
Sophos Home Misses a Simulation

I ran a simulation from Barkley which is their Stackhackr test tool. I used the payload where it simulates stealing personal info like credentials from active LSASS processes. Sophos Home missed the file and the behaviour components missed the simulated active process. This may need some further investigation since this looks like a serious vulnerability.

 

Here is the exact test file: *Malicious content Removed*



This thread was automatically locked due to age.
  • Hi Enrick Ordono,

    ** I have edited your post to remove the downloadable link for the malware sample file.

    I checked the sample that you provided and I can assure you that it will be detected by Sophos Home as "Troj/MSIL-KAD". You can find the details in VirusTotal link result for the sample that you provided.

    Note: If you believe you have any malware samples that are not being detected, you can submit them to Sophos Labs or open a home ticket from your Sophos Home Dashboard.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support


  • Hey, I agree with the reason on why you removed the link. I would just like to clarify that the file is not in any way malicious. It is only a harmless file that SIMULATES malicious attacks such as file-less ransomware or credential theft through LSASS processes. I have tested Sophos with the file-less ransomware vector which Sophos correctly detects and blocks. Sophos did fail the credential theft scenario, and this is why I posted about it in the first place. Hope this clarifies anything.

    How It Works:

  • Hi Enrick Ordono,

    I understand that the intention of the application is not to actually perform the malicious attack and instead just simulate it. But it's hard for the Anti-virus to differentiate it and hence it will be treated as malicious until we raise a false positive for the detection.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

