3CX DLL-Sideloading attack: What you need to know
There is one client that does nothing but report WipeGuard preventions, even for Sophos processes. What's the use of that feature and log?
Initial Detection: WIN-MITRE-Behavioral-TA0040-T1561.002
Hi LHerzog,
Thanks for reaching out.
If the hotfix package has already been tried on the device, I suggest opening a support case with our team, as it looks like this may require development to get involved.
I suggest providing an SDU log as well as a copy of the folder "C:\Windows\CryptoGuard\reverted_xxx".
Thank you Qoosh I will install that HF on the machine.
Unfortunately that EP is still having the issue.
The latest files in the WipeGuard dir are a year old.
C:\Windows\CryptoGuard
....
05.07.2021 09:33 310 43F9D76E
05.07.2021 09:33 310 05DA4EA8
10.09.2021 08:11 1.556.480 827ACE8E
10.09.2021 08:11 1.982.464 DF3AEE0E
Thanks for following up.
Could you try the following steps to generate a dump file when the detection occurs?
Enable Process Dump via Command Prompt
setx /m HMPA_DUMP_PROCESS_ON_ALERT "1"
services.msc
%temp%
iexplore.exe_2164_20190215_175424.480(Utc+-480mins).dmp
If this process still does not generate a dump file, we can also try using Procdump.
procdump.exe -ma -i
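A small triage helper for the dump-collection steps above, added here as an example and not code from the thread or from Sophos: it checks that the machine-scope variable set by setx /m is actually in place and lists the .dmp files to attach to the case. It assumes the dumps land in the given temp folder and that their names follow the single pattern shown above, process_pid_yyyyMMdd_HHmmss.fff(Utc+-offsetmins).dmp.

```powershell
# Added example, not part of the original post. Assumed dump-name pattern:
# <process>_<pid>_<yyyyMMdd>_<HHmmss>.<fff>(Utc+-<offset>mins).dmp

function Get-HmpaDumpSetting {
    # setx /m writes the machine scope; processes started before setx ran
    # keep their old environment and will not see the value until restarted.
    [Environment]::GetEnvironmentVariable('HMPA_DUMP_PROCESS_ON_ALERT', 'Machine')
}

function Get-HmpaDumpFiles {
    param([string]$Folder = $env:TEMP)   # assumption: dumps are written here
    $pattern = '^(?<proc>.+?)_(?<procid>\d+)_(?<date>\d{8})_(?<time>\d{6})\.(?<ms>\d+)\(Utc\+(?<offset>-?\d+)mins\)\.dmp$'
    Get-ChildItem -Path $Folder -Filter '*.dmp' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_
            if ($f.Name -match $pattern) {
                [pscustomobject]@{
                    Process      = $Matches.proc
                    ProcessId    = [int]$Matches.procid
                    # timestamp as written in the name; offset is the minutes value after "Utc+"
                    Timestamp    = [datetime]::ParseExact($Matches.date + $Matches.time, 'yyyyMMddHHmmss', $null)
                    UtcOffsetMin = [int]$Matches.offset
                    SizeMB       = [math]::Round($f.Length / 1MB, 1)
                    File         = $f.FullName
                }
            } else {
                # unexpected name: still report it so nothing is missed
                [pscustomobject]@{
                    Process = $null; ProcessId = $null
                    Timestamp = $f.LastWriteTime; UtcOffsetMin = $null
                    SizeMB = [math]::Round($f.Length / 1MB, 1); File = $f.FullName
                }
            }
        } | Sort-Object Timestamp -Descending
}

$setting = Get-HmpaDumpSetting
if ($setting -ne '1') {
    Write-Warning "HMPA_DUMP_PROCESS_ON_ALERT is '$setting' at machine scope; run: setx /m HMPA_DUMP_PROCESS_ON_ALERT 1"
}
Get-HmpaDumpFiles | Format-Table Process, ProcessId, Timestamp, SizeMB, File -AutoSize
```

Run it in an elevated PowerShell after the next prevention fires; the newest entry is the dump to send with the SDU log.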
We've opened a new case 05930328 for this and installed the latest hotfix from that page:
Current Hotfix Version: 3.9.1.1041
Current Hotfix Release Date: 10 November 2022
Since installation yesterday no new wipe guard false positives but it is too early to say it's fixed.
There was one new incident with that false positive since installing the hotfix. Frequency has greatly decreased.
As suggested by Qoosh above, Support has now asked us to set the system variable HMPA_DUMP_PROCESS_ON_ALERT to 1 and wait for the next WipeGuard prevention to happen.
No more wipe guard detections after that single incident that happened after the hotfix install. We think the issue has been generally solved by the hotfix: support.sophos.com/.../KB-000038477