
Sedtelemetry.exe PrivGuard Threat

I am new to Sophos. Please help me understand and remediate this PrivGuard threat. A number of our machines are reporting the following (I've searched the community and found nothing):

Process details : sedtelemetry.exe

Path: c:\program files\sophos\endpoint defense\sedtelemetry.exe
Name: sedtelemetry.exe
Command line: SEDTelemetry.exe
Process ID: 2776
Process executed by: NT AUTHORITY\SYSTEM
SHA256: c12634a26e999a1db3197254399f7196381560c0548ca1d77bf2ed84553d9307
Start time: Jun 23, 2021 12:55 PM
End time: Jun 23, 2021 12:55 PM
Duration: 1s 723ms
Actions done to this artifact:
None
Actions performed by this artifact:
12 File reads
Thanks in advance for the help!


  • Well, AutoUpdate runs a telemetry task at the end of an update if it hasn't run for a while, based on the LastTelemetryTime value under:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Telemetry

    The log of AutoUpdate for example looks like this when it is due to run it:

    2021-07-14T21:29:07.005Z [ 9236:11604] [v6.9.359] INFO Telemetry Interval set to 86400 seconds
    2021-07-14T21:29:07.007Z [ 9236:11604] [v6.9.359] INFO Telemetry Interval updated to 86400 seconds
    2021-07-14T21:29:07.008Z [ 9236:11604] [v6.9.359] INFO Telemetry last ran at 2021-07-12 08:59:21, Offset 6554, Offset Time 2021-07-12 10:48:35
    2021-07-14T21:29:07.009Z [ 9236:11604] [v6.9.359] INFO Telemetry schedule has elapsed.
    2021-07-14T21:29:07.009Z [ 9236:11604] [v6.9.359] INFO Gathering Telemetry

    This process involves SophosUpdate.exe calling:

    "C:\Program Files (x86)\Sophos\AutoUpdate\Telemetry\GatherTelem.exe"

    This exe calls all the components' telem executables as listed under the registry key

    hklm\software\wow6432node\sophos\telemetry\plugins\

    For example, SEDTelemetry.exe is one of them, for the SED component. This gathers some info in JSON format about that component.

    If you open an admin command prompt and run the exe, it prints to screen the data gathered that will be merged into the final telemetry data.

    Do you get the same alert when manually running SEDTelemetry.exe?

    You could run:

    SEDTelemetry > out.json

    to take a look at the data.

    Thanks.
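
A triage script for the mechanism described in the reply above, added here as an example; it is not code from the thread or from Sophos. Run it from an elevated PowerShell prompt on a machine that raised the alert. The file path and SHA256 come from the alert in the original post and the registry locations from the reply; the Authenticode check, the inferred schedule arithmetic (last run + offset + interval), the layout of the Plugins key, and the expectation that the signer is Sophos are assumptions and are marked as such in the comments.

```powershell
# Added triage script for the thread above; not Sophos code. It checks, on the machine that
# raised the alert, whether the reported sedtelemetry.exe is the copy Sophos installs and
# whether AutoUpdate's telemetry plumbing explains the run. Assumptions are marked.
param(
    # Path and SHA256 copied from the alert in the original post.
    [string]$AlertPath   = 'C:\Program Files\Sophos\Endpoint Defense\SEDTelemetry.exe',
    [string]$AlertSha256 = 'c12634a26e999a1db3197254399f7196381560c0548ca1d77bf2ed84553d9307'
)

# Registry locations named in the reply.
$telemetryKey = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\Telemetry'
$pluginsKey   = Join-Path $telemetryKey 'Plugins'

function Test-TelemetryDue {
    # Mirrors the schedule check visible in the AutoUpdate log lines. That the next run is
    # due at (last run + offset + interval) is inferred from those lines (assumption).
    param([datetime]$LastRan, [int]$OffsetSeconds, [int]$IntervalSeconds, [datetime]$Now)
    $offsetTime = $LastRan.AddSeconds($OffsetSeconds)
    $dueAt      = $offsetTime.AddSeconds($IntervalSeconds)
    [pscustomobject]@{ OffsetTime = $offsetTime; DueAt = $dueAt; Elapsed = ($Now -ge $dueAt) }
}

$findings = [ordered]@{}

# 1. The file at the reported path hashes to the value in the alert.
if (Test-Path -LiteralPath $AlertPath) {
    $observed = (Get-FileHash -LiteralPath $AlertPath -Algorithm SHA256).Hash
    $findings['ObservedSha256']   = $observed
    $findings['HashMatchesAlert'] = ($observed -ieq $AlertSha256)

    # 2. A hash match only ties the alert to the file on disk; the Authenticode signature
    #    is what says who built it. Expect a valid signature and a Sophos signer (the
    #    subject string to expect is an assumption; compare it with a known-good install).
    $sig = Get-AuthenticodeSignature -LiteralPath $AlertPath
    $findings['SignatureStatus'] = $sig.Status.ToString()
    $findings['Signer']          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
} else {
    $findings['ObservedSha256']   = 'file not found at reported path'
    $findings['HashMatchesAlert'] = $false
    $findings['SignatureStatus']  = 'n/a'
    $findings['Signer']           = 'n/a'
}

# 3. LastTelemetryTime is the value AutoUpdate consults (per the reply). Its data type and
#    format are not given in the thread, so it is reported as stored rather than parsed.
if (Test-Path -LiteralPath $telemetryKey) {
    $findings['LastTelemetryTime'] = (Get-ItemProperty -LiteralPath $telemetryKey).LastTelemetryTime
} else {
    $findings['LastTelemetryTime'] = 'key missing'
}

# 4. GatherTelem.exe runs the executables listed under ...\Telemetry\Plugins\. The thread does
#    not say whether they appear as subkey names or as value data, so both are collected.
$entries = @()
if (Test-Path -LiteralPath $pluginsKey) {
    foreach ($key in @(Get-Item -LiteralPath $pluginsKey) + @(Get-ChildItem -LiteralPath $pluginsKey -Recurse)) {
        $entries += $key.PSChildName
        foreach ($name in $key.GetValueNames()) {
            $entries += ('{0}={1}' -f $name, $key.GetValue($name))
        }
    }
}
$findings['PluginRegistered'] = [bool]($entries -match 'SEDTelemetry')
$findings['PluginEntries']    = ($entries -join '; ')

# Verdict: all three must hold before treating the event as AutoUpdate's scheduled telemetry.
$findings['LooksLikeScheduledTelemetry'] = ($findings['HashMatchesAlert'] -and
                                            ($findings['SignatureStatus'] -eq 'Valid') -and
                                            $findings['PluginRegistered'])

[pscustomobject]$findings | Format-List

# Schedule arithmetic on the figures in the quoted log: 08:59:21 + 6554 s gives the logged
# Offset Time 10:48:35, and 21:29:07 on the 14th is past that plus 86400 s, hence "elapsed".
Test-TelemetryDue -LastRan '2021-07-12 08:59:21' -OffsetSeconds 6554 `
                  -IntervalSeconds 86400 -Now '2021-07-14 21:29:07'
```

Save it as a `.ps1` file and run it elevated, since the Endpoint Defense directory and the HKLM keys are not readable by a standard user. When the hash matches the alert, the signature reports `Valid` with a Sophos signer, and `PluginRegistered` is true, the process run is consistent with GatherTelem.exe's scheduled telemetry pass and the PrivGuard event is a policy or exclusion question rather than an intrusion. A mismatch on any of the three, in particular an unsigned or differently signed binary at that path, is what should move the machine to a proper investigation.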

  • Thanks! I will give that a try.