
Weakness in EDR Tools

Hi Sophos Community,

I have read an article and am wondering whether Sophos EDR is affected by the hooking technique used by attackers, or whether there has been a patch or update for it?

Here is the article: https://beta.darkreading.com/vulnerabilities-threats/weakness-in-edr-tools-lets-attackers-push-malware-past-them

Thanks



  • I'm trying to look into this a bit. A few initial impressions:

    • It looks like malicious code would first have to run on your machine to exploit this; Intercept X has a lot of protections against that happening.
    • Intercept X, particularly the anti-exploit technology that came from the HitmanPro.Alert product, has some protections in place to protect against its own service being bypassed in this way; not sure whether/how it could apply to EDR.
    • I think some parts of our EDR make use of Windows Event Tracing, which Optiv specifically calls out as not being subject to this attack vector.

    If I learn anything more, I'll update here. Meanwhile, I wouldn't lose sleep over this. It's difficult to take advantage of, it wouldn't circumvent our core protections, and we're always looking to further harden our products against potential attack vectors.

  • As it turns out, we don't use user-mode application hooking for EDR.

  • I'm not sure why it's EDR focused - seems more general than EDR.

  • It is, but it's especially concerning for EDR, because EDR is supposed to provide a reliable log of what happened on an endpoint. If it can be tampered with, the log is no longer reliable, which means you could have gaps in detection or inaccurate information for an investigation.
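To make the concern in this thread concrete, here is an added example (it is not code from Sophos, Optiv or the linked article, and the function names, byte pattern and counters are this example's own construction). On Linux x86-64 a toy "sensor" inline-hooks a function by overwriting its first 12 bytes with `mov rax, detour; jmp rax`, the same shape as the user-mode hooks an EDR agent places on ntdll exports. Code already running in the same process then compares the live prologue with a clean copy (on Windows that copy would be read from the DLL image on disk; here it is captured before the hook is installed, which is an assumption made for the demo) and writes the original bytes back. After that the sensor's event count stays at zero while the function keeps working, which is exactly the "gap in the log" the last reply describes. Telemetry produced outside the monitored process, such as ETW or a kernel driver, is not reachable by this write.

```c
/* Added example: in-process unhooking of a user-mode inline hook (Linux x86-64). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if !defined(__x86_64__)
#error "this example patches x86-64 machine code"
#endif

#define HOOK_LEN 12  /* 48 B8 <imm64> (mov rax, imm) + FF E0 (jmp rax) */

typedef uint64_t (*op_fn)(const uint8_t *, size_t);

/* The operation the sensor wants to observe: FNV-1a over a buffer.  A loop,
 * so the function is longer than HOOK_LEN at every optimisation level. */
__attribute__((noinline)) static uint64_t sensitive_op(const uint8_t *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Make the code page(s) covering [addr, addr+len) writable. x86 keeps the
 * instruction cache coherent with self-modifying code, so no flush is needed. */
static int make_writable(void *addr, size_t len)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end = ((uintptr_t)addr + len + page - 1) & ~(page - 1);
    return mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC);
}

static uint8_t saved_prologue[HOOK_LEN];  /* sensor's copy of what it overwrote */
static int sensor_events;                 /* what the sensor "logged" */

static int install_hook(void *target, void *detour)
{
    uint8_t patch[HOOK_LEN] = { 0x48, 0xB8 };       /* mov rax, imm64 */
    uint64_t dst = (uint64_t)(uintptr_t)detour;
    memcpy(patch + 2, &dst, sizeof dst);
    patch[10] = 0xFF; patch[11] = 0xE0;             /* jmp rax */
    if (make_writable(target, HOOK_LEN) != 0) { perror("mprotect"); return -1; }
    memcpy(saved_prologue, target, HOOK_LEN);
    memcpy(target, patch, HOOK_LEN);
    return 0;
}

static void remove_hook(void *target) { memcpy(target, saved_prologue, HOOK_LEN); }

/* Sensor detour: count the call, then run the real function by briefly
 * restoring it (a trampoline-free shortcut that is good enough for a demo). */
static uint64_t sensor_detour(const uint8_t *p, size_t n)
{
    sensor_events++;
    remove_hook((void *)sensitive_op);
    uint64_t h = sensitive_op(p, n);
    install_hook((void *)sensitive_op, (void *)sensor_detour);
    return h;
}

/* Attacker side: diff the live prologue against a clean copy and put the
 * original bytes back.  Returns 0 = untouched, 1 = patched, 2 = jmp-style patch. */
static int attacker_unhook(void *target, const uint8_t *clean)
{
    const uint8_t *live = target;
    if (memcmp(live, clean, HOOK_LEN) == 0) return 0;
    int jmp_style = live[0] == 0x48 && live[1] == 0xB8 && live[10] == 0xFF && live[11] == 0xE0;
    if (make_writable(target, HOOK_LEN) != 0) { perror("mprotect"); return -1; }
    memcpy(target, clean, HOOK_LEN);
    return jmp_style ? 2 : 1;
}

typedef struct {
    uint64_t hash_hooked, hash_after_unhook;  /* function results: must be equal */
    int events_while_hooked;                  /* sensor saw these */
    int hook_found;                           /* attacker's verdict (see above) */
    int events_after_unhook;                  /* sensor saw these: zero once unhooked */
} demo_result;

demo_result run_demo(void)
{
    static const uint8_t sample[] = "constructed input, not real telemetry"; /* constructed */
    size_t len = sizeof sample - 1;
    uint8_t clean[HOOK_LEN];
    demo_result r = {0};
    volatile op_fn call = sensitive_op;   /* volatile: every call goes through the real address */

    memcpy(clean, (void *)sensitive_op, HOOK_LEN);   /* stand-in for the on-disk image */
    sensor_events = 0;
    if (install_hook((void *)sensitive_op, (void *)sensor_detour) != 0) return r;
    r.hash_hooked = call(sample, len);
    call(sample, len);
    r.events_while_hooked = sensor_events;

    r.hook_found = attacker_unhook((void *)sensitive_op, clean);
    sensor_events = 0;
    r.hash_after_unhook = call(sample, len);
    r.events_after_unhook = sensor_events;
    return r;
}

int main(void)
{
    demo_result r = run_demo();
    printf("hooked: %d events, hash %016llx\n", r.events_while_hooked, (unsigned long long)r.hash_hooked);
    printf("attacker verdict %d; after unhook: %d events, hash %016llx\n", r.hook_found,
           r.events_after_unhook, (unsigned long long)r.hash_after_unhook);
    return 0;
}
```

The point of the demo is the last line of output: the function still returns the same hash, so nothing the attacker cares about is broken, but the sensor's counter no longer moves. Any sensor that relies on bytes it placed inside the monitored process can be undone by that process with one `mprotect` and one `memcpy`; the robust fix is telemetry the process cannot write to (ETW from the kernel, a filter driver, or kernel callbacks), which is why the ETW point earlier in the thread matters.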