July 5th, 2018.
Beginning June 18th, 2018, Sophos Central started detecting this CredGuard false positive for Red Cloak on many of our Windows 10 hosts [C:\Program Files (x86)\Dell SecureWorks\Red Cloak\inspector64.exe].
- Please let us know when Sophos Support has a solution for this overactive "Cred Guard" protection process for the Red Cloak process(es) from Dell SecureWorks. We will perform any additional steps necessary. In the meantime, we are waiting for Sophos Support to tune and/or apply a hotfix on the Sophos Central Cloud Platform.
We have already added the following exclusions in Sophos Endpoint Global Scanning: 1. Event, 2. Process, and 3. File/Folder - C:\Program Files (x86)\Dell SecureWorks\Red Cloak\inspector64.exe
Example of a Sophos High alert (see below):
------------------------------------------------------------------------------------------------------
From: do-not-reply@central.sophos.com <do-not-reply@central.sophos.com>
Sent: Wednesday, July 4, 2018 11:13 PM
To: Phillip Krause
Subject: [HIGH] Alert for Sophos Central: We prevented credential theft
Sophos Central Event Details for <Company Name>
What happened: We prevented credential theft in Dell SecureWorks Red Cloak
Where it happened: 092LTP075
Path: C:\Program Files (x86)\Dell SecureWorks\Red Cloak\inspector64.exe
What was detected: CredGuard
User associated with device: <domain>\<username>
How severe it is: High
What Sophos has done so far: We prevented the credential theft and ran a scan to clean up the computer.
What you need to do: Investigate the cause of the alert. When you are sure the system is clean, acknowledge the alert.
Help sources:
Sophos Central specific articles: http://sophos.com/support/knowledgebase/b/9000.aspx.
Sophos Central Frequently Asked Questions (FAQ) - http://www.sophos.com/support/knowledgebase/119598.aspx.
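The alert above ends with "Investigate the cause of the alert." Before acknowledging it, and before leaving a process or path exclusion in place for a binary that Sophos says is reading credentials, it is worth confirming that the file at that path is the genuine, signed Red Cloak component rather than something dropped into the same directory. The PowerShell below is an added example, not code from the original post or from Sophos or SecureWorks; the expected signer pattern and the known-good hash list are placeholders (assumptions) that you fill in from a trusted reference copy of the Red Cloak installer, and it uses only the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets.

```powershell
# Added example (not from the original post): verify the flagged binary before
# treating the CredGuard alert as a false positive and keeping an exclusion for it.
# Assumptions not stated on the page: $ExpectedSignerPattern and $KnownGoodSha256
# are placeholders to be filled from a trusted reference copy of the software.

$Path = 'C:\Program Files (x86)\Dell SecureWorks\Red Cloak\inspector64.exe'
$ExpectedSignerPattern = 'SecureWorks'   # assumption: adjust to the subject on the real signing certificate
$KnownGoodSha256 = @()                   # assumption: populate with hashes taken from a trusted source

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path"
}

# Authenticode check: Status is 'Valid' only when the signature verifies and chains to a trusted root.
$sig  = Get-AuthenticodeSignature -LiteralPath $Path
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

$result = [pscustomobject]@{
    Path          = $Path
    Version       = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    SignatureOK   = ($sig.Status -eq 'Valid')
    Signer        = $sig.SignerCertificate.Subject      # $null when the file is unsigned
    SignerMatches = ($sig.SignerCertificate.Subject -match $ExpectedSignerPattern)
    Sha256        = $hash
    HashKnownGood = ($KnownGoodSha256 -contains $hash)
}

$result | Format-List

if ($result.SignatureOK -and $result.SignerMatches) {
    Write-Host 'Binary is validly signed by the expected publisher: treat the CredGuard alert as a candidate false positive and keep any exclusion scoped to this exact file path.'
} else {
    Write-Warning 'Signature or publisher check failed: do not acknowledge the alert or exclude this path until the file has been verified by other means.'
}
```

Run this on one of the affected hosts (092LTP075 in the alert above) and keep the output with the support case. The point of the hash comparison is that a path-based exclusion silently covers whatever file later occupies that path, so recording the SHA256 of the binary you actually verified gives you something to re-check after the next Red Cloak update, or if the alert reappears on a host where it had gone quiet.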