WipeGuard exploit prevented in Sophos Endpoint Defense Software

There is one client that does nothing but report WipeGuard preventions.

Even for Sophos Processes. What's the use of that feature and log?

Initial Detection: WIN-MITRE-Behavioral-TA0040-T1561.002

  • Hi LHerzog,

    Thanks for reaching out.

    If the hotfix package has already been tried on the device, I suggest opening a support case with our team, as it looks like this may require development to get involved. 

    I suggest providing an SDU log as well as a copy of the folder "C:\Windows\CryptoGuard\reverted_xxx".

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thank you, I will install that HF on the machine.

  • Unfortunately that EP is still having the issue.

    The latest files in the WipeGuard dir are a year old.

    C:\Windows\CryptoGuard

    ....

    05.07.2021  09:33               310 43F9D76E
    05.07.2021  09:33               310 05DA4EA8
    10.09.2021  08:11         1.556.480 827ACE8E
    10.09.2021  08:11         1.982.464 DF3AEE0E

    Will file a support case

    2022-09-21T07:54:20.325Z [ 4924: 6740] A Process with path C:\Program Files\Sophos\Endpoint Defense\SEDService.exe detected as WipeGuard (Technical support reference: 7f487b434cb6f8a3e8ce3e087f48388924886337277127c8929c0c738b482a8d)
    2022-09-21T08:01:48.090Z [ 4924: 5792] W FileWrite interaction limit reached for 1812:133082131689350775 (count=200)
    2022-09-21T08:01:48.145Z [ 4924: 5792] A RCA was unable to find a root cause for beacon sedservice.exe.
    2022-09-21T08:02:20.181Z [ 4924: 5788] A RCA 974d4bcf-007c-8433-1863-2d6ffa754bc8_1716d0f410a02000.tgz successfully uploaded
    .
    2022-09-27T09:44:24.071Z [ 5132: 6664] A Process with path C:\Windows\System32\lsass.exe detected as WipeGuard (Technical support reference: cfe07edaf30b76cc819e786367e69b9fa8b08cd81d3a734cad19892fa5293b6a)
    2022-09-27T09:51:51.787Z [ 5132: 6152] W FileRead interaction limit reached for 896:133087352782986908 (count=200)
    2022-09-27T09:51:51.791Z [ 5132: 6152] W RegKeySetValue interaction limit reached for 896:133087352782986908 (count=200)
    2022-09-27T09:51:51.837Z [ 5132: 6152] A RCA was unable to find a root cause for beacon lsass.exe.
    2022-09-27T09:52:10.723Z [ 5132: 5600] A RCA 974d4bcf-007c-8433-1863-2d6ffa754bc8_1718ae7148674a98.tgz successfully uploaded
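As an added example (not code from the thread or from Sophos), here is a small Python triage helper that parses the HitmanPro.Alert log excerpt quoted in the post above. It pulls each WipeGuard detection out with its support reference, attaches the interaction-limit warnings and the RCA outcome that follow it, and reports per-image counts and the hours between consecutive detections, which is the frequency the thread tracks before and after the hotfix. The line patterns are inferred only from the lines quoted in this thread; other message shapes the product may emit are not covered. The sample log is constructed from those quoted lines.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample: the HitmanPro.Alert log lines quoted above in this thread.
SAMPLE_LOG = r"""
2022-09-21T07:54:20.325Z [ 4924: 6740] A Process with path C:\Program Files\Sophos\Endpoint Defense\SEDService.exe detected as WipeGuard (Technical support reference: 7f487b434cb6f8a3e8ce3e087f48388924886337277127c8929c0c738b482a8d)
2022-09-21T08:01:48.090Z [ 4924: 5792] W FileWrite interaction limit reached for 1812:133082131689350775 (count=200)
2022-09-21T08:01:48.145Z [ 4924: 5792] A RCA was unable to find a root cause for beacon sedservice.exe.
2022-09-21T08:02:20.181Z [ 4924: 5788] A RCA 974d4bcf-007c-8433-1863-2d6ffa754bc8_1716d0f410a02000.tgz successfully uploaded
.
2022-09-27T09:44:24.071Z [ 5132: 6664] A Process with path C:\Windows\System32\lsass.exe detected as WipeGuard (Technical support reference: cfe07edaf30b76cc819e786367e69b9fa8b08cd81d3a734cad19892fa5293b6a)
2022-09-27T09:51:51.787Z [ 5132: 6152] W FileRead interaction limit reached for 896:133087352782986908 (count=200)
2022-09-27T09:51:51.791Z [ 5132: 6152] W RegKeySetValue interaction limit reached for 896:133087352782986908 (count=200)
2022-09-27T09:51:51.837Z [ 5132: 6152] A RCA was unable to find a root cause for beacon lsass.exe.
2022-09-27T09:52:10.723Z [ 5132: 5600] A RCA 974d4bcf-007c-8433-1863-2d6ffa754bc8_1718ae7148674a98.tgz successfully uploaded
"""

# Patterns inferred from the quoted lines only (assumption: other messages look different).
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+Z) \[\s*(?P<pid>\d+):\s*(?P<tid>\d+)\] (?P<level>[A-Z]) (?P<msg>.+)$")
DETECT_RE = re.compile(r"^Process with path (?P<path>.+) detected as WipeGuard \(Technical support reference: (?P<ref>[0-9a-f]{64})\)$")
LIMIT_RE = re.compile(r"^(?P<op>\w+) interaction limit reached for (?P<target>\d+:\d+) \(count=(?P<count>\d+)\)$")
NOROOT_RE = re.compile(r"^RCA was unable to find a root cause for beacon (?P<beacon>.+?)\.?$")
UPLOAD_RE = re.compile(r"^RCA (?P<archive>\S+\.tgz) successfully uploaded$")


@dataclass
class Detection:
    ts: datetime
    path: str                      # image path as reported in the detection line
    support_ref: str               # the 64-hex "Technical support reference"
    interaction_limits: list = field(default_factory=list)  # (operation, count) pairs
    root_cause_found: Optional[bool] = None  # False once RCA reports no root cause; None otherwise
    rca_archive: Optional[str] = None        # uploaded RCA bundle name, if any

    @property
    def image(self) -> str:
        """Lower-cased file name, matching how RCA names the beacon."""
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_timestamp(ts: str) -> datetime:
    # Explicit format: fromisoformat() only accepts a trailing 'Z' on Python 3.11+.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def parse_wipeguard_log(text: str) -> list:
    """Group each WipeGuard detection with the follow-up lines that belong to it."""
    detections, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, the "." separator, anything not in the known shape
        msg = m.group("msg")
        d = DETECT_RE.match(msg)
        if d:
            current = Detection(parse_timestamp(m.group("ts")), d.group("path"), d.group("ref"))
            detections.append(current)
            continue
        if current is None:
            continue  # follow-up line with no preceding detection to attach to
        if (lim := LIMIT_RE.match(msg)):
            current.interaction_limits.append((lim.group("op"), int(lim.group("count"))))
        elif (nr := NOROOT_RE.match(msg)):
            # Only attach the RCA verdict if it names the same image as the detection.
            if nr.group("beacon").lower() == current.image:
                current.root_cause_found = False
        elif (up := UPLOAD_RE.match(msg)):
            current.rca_archive = up.group("archive")
    return detections


def summarize(detections: list) -> dict:
    """Per-image counts, images whose RCA failed, and hours between consecutive hits."""
    gaps = [
        (b.ts - a.ts).total_seconds() / 3600.0
        for a, b in zip(detections, detections[1:])
    ]
    return {
        "per_image": Counter(d.image for d in detections),
        "rca_failed": [d.image for d in detections if d.root_cause_found is False],
        "gap_hours": gaps,
    }


if __name__ == "__main__":
    dets = parse_wipeguard_log(SAMPLE_LOG)
    for d in dets:
        print(d.ts, d.image, d.support_ref[:12], d.interaction_limits, d.rca_archive)
    print(summarize(dets))
```

Run it against a larger copy of the same log to see whether the hits cluster on one image (as in this thread, where both are Sophos or OS processes with no RCA root cause) and whether the gap between hits grows after a hotfix; the support references and RCA archive names are what to quote in a case.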
  • Thanks for following up.

    Could you try the following steps to generate a dump file when the detection occurs?

    Enable Process Dump via Command Prompt

    • Open a Command Prompt with admin privilege.
    • Run the command setx /m HMPA_DUMP_PROCESS_ON_ALERT "1"
    • Open Services (services.msc) and restart the HitmanPro.Alert service.
    • Reproduce the detection
      • The dump will be saved to %temp% and will contain the name of the process/timestamps (e.g.: iexplore.exe_2164_20190215_175424.480(Utc+-480mins).dmp)

    If this process still does not generate a dump file, we can also try using Procdump

    • procdump.exe -ma -i
    Kushal Lakhan
    Team Lead, Global Community Support
  • We've opened a new case 05930328 for this and installed the latest hotfix from that page:

    Current Hotfix Version: 3.9.1.1041
    Current Hotfix Release Date: 10 November 2022

    Since installation yesterday no new wipe guard false positives but it is too early to say it's fixed.

  • There was one new incident with that false positive since installing the hotfix. Frequency has greatly decreased.

    As suggested above, Support has now asked us to set the system variable HMPA_DUMP_PROCESS_ON_ALERT to 1

    and wait for the next WipeGuard prevention to happen.

  • No more wipe guard detections after that single incident that happened after the hotfix install. We think the issue has been generally solved by the hotfix: support.sophos.com/.../KB-000038477