How to reduce Stack Exec detections

Question

Recently we noticed that we are receiving over five detections on a given day for Stack Exec . The threat graph for all detections are identical with the root cause been Microsoft Office 2016. The reputation for Microsoft Office is good and the file is legitimate. We are using Starquery so the detections are triggering on the sqlengine.dll, symtraxas400provider.dll among other .dll files based on the 'uncertain reputation'. These files are legacy based on the fact that the application was written along time ago for certain criteria which as not changed over the years 
 In investigating these alerts the only option given is block and clean. That option cannot be use as the application is needed. Can an exclusion be created for this specific starquey detection? How can this detection be reduce? 
 Are others receiving this detection and how do you address it?

Qoosh · Answer

Hi Daina , 
 I suggest checking if the thumbprint (or 'Detection ID') is the same. You can find this in the Windows Event Viewer > Application Event logs. Try filtering by Event ID 911. This will return all of the Intercept X detection events. 
 Near the bottom of the details on each of these events, you will see something like this: 
 Thumbprint e8af5f63e87c0cff320a14bcd22ee467cb7531ec8eb31e7dd95a300b1207c4da 
 This is a way of recording the specific operations that occurred when the detection was raised. If the alphanumeric value shown is the same each time, we can add one exclusion to white-list that specific behaviour. The following article describes in further detail the options for exclusion from Sophos Central. - Stop detecting an exploit

How to reduce Stack Exec detections

Top Replies