How to reduce Stack Exec detections

Hi Daina,

I suggest checking if the thumbprint (or 'Detection ID') is the same. You can find this in the Windows Event Viewer > Application Event logs. Try filtering by Event ID 911. This will return all of the Intercept X detection events. 

Near the bottom of the details on each of these events, you will see something like this:

     Thumbprint
     e8af5f63e87c0cff320a14bcd22ee467cb7531ec8eb31e7dd95a300b1207c4da

This is a way of recording the specific operations that occurred when the detection was raised. If the alphanumeric value shown is the same each time, we can add one exclusion to white-list that specific behaviour. The following article describes in further detail the options for exclusion from Sophos Central. 
- Stop detecting an exploit

Hi Qoosh,

Unfortunately the thumbprint are different on each of the devices. The process trace are the same but the loaded modules changes. We do not want to stop checking for this detection. So turning off the exploit mitigation for stack exec is not an option. 

If the thumbprint is specific to each device, adding the exclusion for each device may be an option, but it sounds like this is changing every time. 

I'd suggest trying the hotfix package for Intercept X to see if this has any improvements. 
- Exploit Prevention cumulative hotfix

Turning off stack exec for Office 2016 may be the only option, but I'd suggest opening a case with our support team to see if anything further can be done to mitigate this.

Hi Daina.

I hope you found a "fix" for this.

I experience the same issue with a client using Excel. We've tried a global exclusion in Central not to look for StackExec, but after working with Sophos Support back in January, now we create an exception for the thumbprint and often the thumbprint is the same across machines, but not always. 

The issue comes up every few months. Office apps updated, changing the thumbprint. Currently running Microsoft 365 apps for business 16.0.16327.20248, released April 21, 2023 running on Windows 10.

Event Log

Log Name: Application
Source: HitmanPro.Alert
Date: 5/16/2023 2:02:05 PM
Event ID: 911
Task Category: Mitigation
Level: Error
Keywords: Classic
User: N/A
Computer: BBG-TC-AIO3.xxxxxxx.local
Description:
Mitigation StackExec V2
Policy StackExec
Timestamp 2023-05-16T20:02:05

Platform 10.0.19045/x64 v1237 06_a7*
PID 16640
WoW x86
Enabled 007D2E3004000004
Application C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Created 2023-05-12T21:34:10
Modified 2023-05-12T21:34:11
Description Microsoft Excel 16

<---cut out some of the chaff--->

Thumbprint
a589118907bd6498fc566cb900d37486e1edd3fee20000dc67878d6bef87c140</Data>
</EventData>
</Event>

I have an exclusion for a589118907bd6498fc566cb900d37486e1edd3fee20000dc67878d6bef87c140. I compared the strings and they are identical (paste them both into Notepad++ and highlight one).

Sophos Endpoint ignores the global exclusion.

I applied the "hotfix" which has been a "hotfix" for at least the first half of this year but the hotfix hasn't fixed this permanently.

I tried to create a global exclusion for StackExec but I noted the below error where it appears this won't apply for Excel.

This is a false detection, and I would love it if Sophos would give us a permanent fix instead of a customer complaining again and us going and excluding it again, each time there is an update to office. It pretty much shuts a particular customer down each time this happens.

They are unhappy and don't want Sophos for their endpoint defense product any longer.

We don't have a solution and still struggle with this. Sophos's solution is to exclude based on the thumbprint but this is not a permanent fix. It's a sometimes fix.

This is not fun at all. I don't like dealing with frustrated customers because the vendor is too heavy handed with security. They aim their frustration at me. I really get how important security is, but we need a way to "FIX" this instead of struggling or disabling functionality in Sophos Endpoint which opens the customer up for real threats.

I've already burned a lot of time with Sophos Support on this and I'm not the only one here, we have over 20 techs here at this MSP and multiple techs and engineers have fought with this. Guess I need to throw more money on the fire. Or disable ransomware protection so the customer's employees can work.

 Qoosh I hope you have some ideas!

Hi David,

Apologies for the frustration. I want to work with you to get your feedback to the correct folks here at Sophos so we can look at making some improvements. 

I will follow up with you via PM.