Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 7 replies
  • Subscribers 12 subscribers
  • Views 4613 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WipeGuard exploit prevented in Sophos Endpoint Defense Software

LHerzog

There is one client that does nothing else than reporting WipeGuard preventions.

Even for Sophos Processes. What's the use of that feature and log?

Initial Detection: WIN-MITRE-Behavioral-TA0040-T1561.002



This thread was automatically locked due to age.
  • 0

    Hi LHerzog,

    Thanks for reaching out.

    If the hotfix package has already been tried on the device, I suggest opening a support case with our team, as it looks like this may require development to get involved. 

    I suggest providing an SDU log as well as a copy of the folder "C:\Windows\CryptoGuard\reverted_xxx".

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • 0 in reply to Qoosh

    Thank you I will install that HF on the machine.

  • 0 in reply to LHerzog

    Unfortunately that EP is still having the issue.

    the latest files in the wipeguard dir are a year old.

    C:\Windows\CryptoGuard

    ....

    05.07.2021  09:33               310 43F9D76E
    05.07.2021  09:33               310 05DA4EA8
    10.09.2021  08:11         1.556.480 827ACE8E
    10.09.2021  08:11         1.982.464 DF3AEE0E

    Will file a support case
    2022-09-21T07:54:20.325Z [ 4924: 6740] A Process with path C:\Program Files\Sophos\Endpoint Defense\SEDService.exe detected as WipeGuard (Technical support reference: 7f487b434cb6f8a3e8ce3e087f48388924886337277127c8929c0c738b482a8d)
    2022-09-21T08:01:48.090Z [ 4924: 5792] W FileWrite interaction limit reached for 1812:133082131689350775 (count=200)
    2022-09-21T08:01:48.145Z [ 4924: 5792] A RCA was unable to find a root cause for beacon sedservice.exe.
    2022-09-21T08:02:20.181Z [ 4924: 5788] A RCA 974d4bcf-007c-8433-1863-2d6ffa754bc8_1716d0f410a02000.tgz successfully uploaded
    .
    2022-09-27T09:44:24.071Z [ 5132: 6664] A Process with path C:\Windows\System32\lsass.exe detected as WipeGuard (Technical support reference: cfe07edaf30b76cc819e786367e69b9fa8b08cd81d3a734cad19892fa5293b6a)
    2022-09-27T09:51:51.787Z [ 5132: 6152] W FileRead interaction limit reached for 896:133087352782986908 (count=200)
    2022-09-27T09:51:51.791Z [ 5132: 6152] W RegKeySetValue interaction limit reached for 896:133087352782986908 (count=200)
    2022-09-27T09:51:51.837Z [ 5132: 6152] A RCA was unable to find a root cause for beacon lsass.exe.
    2022-09-27T09:52:10.723Z [ 5132: 5600] A RCA 974d4bcf-007c-8433-1863-2d6ffa754bc8_1718ae7148674a98.tgz successfully uploaded
  • 0 in reply to LHerzog

    Thanks for following up.

    Could you try the following steps to generate a dump file when the detection occurs?

    Enable Process Dump via Command Prompt

    • Open a Command Prompt with admin privilege.
    • Run the command setx /m HMPA_DUMP_PROCESS_ON_ALERT "1"
    • Open Services (services.msc) and restart the HitmanPro.Alert service.
    • Reproduce the detection
      • The dump will be saved to %temp% and will contain the name of the process/timestamps (e.g.: iexplore.exe_2164_20190215_175424.480(Utc+-480mins).dmp

    If this process still does not generate a dump file, we can also try using Procdump

    • procdump..exe -ma -i
    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • 0 in reply to Qoosh

    we've opened a new case 05930328 for this and installed the latest hotfix from that page:

    Current Hotfix Version: 3.9.1.1041
    Current Hotfix Release Date: 10 November 2022

    Since installation yesterday no new wipe guard false positives but it is too early to say it's fixed.

  • 0 in reply to LHerzog

    there was one new incident with that false positive since installing Hotfix. Frequency has greatly decreased.

    As suggested by   above now Support asked us to set System variable HMPA_DUMP_PROCESS_ON_ALERT to 1

    and wait for the next Wipe Guard Precention to happen.

  • +1 in reply to LHerzog

    No more wipe guard detections after that single incident that happened after the hotfix install. We think the issue has been generally solved by the hotfix: support.sophos.com/.../KB-000038477

Unfiltered HTML