WipeGuard exploit prevented in Sophos Endpoint Defense Software

There is one client that does nothing else than reporting WipeGuard preventions.

Even for Sophos Processes. What's the use of that feature and log?

Initial Detection: WIN-MITRE-Behavioral-TA0040-T1561.002

Parents Reply Children
  • Thank you I will install that HF on the machine.

  • Unfortunately that EP is still having the issue.

    the latest files in the wipeguard dir are a year old.

    C:\Windows\CryptoGuard

    ....

    05.07.2021  09:33               310 43F9D76E
    05.07.2021  09:33               310 05DA4EA8
    10.09.2021  08:11         1.556.480 827ACE8E
    10.09.2021  08:11         1.982.464 DF3AEE0E

    Will file a support case
    2022-09-21T07:54:20.325Z [ 4924: 6740] A Process with path C:\Program Files\Sophos\Endpoint Defense\SEDService.exe detected as WipeGuard (Technical support reference: 7f487b434cb6f8a3e8ce3e087f48388924886337277127c8929c0c738b482a8d)
    2022-09-21T08:01:48.090Z [ 4924: 5792] W FileWrite interaction limit reached for 1812:133082131689350775 (count=200)
    2022-09-21T08:01:48.145Z [ 4924: 5792] A RCA was unable to find a root cause for beacon sedservice.exe.
    2022-09-21T08:02:20.181Z [ 4924: 5788] A RCA 974d4bcf-007c-8433-1863-2d6ffa754bc8_1716d0f410a02000.tgz successfully uploaded
    .
    2022-09-27T09:44:24.071Z [ 5132: 6664] A Process with path C:\Windows\System32\lsass.exe detected as WipeGuard (Technical support reference: cfe07edaf30b76cc819e786367e69b9fa8b08cd81d3a734cad19892fa5293b6a)
    2022-09-27T09:51:51.787Z [ 5132: 6152] W FileRead interaction limit reached for 896:133087352782986908 (count=200)
    2022-09-27T09:51:51.791Z [ 5132: 6152] W RegKeySetValue interaction limit reached for 896:133087352782986908 (count=200)
    2022-09-27T09:51:51.837Z [ 5132: 6152] A RCA was unable to find a root cause for beacon lsass.exe.
    2022-09-27T09:52:10.723Z [ 5132: 5600] A RCA 974d4bcf-007c-8433-1863-2d6ffa754bc8_1718ae7148674a98.tgz successfully uploaded
  • Thanks for following up.

    Could you try the following steps to generate a dump file when the detection occurs?

    Enable Process Dump via Command Prompt

    • Open a Command Prompt with admin privilege.
    • Run the command setx /m HMPA_DUMP_PROCESS_ON_ALERT "1"
    • Open Services (services.msc) and restart the HitmanPro.Alert service.
    • Reproduce the detection
      • The dump will be saved to %temp% and will contain the name of the process/timestamps (e.g.: iexplore.exe_2164_20190215_175424.480(Utc+-480mins).dmp

    If this process still does not generate a dump file, we can also try using Procdump

    • procdump..exe -ma -i
    Kushal Lakhan
    Global Community Support Engineer
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids