
Malicious Behaviour (PrivGuard) detected

Hello,

I use gsudo.exe with Windows Terminal to start CMD or PowerShell with administrative rights, but since I started using Sophos Endpoint it shuts down the Terminal app every time the gsudo process opens a new tab.

The error message is "Malicious Behaviour (PrivGuard) detected".

How can I whitelist the gsudo app?

I guess the computer is shown red in the Central console because of this?



  • If you look in Central, do you have an alert for the event? From the Event you should be able to add an exemption based on the detection ID which will go into the global exclusions.


    In the exclusions it ends up as a "Detected Exploit" exclusion:

    In the Application Event log there will be a 911 Event ID. The bottom of that should have a Thumbprint, e.g.:

    Thumbprint
    c2dfa214190540ad8df871d12c0d81219bae52fa8fbe16586791f7a26b9d3045

    So in Central you exclude this thumbprint and it ends up in the registry on the client in the "WhiteThumbprints" value under: HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\

    With the exclusion in place, from a PS prompt, if I run again the following to trigger an alert:

    gsudo -s

    Then the detection doesn't happen, because for this detection the thumbprint doesn't change and it's now excluded.

    I assume if you check your Application Event log you can see more than one event ID for it; in each event, is the thumbprint the same? If so, this suggests excluding by ID/Thumbprint will work as it does for me.

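The reply above walks through finding the thumbprint in the Event ID 911 entries and confirming it lands in the "WhiteThumbprints" value. The following PowerShell, added here and not taken from the thread or from Sophos, automates that check on the client: it extracts every thumbprint from the 911 events, counts how often each one recurs (a stable thumbprint is the precondition for excluding it), and reports whether it is already present in the registry exclusion. It assumes the event text carries the word "Thumbprint" directly before the 64-character hex value, as shown in the reply, and that WhiteThumbprints is a multi-string or a delimited string; neither format is documented on this page.

```powershell
# Added example: correlate PrivGuard 911 events with the WhiteThumbprints exclusion.
# Assumption: "Thumbprint" precedes the 64-hex-char value in the event message,
# and WhiteThumbprints is REG_MULTI_SZ or a whitespace/semicolon-delimited string.
$regPath = 'HKLM:\SOFTWARE\HitmanPro.Alert'

function Get-PrivGuardThumbprints {
    param([int]$MaxEvents = 50)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 911 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The thumbprint sits at the bottom of the message as a SHA-256 hex string
        if ($e.Message -match 'Thumbprint[\s:]+([0-9A-Fa-f]{64})') {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Thumbprint  = $Matches[1].ToLower()
            }
        }
    }
}

function Get-WhiteThumbprints {
    $item = Get-ItemProperty -Path $regPath -Name WhiteThumbprints -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    $raw = $item.WhiteThumbprints
    # Accept either an array (REG_MULTI_SZ) or one delimited string
    if ($raw -is [array]) { $list = $raw } else { $list = $raw -split '[\s;,]+' }
    return $list | Where-Object { $_ } | ForEach-Object { $_.Trim().ToLower() }
}

$excluded = Get-WhiteThumbprints
Get-PrivGuardThumbprints | Group-Object Thumbprint | ForEach-Object {
    [pscustomobject]@{
        Thumbprint = $_.Name
        Hits       = $_.Count                     # same value across events => stable
        Excluded   = $excluded -contains $_.Name  # true once the Central exclusion has synced
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell before and after adding the exclusion in Central; a thumbprint that shows Hits greater than 1 and Excluded equal to True matches the working state described in the reply.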

  • Good Morning,

    there is no Event or Alert for this in Central. The console on the client shows it and there is something about it in the Endpoint Dashboard.

    But I can't set an exclusion from there.

  • If you go into global exclusions, then under detected exploits as a type, you should be able to find the detection to exclude it. Not sure what order they are in.

    Otherwise. Try making the alert again, then check under the events of the device in Central. There should be a detection. I think there is a hyperlink at the end of the alert which brings up the details and you can exempt it via that workflow.

  • Unfortunately nothing to see under Global Exclusions.

    In the Device Events there are several listings about PUAs (Sysinternals and NirSoft apps), but nothing about PrivGuard. I triggered the alert several times again, but they are not shown in the list.

    I see the red alarm just on the client, and the status of the client in Central is red. At the moment it says:

  • Try checking on the device page specifically, you will see the "Details" button on the right-hand side as shown below.

    Kushal Lakhan
    Team Lead, Global Community Support
  • Sorry, no Details :-|

    How long does it take to sync local events to Central? I only see events in Central up until yesterday noon.

    How long does it take to sync a change in a policy to the client?

    How can I check whether a change in a policy has reached the client?

    Trial and error is a bit of a pain in the ... right now, when I don't know how long I have to wait until any change takes effect on the client, and so far I cannot see on the client whether the policy has synced.

  • I have reached out to you via PM to assist further.

    Kushal Lakhan
    Team Lead, Global Community Support
  • Good Morning,

    Could anyone say something about these questions?

    How long does it take to sync local events to Central? I only see events in Central up until yesterday noon.

    How long does it take to sync a change in a policy to the client?

    How can I check whether a change in a policy has reached the client?

    My event log in Central wasn't updated at all yesterday. Since this morning I see events from yesterday, but again nothing from today.

    I could set an exclusion based on the events from yesterday, but the exclusion doesn't work yet. I made some policy changes yesterday and they didn't work at all yesterday. I checked the policy change this morning and it has actually reached my client.

    Is it really true that one has to wait a complete day for Client/Central to synchronize events, exclusions and policies? Or is a reboot necessary?

  • Assuming Central is fully functional, events from client to Central should be immediate, or at least within 30 seconds.

    Policy changes to the client should be picked up in less than 1 minute.

    You can check policy under Endpoint Self Help, on the Policy page; this looks through the MCS logs for policy. Otherwise, look under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy

    When you change the threat protection policy, for example, under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection

    a new key will be created, and the value of "latest" will point at that key. The old key with the old settings gets removed after about 1 minute.
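The reply above gives a registry-level way to confirm a policy change has arrived. The PowerShell below, added here and not taken from the thread or from Sophos, turns that into a repeatable check: it reports the current "latest" value and the policy subkeys present, and Wait-PolicyChange polls until "latest" changes or a timeout expires, which answers the "how do I know it synced?" question asked earlier. It assumes only what the reply states (one subkey per policy version under ThreatProtection and a "latest" value naming the current one); the function names and the default 120-second timeout are the example's own.

```powershell
# Added example: verify that a Threat Protection policy change has reached the client.
# Assumption (from the reply): ThreatProtection holds one subkey per policy version
# and a "latest" value pointing at the current key; old keys vanish after ~1 minute.
$policyPath = 'HKLM:\SOFTWARE\Sophos\Management\Policy\ThreatProtection'

function Get-CurrentPolicyKey {
    $latest  = (Get-ItemProperty -Path $policyPath -Name latest -ErrorAction Stop).latest
    # List the subkeys too, so a stale key that has not been removed yet is visible
    $subkeys = (Get-ChildItem -Path $policyPath -ErrorAction SilentlyContinue).PSChildName
    [pscustomobject]@{
        Latest  = $latest
        Subkeys = $subkeys
        Checked = Get-Date
    }
}

function Wait-PolicyChange {
    param([int]$TimeoutSeconds = 120, [int]$PollSeconds = 5)
    $before   = (Get-CurrentPolicyKey).Latest
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $PollSeconds
        $now = (Get-CurrentPolicyKey).Latest
        if ($now -ne $before) {
            # "latest" moved to a new key: the policy pushed from Central has landed
            return [pscustomobject]@{ Changed = $true; Old = $before; New = $now; At = Get-Date }
        }
    }
    # Nothing changed within the timeout: the client is not receiving policy from Central
    return [pscustomobject]@{ Changed = $false; Old = $before; New = $before; At = Get-Date }
}

Get-CurrentPolicyKey
# After saving a policy edit in Central, run: Wait-PolicyChange -TimeoutSeconds 120
```

Given the reply's "less than 1 minute" expectation, a result of Changed equal to False after the default timeout points at an MCS communication problem rather than a slow sync.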