Known Issues with AMSI and IPS EAP (Updated 3 December 2019)

This document contains the list of currently known issues with the New Endpoint Protection Features in the Early Access Program for AMSI and IPS. The document will be updated if new issues are encountered or need clarification, or when issues are solved. 

Known Issues List for AMSI and IPS EAP - 2019-12-03.pdf

  • Hi, I ran some tests about trying to exploit Sophos endpoint with Metasploit Framework and such tests were successful, also, I had open a ticket detailing all the test steps.


    Basically Sophos EAP AMSI features and its addon base policies didn't detect the attacks, on the other hand, another try with the same method in a computer running with Windows Defender as endpoint and the process was detected and blocked successfully. All the policies related to the AMSI and Shellcode was enabled during the performed tests.

    The case opened was: #9418224

    How this is an important case, since the customer was passing by a security test made by a security service provider at the moment, I need urgently to resolve this issue about the exploit in order to keep Sophos as the protection brand on the customer. The attack surface is also described in the case above.

    Thanks in advance. 

  • Hi Pedro,

    Thank you for sharing this info. I have been informed of this case, and have given advise to the team on how to proceed.

    It looks like we'll need to collect more information, as the SDU logs provided don't contain any information on the root cause.

    We think it is a very important case indeed for several reasons, so rest assured we keep following it up. Support be in touch with you shortly for further steps on collecting more information.


  • Ok, thanks Vince, I'll do the next tests do see what's coming next. I'll keep you informed.

Reply Children
No Data