This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WipeGuard exploit prevented in Sophos Endpoint Defense Software

LHerzog over 1 year ago

There is one client that does nothing else than reporting WipeGuard preventions.

Even for Sophos Processes. What's the use of that feature and log?

Initial Detection: WIN-MITRE-Behavioral-TA0040-T1561.002

This thread was automatically locked due to age.

Top Replies

LHerzog over 1 year ago in reply to LHerzog +2 verified

No more wipe guard detections after that single incident that happened after the hotfix install. We think the issue has been generally solved by the hotfix: support.sophos.com/.../KB-000038477

Parents

0 Qoosh over 1 year ago

Hi LHerzog,

Thanks for reaching out.

If the hotfix package has already been tried on the device, I suggest opening a support case with our team, as it looks like this may require development to get involved.

I suggest providing an SDU log as well as a copy of the folder "C:\Windows\CryptoGuard\reverted_xxx".

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog over 1 year ago in reply to Qoosh

Thank you Qoosh I will install that HF on the machine.
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog over 1 year ago in reply to LHerzog

Unfortunately that EP is still having the issue.

the latest files in the wipeguard dir are a year old.

C:\Windows\CryptoGuard

....

05.07.2021 09:33               310 43F9D76E
05.07.2021 09:33               310 05DA4EA8
10.09.2021 08:11         1.556.480 827ACE8E
10.09.2021 08:11         1.982.464 DF3AEE0E

Will file a support case

2022-09-21T07:54:20.325Z [ 4924: 6740] A Process with path C:\Program Files\Sophos\Endpoint Defense\SEDService.exe detected as WipeGuard (Technical support reference: 7f487b434cb6f8a3e8ce3e087f48388924886337277127c8929c0c738b482a8d)
2022-09-21T08:01:48.090Z [ 4924: 5792] W FileWrite interaction limit reached for 1812:133082131689350775 (count=200)
2022-09-21T08:01:48.145Z [ 4924: 5792] A RCA was unable to find a root cause for beacon sedservice.exe.
2022-09-21T08:02:20.181Z [ 4924: 5788] A RCA 974d4bcf-007c-8433-1863-2d6ffa754bc8_1716d0f410a02000.tgz successfully uploaded

.

2022-09-27T09:44:24.071Z [ 5132: 6664] A Process with path C:\Windows\System32\lsass.exe detected as WipeGuard (Technical support reference: cfe07edaf30b76cc819e786367e69b9fa8b08cd81d3a734cad19892fa5293b6a)
2022-09-27T09:51:51.787Z [ 5132: 6152] W FileRead interaction limit reached for 896:133087352782986908 (count=200)
2022-09-27T09:51:51.791Z [ 5132: 6152] W RegKeySetValue interaction limit reached for 896:133087352782986908 (count=200)
2022-09-27T09:51:51.837Z [ 5132: 6152] A RCA was unable to find a root cause for beacon lsass.exe.
2022-09-27T09:52:10.723Z [ 5132: 5600] A RCA 974d4bcf-007c-8433-1863-2d6ffa754bc8_1718ae7148674a98.tgz successfully uploaded
Cancel
Vote Up 0 Vote Down

Cancel
0 Qoosh over 1 year ago in reply to LHerzog
Thanks for following up.

Could you try the following steps to generate a dump file when the detection occurs?

Enable Process Dump via Command Prompt

Open a Command Prompt with admin privilege.

Run the command setx /m HMPA_DUMP_PROCESS_ON_ALERT "1"

Open Services (services.msc) and restart the HitmanPro.Alert service.

Reproduce the detection

The dump will be saved to %temp% and will contain the name of the process/timestamps (e.g.: iexplore.exe_2164_20190215_175424.480(Utc+-480mins).dmp

If this process still does not generate a dump file, we can also try using Procdump.

procdump..exe -ma -i
Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Qoosh over 1 year ago in reply to LHerzog
Thanks for following up.

Could you try the following steps to generate a dump file when the detection occurs?

Enable Process Dump via Command Prompt

Open a Command Prompt with admin privilege.

Run the command setx /m HMPA_DUMP_PROCESS_ON_ALERT "1"

Open Services (services.msc) and restart the HitmanPro.Alert service.

Reproduce the detection

The dump will be saved to %temp% and will contain the name of the process/timestamps (e.g.: iexplore.exe_2164_20190215_175424.480(Utc+-480mins).dmp

If this process still does not generate a dump file, we can also try using Procdump.

procdump..exe -ma -i
Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 LHerzog over 1 year ago in reply to Qoosh

we've opened a new case 05930328 for this and installed the latest hotfix from that page:

Current Hotfix Version: 3.9.1.1041
Current Hotfix Release Date: 10 November 2022

Since installation yesterday no new wipe guard false positives but it is too early to say it's fixed.
Cancel
Vote Up +1 Vote Down

Cancel
0 LHerzog over 1 year ago in reply to LHerzog

there was one new incident with that false positive since installing Hotfix. Frequency has greatly decreased.

As suggested by Qoosh above now Support asked us to set System variable HMPA_DUMP_PROCESS_ON_ALERT to 1

and wait for the next Wipe Guard Precention to happen.
Cancel
Vote Up +1 Vote Down

Cancel
+1 LHerzog over 1 year ago in reply to LHerzog

No more wipe guard detections after that single incident that happened after the hotfix install. We think the issue has been generally solved by the hotfix: support.sophos.com/.../KB-000038477
Cancel
Vote Up +2 Vote Down

Cancel