This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Application with "conf.json" blocked without events

Hi,

I have a Application with unc path "\\server-01\test$\xyz.exe".

The shortcut of the application is in the same folder with "conf.json" in it.

Sophos Central blocked this program without any events!

Can anybody help ?

best regards,

Thomas



This thread was automatically locked due to age.
Parents
  • If I understand you correctly, you have at least 3 files in the hidden "test" share, i.e.

    1. "\\server-01\test$\xyz.exe"
    2. "\\server-01\test$\xyz.lnk"
    3. "\\server-01\test$\conf.json"

    You are running the shortcut file from the remote computer to launch the application?

    If you run Process Monitor on the client when launching the application, what happens?  Can you share this PML?  Please include all events if you do. 

    I'd be interested to know if the process is created by presumably Explorer.exe, does it load all the modules of the process?  Does the process exit with an exit code that possibly reveals what is happening?

    Thanks.

Reply
  • If I understand you correctly, you have at least 3 files in the hidden "test" share, i.e.

    1. "\\server-01\test$\xyz.exe"
    2. "\\server-01\test$\xyz.lnk"
    3. "\\server-01\test$\conf.json"

    You are running the shortcut file from the remote computer to launch the application?

    If you run Process Monitor on the client when launching the application, what happens?  Can you share this PML?  Please include all events if you do. 

    I'd be interested to know if the process is created by presumably Explorer.exe, does it load all the modules of the process?  Does the process exit with an exit code that possibly reveals what is happening?

    Thanks.

Children
  • I run on the local computer following shortcut (with the correct names/server):

    "\\ww2mws-02\celano$\bdeww2_celCAP4.0\bin\celElectronApp-win32-x64\celElectronApp.exe"

    In the folder on the local Computer is only the shortcut and the "conf.json" in it.

    The PML with all events "Logfile.zip":

    https://cloud.lech-stahlwerke.de/index.php/s/KdJjKTSRmsFaEdJ

    Best regards,

    Thomas

  • It is a "Electron" based Application (Electron 11.3.0 - https://www.electronjs.org/)

    I hope this helps.

    Best regards,

    Thomas

  • Well as expected we see Explorer.exe launching the process:

    None of the processes launched exit, so there is no exit code to go on.

    I would suggest, the best thing might be to rule out features for the remote files.  For example:

    1. Create a new Threat Protection policy and link it to the test computer.

    2. In the new Threat Protection policy change the following 2 options under Advanced settings:

    and 

    Once the policy is received, it will ask to reboot due to the first option.

    Evidence of the policy be applied at the client will be the "HitmanPro.Alert service" service will be set to manual start up rather than auto.

    Does it work then with these 3 options changed and the computer rebooted?

    ---

    If so, re-enable the Top option, to enable ransomware and exploit protection, again it will ask for a reboot.  After the reboot, you can check that the "HitmanPro.Alert service" service is running again and auto startup.


    Does it still work?
    If, yes, re-enable scanning of remote files.

    Does it still work?
    If, yes, re-check "Generate file hashes remotely for event logging"

    Presumably it breaks again, if so, this is the option of interest.

    If, none of the above help, disable the additional option:

    Does it work then?

  • I disabled only "Generate file hashes remotely for event logging" - it works!

    Is this the solution ?

    Thank you!

  • We can probably refine it.  So you can re-enable the other options and enable "Generate file hashes remotely for event logging" again, so it "breaks".  

    Then in exclusions, could be global or on a threat protection policy basis, add a new exclusion of type "Hashing exclusions (Windows)"



    Now, I'm not sure which file being hashed is the issue so you might need to experiment, you could try a file/folder for:

    \\ww2mws-02\celano$\bdeww2_celCAP4.0\bin\celElectronApp-win32-x64\celElectronApp.exe

    If that fails maybe a file/folder for:
    \\ww2mws-02\celano$\bdeww2_celCAP4.0\bin\celElectronApp-win32-x64\
    or
    \\ww2mws-02\celano$\bdeww2_celCAP4.0\

    Maybe a process for:
    \\ww2mws-02\celano$\bdeww2_celCAP4.0\bin\celElectronApp-win32-x64\celElectronApp.exe

    In either case, hopefully one of these will work.  They end up at the endpoint in the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Config

    JournalExcludeHashingFilePaths
    or
    JournalExcludeHashingProcessFilePaths

    When you excluded all remote files from being hashed by the journaling feature, it would have set:
    JournalExcludeHashingRemoteFiles to 1 but you shouldn't need to stop hashing all remote files.

    Note: This isn't for scanning purposes, this is all about journaling data, specially recoding hashes of files for the journal data.

  • Hashing exclusion "\\ww2mws-02\celano$\bdeww2_celCAP4.0\bin\celElectronApp-win32-x64\celElectronApp.exe"

    solves the problem - I re-enabled "Generate file hashes remotely for event logging".

    Thank you.

  • Ah, good, was it a process or file/folder out of interest?

    In any case I believe this is as specific as you can get. The file is still being scanned with this type of exclusion in place.

  • It was a file/folder.

    Thanks for your help.