How to reduce Stack Exec detections

Recently we noticed that we are receiving over five detections on a given day for Stack Exec. The threat graph for all detections is identical, with the root cause being Microsoft Office 2016. The reputation for Microsoft Office is good and the file is legitimate. We are using Starquery, so the detections are triggering on the sqlengine.dll, symtraxas400provider.dll among other .dll files based on the 'uncertain reputation'. These files are legacy based on the fact that the application was written a long time ago for certain criteria which has not changed over the years.

In investigating these alerts the only option given is block and clean. That option cannot be used as the application is needed. Can an exclusion be created for this specific Starquery detection? How can this detection be reduced?

Are others receiving this detection and how do you address it?



This thread was automatically locked due to age.
Parents
  • Hi Daina,

    I suggest checking if the thumbprint (or 'Detection ID') is the same. You can find this in the Windows Event Viewer > Application Event logs. Try filtering by Event ID 911. This will return all of the Intercept X detection events. 

    Near the bottom of the details on each of these events, you will see something like this:

         Thumbprint
         e8af5f63e87c0cff320a14bcd22ee467cb7531ec8eb31e7dd95a300b1207c4da

    This is a way of recording the specific operations that occurred when the detection was raised. If the alphanumeric value shown is the same each time, we can add one exclusion to white-list that specific behaviour. The following article describes in further detail the options for exclusion from Sophos Central. 
    - Stop detecting an exploit

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Children
  • Hi Qoosh,

    Unfortunately the thumbprints are different on each of the devices. The process trace is the same but the loaded modules change. We do not want to stop checking for this detection, so turning off the exploit mitigation for stack exec is not an option.

  • If the thumbprint is specific to each device, adding the exclusion for each device may be an option, but it sounds like this is changing every time. 

    I'd suggest trying the hotfix package for Intercept X to see if this has any improvements. 
    - Exploit Prevention cumulative hotfix

    Turning off stack exec for Office 2016 may be the only option, but I'd suggest opening a case with our support team to see if anything further can be done to mitigate this.

    Kushal Lakhan
    Team Lead, Global Community Support
  • Hi Daina.

    I hope you found a "fix" for this.

    I experience the same issue with a client using Excel. We've tried a global exclusion in Central not to look for StackExec, but after working with Sophos Support back in January, now we create an exception for the thumbprint and often the thumbprint is the same across machines, but not always. 

    The issue comes up every few months. Office apps updated, changing the thumbprint. Currently running Microsoft 365 apps for business 16.0.16327.20248, released April 21, 2023 running on Windows 10.

    Event Log

    Log Name: Application
    Source: HitmanPro.Alert
    Date: 5/16/2023 2:02:05 PM
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: BBG-TC-AIO3.xxxxxxx.local
    Description:
    Mitigation StackExec V2
    Policy StackExec
    Timestamp 2023-05-16T20:02:05

    Platform 10.0.19045/x64 v1237 06_a7*
    PID 16640
    WoW x86
    Enabled 007D2E3004000004
    Application C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
    Created 2023-05-12T21:34:10
    Modified 2023-05-12T21:34:11
    Description Microsoft Excel 16

    <---cut out some of the chaff--->

    Thumbprint
    a589118907bd6498fc566cb900d37486e1edd3fee20000dc67878d6bef87c140</Data>
    </EventData>
    </Event>

    I have an exclusion for a589118907bd6498fc566cb900d37486e1edd3fee20000dc67878d6bef87c140. I compared the strings and they are identical (paste them both into Notepad++ and highlight one).

    Sophos Endpoint ignores the global exclusion.

    I applied the "hotfix" which has been a "hotfix" for at least the first half of this year but the hotfix hasn't fixed this permanently.

    I tried to create a global exclusion for StackExec but I noted the below error where it appears this won't apply for Excel.

    This is a false detection, and I would love it if Sophos would give us a permanent fix instead of a customer complaining again and us going and excluding it again, each time there is an update to office. It pretty much shuts a particular customer down each time this happens.

    They are unhappy and don't want Sophos for their endpoint defense product any longer.

    We don't have a solution and still struggle with this. Sophos's solution is to exclude based on the thumbprint but this is not a permanent fix. It's a sometimes fix.

    This is not fun at all. I don't like dealing with frustrated customers because the vendor is too heavy handed with security. They aim their frustration at me. I really get how important security is, but we need a way to "FIX" this instead of struggling or disabling functionality in Sophos Endpoint which opens the customer up for real threats.

    I've already burned a lot of time with Sophos Support on this and I'm not the only one here, we have over 20 techs here at this MSP and multiple techs and engineers have fought with this. Guess I need to throw more money on the fire. Or disable ransomware protection so the customer's employees can work.

    I hope you have some ideas!

    Sophos Firewall Engineer 16.0-20.0
    Sophos Firewall Architect 18.0-20.0
    Sophos Firewall Technician 18.0-20.0
    Sophos Central & Endpoint Architect 3.0-4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner
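The Event ID 911 check suggested earlier in the thread (compare the Thumbprint across events before excluding it) and the EXCEL.EXE event pasted above, as an added PowerShell example that is not part of the thread or of any Sophos tooling. The function names and the sample events with placeholder thumbprints are assumptions made for the example; the live query uses only the log name, source and event ID shown in the posted event.

```powershell
# Added example, not from the thread or from Sophos: summarise Intercept X
# mitigation events (Source HitmanPro.Alert, Event ID 911) by Thumbprint to see
# whether the same Detection ID recurs before creating a thumbprint exclusion.

function ConvertFrom-HmpaEventMessage {
    param([string]$Message, [string]$Computer)
    # The event body is "Key value" per line (see the EXCEL.EXE event above);
    # pull out the fields that matter for an exclusion decision.
    $fields = @{}
    foreach ($key in 'Mitigation', 'Policy', 'Application') {
        if ($Message -match ('(?m)^\s*' + $key + '\s+(.+?)\s*$')) { $fields[$key] = $Matches[1] }
    }
    # The thumbprint is a 64-hex-character value on the line after "Thumbprint".
    if ($Message -match 'Thumbprint\s+([0-9a-fA-F]{64})') { $fields['Thumbprint'] = $Matches[1].ToLower() }
    [pscustomobject]@{
        Computer    = $Computer
        Mitigation  = $fields['Mitigation']
        Application = $fields['Application']
        Thumbprint  = $fields['Thumbprint']
    }
}

function Get-HmpaDetectionSummary {
    # One row per thumbprint: how often it fired and on which machines.
    param([Parameter(ValueFromPipeline=$true)] $Record)
    begin { $all = @() }
    process { $all += $Record }
    end {
        $all | Group-Object Thumbprint | ForEach-Object {
            [pscustomobject]@{
                Thumbprint  = $_.Name
                Count       = $_.Count
                Computers   = ($_.Group.Computer | Sort-Object -Unique) -join ','
                Application = ($_.Group.Application | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Count -Descending
    }
}
# Live use on an endpoint (run elevated if the Application log is restricted):
# Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='HitmanPro.Alert'; Id=911} |
#   ForEach-Object { ConvertFrom-HmpaEventMessage -Message $_.Message -Computer $_.MachineName } |
#   Get-HmpaDetectionSummary
# Constructed sample events (placeholder thumbprints, not real detections) so the
# script runs offline; the layout mirrors the event pasted in the post above.
$excel = 'C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE'
$samples = foreach ($s in @(@('PC1','a'), @('PC2','a'), @('PC3','b'))) {
    @{ Computer = $s[0]; Message = "Mitigation StackExec V2`nPolicy StackExec`nApplication $excel`n`nThumbprint`n$($s[1] * 64)" }
}
$samples | ForEach-Object { ConvertFrom-HmpaEventMessage -Message $_.Message -Computer $_.Computer } |
    Get-HmpaDetectionSummary | Format-Table -AutoSize
```

A thumbprint that appears once per machine with a different value each time is the case described in the thread where a single exclusion will not hold; one that recurs across machines is a candidate for the "Stop detecting an exploit" exclusion.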

  • Hi David,

    Apologies for the frustration. I want to work with you to get your feedback to the correct folks here at Sophos so we can look at making some improvements. 

    I will follow up with you via PM.

    Kushal Lakhan
    Team Lead, Global Community Support