
Sophos Home Misses a Simulation

I ran a simulation from Barkly which is their Stackhackr test tool. I used the payload where it simulates stealing personal info like credentials from active LSASS processes. Sophos Home missed the file and the behaviour components missed the simulated active process. This may need some further investigation since this looks like a serious vulnerability.


Here is the exact test file: *Malicious content Removed*



  • Hi Enrick Ordono,

    ** I have edited your post to remove the downloadable link for the malware sample file.

    I checked the sample that you provided and I can assure you that it will be detected by Sophos Home as "Troj/MSIL-KAD". You can find the details in VirusTotal link result for the sample that you provided.

    Note: If you believe you have any malware samples that are not being detected, you can submit them to Sophos Labs or open a home ticket from your Sophos Home Dashboard.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Hey, I agree with the reason why you removed the link. I would just like to clarify that the file is not in any way malicious. It is only a harmless file that SIMULATES malicious attacks such as file-less ransomware or credential theft through LSASS processes. I have tested Sophos with the file-less ransomware vector, which Sophos correctly detects and blocks. Sophos did fail the credential theft scenario, and this is why I posted about it in the first place. Hope this clarifies anything.


  • Hi Enrick Ordono,

    I understand that the intention of the application is not to actually perform the malicious attack and instead just simulate it. But it's hard for the anti-virus to differentiate it, and hence it will be treated as malicious until we raise a false positive for the detection.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support


  • Hi Enrick,

    Thank you for sharing this information. We encourage people to test our products and give feedback. 

    I have checked this utility and would have to say that it's not a fair test to be honest. If the test is indeed passing, I would expect the developer to give some sort of proof that they were able to extract some/all the information in the LSASS memory space, but in this case there's only a test e-mail page. 

    I have thoroughly tested our Credential Theft Protection module around a case wherein I fired a series of attacks on LSASS remotely using Kali Linux and they all failed to give me something useful. 

    We even recently published a KBA - Sophos Intercept X: How to deal with CredGuard Detection

    I'm more than happy to check any other test that our product may be failing at! Feel free to PM me anytime. 

    Thanks,

    Vikas
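The thread argues about whether a product "caught" a simulated LSASS credential-theft step, which is hard to judge from the simulator's own pass/fail page. A defender can check the same thing independently from host telemetry: credential dumping has to open a handle to lsass.exe with memory-read rights, and Sysmon Event ID 10 (ProcessAccess) records exactly that. The example below is added here and is not code from the thread, from Sophos, or from the simulator's vendor; it assumes Sysmon's ProcessAccess field names (SourceImage, TargetImage, GrantedAccess), uses constructed sample events, and the allowlist of OS processes is an assumption you would tune to your own baseline.

```python
"""Flag process-access events that open lsass.exe with memory-read rights.

Sysmon Event ID 10 (ProcessAccess) logs one process opening a handle to
another.  Reading credential material out of LSASS needs PROCESS_VM_READ
on lsass.exe, so a handle to lsass.exe whose GrantedAccess mask includes
that bit is the event worth reviewing.  Sample lines below are constructed
for this example; the allowlist is an assumption, not a vendor list.
"""
import re
from typing import Dict, List

PROCESS_VM_READ = 0x0010            # right needed to read another process's memory
PROCESS_QUERY_INFORMATION = 0x0400  # usually requested alongside VM_READ

# Constructed sample events in "Key=Value" form, one event per line.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Users\\alice\\Downloads\\simulator.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410",
    "EventID=10 SourceImage=C:\\Program Files\\Editor\\editor.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\alice\\Downloads\\simulator.exe "
    "TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1410",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe",
]

# Assumed allowlist: OS components that open lsass.exe as part of normal operation.
# Build this from your own environment's baseline rather than trusting this list.
BENIGN_SOURCES = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
}

# Key=Value pairs; values may contain spaces (e.g. "Program Files"), so a value
# runs until the next " Key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one Key=Value log line into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def is_lsass_memory_read(event: Dict[str, str]) -> bool:
    """True when a ProcessAccess event grants memory-read rights on lsass.exe."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    try:
        mask = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False  # malformed mask: don't crash the pipeline on bad input
    return bool(mask & PROCESS_VM_READ)


def find_lsass_access(lines: List[str]) -> List[Dict[str, str]]:
    """Return the non-allowlisted processes that opened lsass.exe for reading."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if not is_lsass_memory_read(event):
            continue
        if event.get("SourceImage", "").lower() in BENIGN_SOURCES:
            continue
        findings.append({
            "source": event["SourceImage"],
            "access": event["GrantedAccess"],
        })
    return findings


if __name__ == "__main__":
    for hit in find_lsass_access(SAMPLE_EVENTS):
        print(f"review: {hit['source']} opened lsass.exe with {hit['access']}")
```

On the constructed sample the only hit is the simulator binary with GrantedAccess 0x1410 (PROCESS_VM_READ plus query rights); csrss.exe is dropped by the allowlist and the editor opening LSASS with 0x1000 (limited query, no memory read) is not flagged. Whether a product blocked the access or merely logged it is a separate question, but an event like this landing in your logs is the evidence the thread's simulator page does not give you.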

  • Thank you very much for the detailed information! I understand the explanation, and I’m very happy with what Sophos has to bring to the table with their Home products. Only one more component is missing. Otherwise, solid home solution.