Known Issues with AMSI and IPS EAP (Updated 3 December 2019)

Hi, I ran some tests about trying to exploit Sophos endpoint with Metasploit Framework and such tests were successful, also, I had open a ticket detailing all the test steps.

Basically Sophos EAP AMSI features and its addon base policies didn't detect the attacks, on the other hand, another try with the same method in a computer running with Windows Defender as endpoint and the process was detected and blocked successfully. All the policies related to the AMSI and Shellcode was enabled during the performed tests.

The case opened was: #9418224

How this is an important case, since the customer was passing by a security test made by a security service provider at the moment, I need urgently to resolve this issue about the exploit in order to keep Sophos as the protection brand on the customer. The attack surface is also described in the case above.

Thanks in advance. 

Hi Pedro,

Thank you for sharing this info. I have been informed of this case, and have given advise to the team on how to proceed.

It looks like we'll need to collect more information, as the SDU logs provided don't contain any information on the root cause.

We think it is a very important case indeed for several reasons, so rest assured we keep following it up. Support be in touch with you shortly for further steps on collecting more information.

Vince

Ok, thanks Vince, I'll do the next tests do see what's coming next. I'll keep you informed.

Vince, sorry for the delay, however, the improvements made by the dev team were proven to work now.

With the good news, customer demanded that AMSI EAP had to be deployed to all desktops and computers in the network, however, a few computers presented BSOD after EAP modules were installed, specifically after the reboot.

I have three Windows 10 PCs so far that presented this issue. Customer reported that more than these PCs have this same issue. So, looking in the Sophos Central Device's events, none OS files appear to be quarantined or deleted after the update. Is there any Windows OS requirement to install New Endpoint Protection Features (EAP)?

Hi Pedro, 

There are no specific Windows 10 system requirements, just make sure your version is on the list here. 

Am I correct in stating that the issues only arise for machines that are in the EAP?

Vince

Hi Pedro, 

There are no specific Windows 10 system requirements, just make sure your version is on the list here. 

Am I correct in stating that the issues only arise for machines that are in the EAP?

Vince

Vincent, thanks for the information regarding the retirement calendar for the OSs.

Yes, is right to inform in this case that only Windows with EAP modules installed presented issues like BSOD during boot process. Just guessing, but maybe it has to do with application hashes through the process of boot or within the use of detoured?