3CX DLL-Sideloading attack: What you need to know
I've whitelisted PSEXEC and I've disabled all the modules for Sophos Endpoint but PSEXEC is still being removed as its recognised as a PUA. I've created a policy to whitelist this app on Central but nothing is applying.
Anyone know how to get around this?
Hi jt86,
Could you share a screenshot of the detection that was raised in Sophos Central, as well as the type of exclusion you've created to white-list this?
In some cases, rebooting your device after a detection has been raised may help. I'd suggest trying this, then disabling the scanning components to retry the download.
Could that be download reputation sending the file for scanning?
If you open up Endpoint Self Help - Enable Debug logging for IOfficeAV:
Relaunch the browser and reproduce the problem. Then check:
C:\ProgramData\Sophos\Endpoint Defense\Logs\Low\iofficeav.log
What do you see in there?
Here is what it see. It doesn't even have to be at download, it could be sitting there in a folder and it will be removed by Sophos. Here it says manual cleanup required but the file isn't there.
I also cannot download it again even with all of sophos disabled on that endpoint.
It says that a scheduled scan completed, that might explain the detections in the list view you are showing.
The value of TaskInfo under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service\ScheduledTasks\SophosScheduledScan
will detail the config of the scan if it exists. You can also check
C:\ProgramData\Sophos\Endpoint Defense\Logs\SophosScanCoordinator.log