I am getting hundreds of these error messages. Uninstalling and reinstalling Sophos hasn't helped.
What can I do to either stop these messages or fix the root cause?
This thread was automatically locked due to age.
I am getting hundreds of these error messages. Uninstalling and reinstalling Sophos hasn't helped.
What can I do to either stop these messages or fix the root cause?
Thank you for reaching the community forum.
Can you share with us more details about this detection? Can you check which application triggered this detection and its path on your central dashboard? Based on the event, this detection is Shellcode (DynamicShellcode) Exploit which is being detected by our Dynamic Shell code protection under Intercept X. To further understand what this exploit is and how our feature works, I'll share this Documentation.
The Event Log service - as per subject
When checking the "Threat Analysis Center" are you able to find any further details recorded surrounding the detection event?
The following article goes into further detail regarding what to do when you see a DynamicShellcode detection. You can also find this linked directly from the detection event in Sophos Central.
- Sophos Central Admin: Dynamic Shellcode
You can find resources on many exploit detections in the following blog post.
- New Exploit Mitigation Help
When checking the "Threat Analysis Center" are you able to find any further details recorded surrounding the detection event?
The following article goes into further detail regarding what to do when you see a DynamicShellcode detection. You can also find this linked directly from the detection event in Sophos Central.
- Sophos Central Admin: Dynamic Shellcode
You can find resources on many exploit detections in the following blog post.
- New Exploit Mitigation Help
Thanks, but I've already read that link and it does nothing and says nothing, other than how to add an exception if there is an application using memory that regular applications do not. Clearly the Windows Event Viewer is a regular application, so I don't want to add an exception. That's a lazy way out that may be allowing a problem to occur without detection. If it was a useful article with troubleshooting steps to actually fix/resolve the issue, I wouldn't need to post on the forums.
Threat analysis says nothing either, or again, I wouldn't be here. Says the Windows Event Service has an unknown reputation (I find that very hard to believe). SFC /scannow finds no integrity issues.
If you suspect this may be a false positive, installing the hotfix package for Intercept X may help.
If the detection is occurring consistently, it may help to run Process Monitor or Process Explorer on the device to gather additional details surrounding the execution of the wevtsvc.exe process.
You can also try using the Live Discover query Sophos PID and reputation of all running processes as a starting point to run queries against the device to investigate further.
After four days back and forth with Sophos Technical Support trying to get me to pay money to get it investigated, I managed to solve this problem myself.
If anyone else comes across this error, the fix is to uninstall Sophos and reboot. Then download Norton Antivirus, the free "power eraser" from its website and it will get rid of the Malware with no problem whatsoever. You can then re-install Sophos and hope that next time it is about to clean the malware itself.
