C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe /service - this service has an unquoted path.
Please fix it ASAP.
The HMPA component's installer was recently updated. I can only think this was introduced at that point as it wasn't always an issue as QC mentions. The EDR product even has a query for this named "Unquoted paths in the service registry keys":
Lists unquoted paths in the service registry keys. Unquoted paths allow an adversary to place an application in a higher-level directory so that Windows finds that application instead of the intended one. (MITRE category T1034)
Created by Sophos
SELECT
r.path,
r.data
FROM registry r
WHERE
r.path like 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%\ImagePath'
-- Check for data that looks like a path, does not start with a quote and contains a space
-- Note: If the data has a parameter with a . in it will be incorrectly matched
AND r.data like '%:\%'
AND r.data not like '"%'
AND rtrim(r.data, replace(r.data, '.', '')) LIKE '% %'
I assume it will be fixed at the first opportunity.
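An added example, not part of the original thread and not Sophos code: a Python mirror of the query's three LIKE conditions, next to a stricter check that avoids the false positive the query's own comment warns about. The sample ImagePath values are constructed, except the first, which is the one reported here; the stricter check assumes the service binary ends in `.exe`.

```python
import re

# Constructed sample ImagePath values; the first is the one reported in this thread.
SAMPLES = {
    "hmpalertsvc": r"C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe /service",
    "quoted_svc": r'"C:\Program Files\Vendor\agent.exe" --run',
    "nospace_svc": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    "dotarg_svc": r"C:\Tools\agent.exe -config settings.ini",
    "driver_svc": r"\SystemRoot\System32\drivers\example.sys",
}

def query_match(data: str) -> bool:
    """Mirror of the three LIKE conditions in the query above."""
    looks_like_path = ":\\" in data          # LIKE '%:\%'
    unquoted = not data.startswith('"')      # NOT LIKE '"%'
    # rtrim(data, replace(data, '.', '')) strips every non-dot character from
    # the right, leaving the text up to and including the last '.'.
    up_to_last_dot = data.rstrip(data.replace(".", ""))
    return looks_like_path and unquoted and " " in up_to_last_dot

# Assumption: the executable portion ends at the first ".exe" followed by
# whitespace or end of string.
_EXE = re.compile(r"^(.+?\.exe)(?=\s|$)", re.IGNORECASE)

def strict_match(data: str) -> bool:
    """Flag only when the unquoted executable path itself contains a space."""
    if data.startswith('"') or ":\\" not in data:
        return False
    m = _EXE.match(data)
    if m is None:
        # No recognisable executable: fall back to the query's heuristic.
        return query_match(data)
    return " " in m.group(1)

def audit(samples):
    """Return {service: (query_result, strict_result)} for each ImagePath."""
    return {name: (query_match(v), strict_match(v)) for name, v in samples.items()}

if __name__ == "__main__":
    for name, (q, s) in audit(SAMPLES).items():
        print(f"{name:12} query={q!s:5} strict={s}")
```

The `dotarg_svc` row is the case where the two checks differ: the query matches it because of the dot in the argument, while the executable path has no space.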
I see the hotfix installer was released today - Sophos Central Intercept X, Central Server Intercept X Advanced and Sophos Exploit Prevention cumulative hotfix
This quotes the ImagePath under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hmpalertsvc