Advisory: Sophos Endpoint "Your connection isn't private" after reboot. Policy settings can be returned to normal. See: KB-000045954 for the latest updates.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Threat Analysis Center / Detections: "Vulnerability SRP path rules missing" caused by MDR checks

The detections section in Threat Analysis Center is filling with many of these events caused by MDR checks.
SRP seems to be related to Microsoft Software Restriction Policies.
What is the intension of this check?
"COMPLIANCE-SRP-DISALLOWED-PATHS"



This thread was automatically locked due to age.
Parents
  • I'm pretty sure it's to do with Software Restiction Policies under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\262144

    This seems to be referenced in the query pack file

    Do you have a any rules on the computers with the error?

  • No, thats empty by default and is why it triggers the alert.

  • If you create the default 2 additional rules as shown in the previous screenshot. I assume it clears from the future.


    I suppose you can do the same via Group Policy.

    What version of the query pack do you have:

    C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest\version.txt

    Thanks.

  • Adding reg keys could be one workaround.
    "1.16.54"

  • Creating a default SRP GPO will neither block or allow something special. It is just that there is something configured for the default MS System folders.

    Sounds like the Query scanning for SRP registry keys in that way does not make much sense.

    It only creates "log noise".

  • We're seeing the same issue. When I look at Software Restriction Policies | Microsoft Learn I see that this technology is deprecated and replaced by Windows Defender functionality.

    While creating the necessary keys through GPO sounds like a good workaround, I'm somewhat reluctant to make changes in my enterprise infrastructure just to avoid noise in the security software, unless it's a change that is necessary for security. 

    I would also love to know why the detection triggers on a deprecated function that a user can choose to activate or not. Are there people from Sophos on the community forums, or should this best be ticketed to support as an inquiry?

  • I just faced it today. SRP path rules are missing.
    If I want to get rid of these sophos alerts I need to create a default SRP?

  • I have asked Support the question why it detects this seemingly harmless deprecated function, and like what's said in Central itself, the response was "These detections are for information only unless you have an MDR license." Which I don't (hoping to get one soon). It's still a shame it clutters up the new, extremely useful dashboard so much.

    Today I've created a default SRP policy on my workstation and set the default security level to "Basic User" to test if it has any adverse side-effects and to see if the detections change. I'll post the results in a few days as the detections occur on different times of day.

    Edit: A default SRP policy with default security level set to 'basic' doesn't change a thing. It still complains about missing rules, and I'm not prepared to deploy an application whitelisting system just to get rid of the detection. Guess I'm living with it.

  • Ah I see makes sense that they are just for information purpose (no MDR either) but indeed it clutters pretty much around (poor dashboard)

  • "detections identify activity on your devices that's unusual or suspicious but hasn't been blocked. They're different from events where we detect and block activity that we already know to be malicious." Sadly you dont get any information via support. The reason is simple, they want to sell MDR ;-)

Reply
  • "detections identify activity on your devices that's unusual or suspicious but hasn't been blocked. They're different from events where we detect and block activity that we already know to be malicious." Sadly you dont get any information via support. The reason is simple, they want to sell MDR ;-)

Children
No Data