
How to reduce Stack Exec detections

Recently we noticed that we are receiving over five detections on a given day for Stack Exec. The threat graph for all detections is identical, with the root cause being Microsoft Office 2016. The reputation for Microsoft Office is good and the file is legitimate. We are using Starquery, so the detections are triggering on sqlengine.dll, symtraxas400provider.dll, among other .dll files, based on the 'uncertain reputation'. These files are legacy, based on the fact that the application was written a long time ago for certain criteria which have not changed over the years.

In investigating these alerts the only option given is block and clean. That option cannot be used as the application is needed. Can an exclusion be created for this specific Starquery detection? How can this detection be reduced?

Are others receiving this detection and how do you address it?



  • Hi Daina,

    I suggest checking if the thumbprint (or 'Detection ID') is the same. You can find this in the Windows Event Viewer > Application Event logs. Try filtering by Event ID 911. This will return all of the Intercept X detection events. 

    Near the bottom of the details on each of these events, you will see something like this:

         Thumbprint
         e8af5f63e87c0cff320a14bcd22ee467cb7531ec8eb31e7dd95a300b1207c4da

    This is a way of recording the specific operations that occurred when the detection was raised. If the alphanumeric value shown is the same each time, we can add one exclusion to white-list that specific behaviour. The following article describes in further detail the options for exclusion from Sophos Central. 
    - Stop detecting an exploit

    Kushal Lakhan
    Team Lead, Global Community Support
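The check described in the reply above, as an added PowerShell example that is not part of the thread or of Sophos' own tooling: it pulls the Event ID 911 entries from the Application log and groups them by the Thumbprint value in each event's details, so you can see at a glance whether one thumbprint repeats (one exclusion would cover it) or every detection carries a new one. It assumes the thumbprint appears in the message text as a "Thumbprint" label followed by a 64-character hex string, as in the quoted event.

```powershell
# Added example, not from the thread. Assumes Intercept X writes detection events
# with Event ID 911 to the Application log and that each message carries a
# "Thumbprint" label followed by a 64-character hex value.

param(
    [int]$Days = 7,                          # how far back to look
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{
    LogName   = 'Application'
    Id        = 911
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises an error when nothing matches; suppress it and handle below.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No Event ID 911 entries in the last $Days day(s) on $ComputerName."
    return
}

# Assumed layout: the label "Thumbprint", a line break, then the hex value.
$pattern = 'Thumbprint\s*[\r\n]+\s*([0-9A-Fa-f]{64})'

$records = foreach ($e in $events) {
    $m  = [regex]::Match($e.Message, $pattern)
    $tp = if ($m.Success) { $m.Groups[1].Value.ToLower() } else { '<not found>' }
    [pscustomobject]@{ Time = $e.TimeCreated; Thumbprint = $tp }
}

# One row per distinct thumbprint. A single dominant value means one exclusion
# for that thumbprint covers the noise; many distinct values mean per-thumbprint
# exclusions will not keep up and the hotfix / support-case route is the better one.
$records |
    Group-Object Thumbprint |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Thumbprint'; e = { $_.Name } },
                  Count,
                  @{ n = 'FirstSeen'; e = { ($_.Group | Sort-Object Time | Select-Object -First 1).Time } },
                  @{ n = 'LastSeen';  e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize
```

Run it per endpoint (or pass -ComputerName for remote hosts where Remote Event Log Management is allowed) and compare the tables; a thumbprint that is stable on one machine but differs across machines points to per-device exclusions rather than a single global one.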
  • Hi Qoosh,

    Unfortunately the thumbprints are different on each of the devices. The process traces are the same but the loaded modules change. We do not want to stop checking for this detection. So turning off the exploit mitigation for stack exec is not an option.

  • If the thumbprint is specific to each device, adding the exclusion for each device may be an option, but it sounds like this is changing every time. 

    I'd suggest trying the hotfix package for Intercept X to see if this has any improvements. 
    - Exploit Prevention cumulative hotfix

    Turning off stack exec for Office 2016 may be the only option, but I'd suggest opening a case with our support team to see if anything further can be done to mitigate this.

    Kushal Lakhan
    Team Lead, Global Community Support