How to restore a file detected and deleted by Sophos Endpoint using Sophos Safestore

1.The purpose of the article

In this article, techbast will guide you how to recover a file detected and deleted by Sophos Endpoint.

2.Preparation steps

Techbast has prepared a server running Windows Server called adserver with Sophos Endpoint installed.

Prepare an application folder named SysinternalSuite that has been compressed with 7zip.

You can download the file SysinternalSuite here.

3. Configuration

On the adserver we will extract the SysinternalSuite zip file.

After extracting Sophos Endpoint will detect and identify 2 files pskill.exe and pskill64.exe as PUA.

Sophos Endpoint will delete these 2 files.

In the SysinternalSuite folder on the adserver, there are no longer 2 files pskill.exe and pskill64.exe.

In this tutorial techbast will show you how to restored the pskill.exe file that was deleted by Sophos Endpoint.

To restore login to Sophos Central with an admin account.

Go to Device > Servers > click on the adserver name.

Switch to the Event tab, at the line PUA detected: ‘Pskill’ at … click Details.

The Event Details panel will appear, we will choose the following:

  • Allow by: we can choose SHA256, Certificate: Microsoft Coporation or Path, here thegioifirewall will choose SHA 256 ( SHA-256 allows this version of the application. However, if the application is updated, it could be detected again. Using Certificate would also allow other applications with the same certificate.).
  • To help Sophos improve … : You can choose an available comment in the list.
  • Click Allow.

A success message will appear, and Sophos will also make an exception for this file for the adserver.

When an exception is generated, Sophos will no longer scan this file on the adserver when it occurs.

To see the Allowed Applications exception.

An exception for the pskill.exe file has been created.

The restored of this file is logged by Sophos Safestore.

To view the log, press Alt + R and enter the path %ProgramData%\Sophos\SafeStore\Logs and press Enter on the adserver.

Open the file safestore.log.

The line Savefile: C:\Users\Administrator…\pskill.exe is the line showing where the pskill.exe file was initially saved on the adserver.

The line Restored: C:\Users\Administrators…\pskill.exe is the line showing Sophos Safestore restored the pskill file and SysinternalSuite folder on the adserver.

To check if the pskill.exe file has been restored, we go back to the SysinternalSuite folder on the adserver.

We will see that the pskill.exe file has appeared in the folder.

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.