Threat Analysis Center / Detections: "Vulnerability SRP path rules missing" caused by MDR checks

Yes, I want to know too

I'm pretty sure it's to do with Software Restiction Policies under:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\262144

This seems to be referenced in the query pack file

Do you have a any rules on the computers with the error?

No, thats empty by default and is why it triggers the alert.

If you create the default 2 additional rules as shown in the previous screenshot. I assume it clears from the future.


I suppose you can do the same via Group Policy.

What version of the query pack do you have:

C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest\version.txt

Thanks.

Creating a default SRP GPO will neither block or allow something special. It is just that there is something configured for the default MS System folders.

Sounds like the Query scanning for SRP registry keys in that way does not make much sense.

It only creates "log noise".

We're seeing the same issue. When I look at Software Restriction Policies | Microsoft Learn I see that this technology is deprecated and replaced by Windows Defender functionality.

While creating the necessary keys through GPO sounds like a good workaround, I'm somewhat reluctant to make changes in my enterprise infrastructure just to avoid noise in the security software, unless it's a change that is necessary for security. 

I would also love to know why the detection triggers on a deprecated function that a user can choose to activate or not. Are there people from Sophos on the community forums, or should this best be ticketed to support as an inquiry?

We're seeing the same issue. When I look at Software Restriction Policies | Microsoft Learn I see that this technology is deprecated and replaced by Windows Defender functionality.

While creating the necessary keys through GPO sounds like a good workaround, I'm somewhat reluctant to make changes in my enterprise infrastructure just to avoid noise in the security software, unless it's a change that is necessary for security. 

I would also love to know why the detection triggers on a deprecated function that a user can choose to activate or not. Are there people from Sophos on the community forums, or should this best be ticketed to support as an inquiry?

After raising your concerns to our teams internally, I was informed that the detections related to Software Restriction Policies will be disabled in an upcoming release.

That is very good news, thank you.

We do understand that when looking at the 'detections' we're kind of looking "under the hood" of the Sophos engine and many detections are just observations (like a changed user, password incorrect, etc) and are mainly for MDR purposes. But, especially with the new user friendly dashboard graphs, end users can also keep a better eye on their environment (even those with MDR). If these 'medium' alerts will be gone (or informational) in the future, the view will be so much clearer.

Thanks!