
Weakness in EDR Tools

Hi Sophos Community,

I have read an article and am wondering: is Sophos EDR affected by the hooking technique used by attackers, or has there been a patch or update for it?

Here is the article: https://beta.darkreading.com/vulnerabilities-threats/weakness-in-edr-tools-lets-attackers-push-malware-past-them

Thanks



  • I'm trying to look into this a bit. A few initial impressions:

    • It looks like malicious code would first have to run on your machine to exploit this; Intercept X has a lot of protections against that happening.
    • Intercept X, particularly the anti-exploit technology that came from the HitmanPro.Alert product, has some protections in place to protect against its own service being bypassed in this way; not sure whether/how it could apply to EDR.
    • I think some parts of our EDR make use of Windows Event Tracing, which Optiv specifically calls out as not being subject to this attack vector.

    If I learn anything more, I'll update here. Meanwhile, I wouldn't lose sleep over this. It's difficult to take advantage of, it wouldn't circumvent our core protections, and we're always looking to further harden our products against potential attack vectors.
