In a recent analysis of a ransomware attack in which BitLocker was used to encrypt the disk, I found that the company was using Sophos.
In the folder C:577-Sophos\AutoUpdate\data\warehouse I found some files that contain executable code and activate BitLocker, using commands like the following for drives F: to Z:
manage-bde -on F: -rp 599368-358941-467368-368093-397672-261921-132506-522577 -sk C:\ -s
I’m not really into Sophos management and administration, but I read that the warehouse folder can be used as a cache for update installations.
Are these files false positives? Or could malicious actors use Sophos to spread malicious commands?
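A defender-side check for the pattern described in the post, added here as an example and not part of the original question: it scans process-creation-style records (image path plus command line) for manage-bde turning BitLocker on, and pulls out the drive letter, the recovery password and the startup-key path, because `-rp` places the recovery password on the command line where command-line auditing captures it. The sample records and their image paths are constructed, not real telemetry.

```python
import re

# manage-bde -on <drive>: turns BitLocker on for that volume. A BitLocker
# recovery password is 48 digits written as eight 6-digit groups, which is
# exactly what the -rp / -RecoveryPassword argument in the question carries.
MANAGE_BDE_ON = re.compile(r'manage-bde(?:\.exe)?\s+-on\s+([A-Za-z]):', re.IGNORECASE)
RECOVERY_PW = re.compile(r'-(?:rp|recoverypassword)\s+(\d{6}(?:-\d{6}){7})', re.IGNORECASE)
STARTUP_KEY = re.compile(r'-(?:sk|startupkey)\s+(\S+)', re.IGNORECASE)


def parse_event(command_line):
    """Return drive/recovery details if the command line enables BitLocker, else None."""
    on = MANAGE_BDE_ON.search(command_line)
    if not on:
        return None
    rp = RECOVERY_PW.search(command_line)
    sk = STARTUP_KEY.search(command_line)
    return {
        "drive": on.group(1).upper(),
        "recovery_password": rp.group(1) if rp else None,  # the key needed to unlock later
        "startup_key_path": sk.group(1) if sk else None,
    }


def scan(events):
    """Scan (image, command_line) pairs and keep the launching image for triage."""
    hits = []
    for image, command_line in events:
        details = parse_event(command_line)
        if details:
            details["image"] = image
            hits.append(details)
    return hits


# Constructed sample records in the style of process-creation telemetry
# (Windows 4688 with command-line auditing, or Sysmon Event ID 1).
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe",
     "manage-bde -on F: -rp 599368-358941-467368-368093-397672-261921-132506-522577 -sk C:\\ -s"),
    ("C:\\Windows\\System32\\cmd.exe",
     "manage-bde -on G: -rp 599368-358941-467368-368093-397672-261921-132506-522577 -sk C:\\ -s"),
    ("C:\\Windows\\System32\\cmd.exe", "manage-bde -status"),   # benign status query, not flagged
    ("C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['drive']}: enabled by {hit['image']}; recovery password {hit['recovery_password']}")
```

If command-line auditing was on when the encryption ran, the recovery password recovered this way can be used with manage-bde -unlock during incident response.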