantined files. It would be a handy improvement for them, but I do not think they would add this even if it was requested... they are probably focusing on other things right now.
 

ForgottenSeer 69673

Thread author
If you copy-pasted the malicious files in the VM, then the files get saved to the host by VMware. VMware writes them to ProgramData if I recall correctly.

The Cylance portal is not writing malicious files from your VM Guest to the Host system.

I use VirtualBox. Not sure VMware works. No copy and paste. Files were downloaded directly to the Downloads folder in the guest.
Before installing Intercept, Cylance had quarantined them. I then disabled Cylance and installed Intercept. Intercept began quarantining the files Cylance had already quarantined. I watched as Intercept was doing each one and the path was C:\ProgramData\etc. As I said, I didn't see how they could get there. I never copied any of the test files to my host.
 
509322

I use VirtualBox. Not sure VMware works. No copy and paste. Files were downloaded directly to the Downloads folder in the guest.
Before installing Intercept, Cylance had quarantined them. I then disabled Cylance and installed Intercept. Intercept began quarantining the files Cylance had already quarantined. I watched as Intercept was doing each one and the path was C:\ProgramData\etc. As I said, I didn't see how they could get there. I never copied any of the test files to my host.

There are reports that Cylance auto-move to quarantine does not function properly. You cannot go by what is listed in Cylance's quarantine list; you have to inspect the original and quarantine locations on the system. Did you check that the files were actually removed by Cylance quarantine?
 

ForgottenSeer 69673

Thread author
There are reports that Cylance auto-move to quarantine does not function properly. You cannot go by what is listed in Cylance's quarantine list; you have to inspect the original and quarantine locations on the system. Did you check that the files were actually removed by Cylance quarantine?
Yes, then removed from Cylance quarantine by Intercept.
 

ForgottenSeer 58943

Is this related to what I reported, that secondary scans will often detect files quarantined or under qualification by Cylance as malware? Those files, before/during qualification, are flagged as hidden/locked. But often other products pick them up as active malware when in fact they are harmless files.

Or is this something different?
 

ForgottenSeer 69673

Thread author
Is this related to what I reported, that secondary scans will often detect files quarantined or under qualification by Cylance as malware? Those files, before/during qualification, are flagged as hidden/locked. But often other products pick them up as active malware when in fact they are harmless files.

Or is this something different?

You are right about the secondary scan picking up already quarantined files. The problem was user error on my part. I thought Intercept was picking those off from my host because it showed the ProgramData folder, and then a bell went off in my last grey-matter brain cell: I had not enabled hidden files on my VM, and of course ProgramData is a hidden folder. So after enabling hidden folders, sure enough, the two files that were left were in there.
 
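Two points in the posts above lend themselves to a concrete check: that you cannot trust a product's quarantine list and have to look at the original and quarantine locations yourself, and that ProgramData is hidden, so a plain Explorer view will not show what landed there. The script below is an added example, not code from the thread or from Cylance or Sophos. It assumes two things: the list of paths the product claims to have quarantined (constructed sample paths here) and the directory you believe the product stores quarantined files in (the vendor's quarantine path is product-specific and is an assumption, not something the thread establishes).

```powershell
# Added example (not from the thread or any vendor): confirm that files an AV
# product reports as quarantined have actually left their original location,
# and list what appeared under the suspected quarantine root, hidden items
# included.
param(
    # Constructed sample paths standing in for the product's quarantine list.
    [string[]]$Originals = @(
        "$env:USERPROFILE\Downloads\sample1.exe",
        "$env:USERPROFILE\Downloads\sample2.exe"
    ),
    # Assumed quarantine root; set this to the vendor-documented location.
    [string]$QuarantineRoot = "C:\ProgramData"
)

function Test-QuarantineRemoval {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        # Test-Path sees hidden/system files; Get-Item needs -Force for them.
        if (Test-Path -LiteralPath $path) {
            $item   = Get-Item -LiteralPath $path -Force
            $hidden = ($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
            $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            "STILL PRESENT  {0}  hidden={1}  size={2}  sha256={3}" -f $path, $hidden, $item.Length, $hash
        } else {
            "removed        {0}" -f $path
        }
    }
}

function Get-RecentQuarantineEntries {
    param([string]$Root, [int]$Count = 20)
    # -Force includes hidden and system entries, which is exactly what an
    # Explorer window without "show hidden items" would miss.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First $Count FullName, Length, LastWriteTime, Attributes
}

Test-QuarantineRemoval -Paths $Originals
Get-RecentQuarantineEntries -Root $QuarantineRoot | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt, since ProgramData subdirectories owned by a security product are usually ACL-restricted. If a quarantined copy is stored unencrypted, its SHA256 will match the original's and a second scanner will flag it; if the vendor encodes quarantined files, the hashes will not match and the second scanner should stay quiet, which is the distinction the thread is circling.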

ForgottenSeer 69673

Thread author
I was looking over the web portal a bit more. I have not read any user guide as of yet, but did notice they incorporated the HitmanPro.Alert service. See screenshot.
[Screenshot: ScreenHunter_114 Aug. 20 15.01.jpg]
 
cruelsister
It is important to note that Intercept X is not intended as a standalone desktop product for home users. Just like Symantec Endpoint (which is horrible in the unmanaged setup, but not so as a centrally managed application), Intercept will lose quite a bit if installed in a vacuum. So if you see any testing done on it, keep this in mind.

But some fun facts:
1). Intercept will turn on UAC on install (assuming the user has it off); not that this is an issue, but it does show how simply the UAC settings can be changed without user input. This is still better than Trend Micro, which will actually LOWER the UAC setting to what they think is proper.
2). Intercept certainly will install a bunch of stuff: all the services listed in Post 12 above (I actually counted 16), and about 20 actively running files.
3). Make sure you have an admin password set up before installation; you will need it to shut off Tamper Protection for an uninstall.
4). Just one thing specific to the Intercept X detection routine: it will, like Cylance, arbitrarily mark packed files as malware.
 
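Point 1 above, that an endpoint installer can flip UAC settings without asking, is easy to verify rather than take on trust. The script below is an added example, not code from the thread or from any vendor: it snapshots the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System before an install and diffs them afterwards. The snapshot file path under $env:TEMP is an assumption; the registry key and value names are the standard Windows ones.

```powershell
# Added example (not from the thread or any vendor): record the UAC policy
# values before installing an endpoint product and report what changed after.
$UacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacValues = 'EnableLUA',                    # 0 = UAC off entirely
             'ConsentPromptBehaviorAdmin',   # 0 = elevate silently ... 5 = prompt for non-Windows binaries (default)
             'ConsentPromptBehaviorUser',
             'PromptOnSecureDesktop'         # 0 = prompts on the normal desktop (spoofable)

function Get-UacSnapshot {
    $props = Get-ItemProperty -Path $UacKey
    $snap  = @{}
    foreach ($name in $UacValues) {
        # A missing value means "Windows default", so record $null rather than 0.
        $snap[$name] = if ($null -ne $props.$name) { [int]$props.$name } else { $null }
    }
    return $snap
}

function Compare-UacSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $changes = @()
    foreach ($name in $UacValues) {
        if ($Before[$name] -ne $After[$name]) {
            $changes += "{0}: {1} -> {2}" -f $name, $Before[$name], $After[$name]
        }
    }
    if ($changes.Count -eq 0) { return "No UAC policy values changed." }
    return $changes
}

# Assumed scratch location; Export/Import-Clixml round-trips the hashtable
# across the reboot an endpoint installer may require.
$SnapshotFile = Join-Path $env:TEMP 'uac-before.xml'

if (-not (Test-Path -LiteralPath $SnapshotFile)) {
    # First run, before the install.
    Get-UacSnapshot | Export-Clixml -Path $SnapshotFile
    "Saved pre-install UAC snapshot to $SnapshotFile. Install the product, then run this script again."
} else {
    # Second run, after the install.
    $before = Import-Clixml -Path $SnapshotFile
    Compare-UacSnapshot -Before $before -After (Get-UacSnapshot)
}
```

The same two-run pattern works for any installer you want to audit for silent policy changes; swap the key and value list for the setting you care about. Reading these values needs no elevation, so the check can run from a normal user prompt on either side of the install.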

ForgottenSeer 69673

Thread author
3). Make sure you have an admin password set up before installation; you will need it to shut off Tamper Protection for an uninstall.
Oops. I should have watched the video first.
 

cruelsister
As long as your firm has some other endpoint protection to cover network connections, Intercept X is indeed fine, but only to augment an already preexisting security setup; it is NOT a stand-alone. And hope that IT monitors and understands firewall alerts.
 