Lockdown while saving MS Office mail attachments on share: C:\Windows\SysWOW64\rundll32.exe

Users received legitimate Word files via Outlook.

When received, they opened and edited the attachment directly (explains the AppData\Local\Temp\NDFCE93.tmp filename) and then, while saving the file on the Windows Server SMB file share, their Sophos EP creates a lockdown event for C:\Windows\SysWOW64\rundll32.exe

This has been happening since today for a few users that have not changed their way of work. I have asked them to do exactly the same with the same mail attachment after a reboot and it could not reproduce the issue.

Licensed     Assigned     Version
Core Agent        2024.1.0.46
Sophos Intercept X        2023.2.1.6
Device Encryption        2023.2.0.7
Managed Detection and Response        2023.2.0.3
XDR        2024.1.0.46

Is this a new and known issue?

Details like:

Detection type  Lockdown

Application

Path          C:\Windows\SysWOW64\rundll32.exe
Version       10
PID           14420
Detection ID  ae580bbd997cec514fae8b611df72ae52e03e4017e39bce46bc3f06f4c1b900a

Mitigation   Lockdown
Policy       LockdownNewFile
Timestamp    2024-03-26T13:40:23

Platform     10.0.19045/x64 v3 06_8e-
PID          14420
WoW          x86
Enabled      08FDAE3A40000004
Silent       0080800000000000
Application  C:\Windows\SysWOW64\rundll32.exe
Created      2023-11-20T14:12:24
Modified     2023-11-20T14:12:24
Description  Windows host process (Rundll32) 10

Filename     C:\WINDOWS\system32\msdt.exe

Lockdown type:    LolBin

Command line:
 -skip TRUE -path "C:\WINDOWS\diagnostics\system\networking" -af "C:\Users\XXXXX~1\AppData\Local\Temp\NDF82B2.tmp" -ep "NetworkDiagnosticsSharing"

Loaded Modules (43)

Or:

Detection type  Lockdown

Application

Path          C:\Windows\SysWOW64\rundll32.exe
Version       10
PID           22208
Detection ID  2b7c55ff0422b6e9674a1b6842768914918eb75772fc7236febd7d6eac914a07

Mitigation   Lockdown
Policy       LockdownNewFile
Timestamp    2024-03-26T12:57:29

Platform     10.0.22621/x64 v3 06_ba*
PID          22208
WoW          x86
Enabled      08FDAE3A40000004
Silent       0080800000000000
Application  C:\Windows\SysWOW64\rundll32.exe
Created      2022-05-07T05:19:48
Modified     2022-05-07T05:19:48
Description  Windows host process (Rundll32) 10

Filename     C:\Windows\system32\msdt.exe

Lockdown type:    LolBin

Command line:
 -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\xxxxxx\AppData\Local\Temp\NDFCE93.tmp" -ep "NetworkDiagnosticsSharing"

Loaded Modules (36)



Added tags
[edited by: GlennSen at 2:30 AM (GMT -7) on 2 Apr 2024]
  • Thank you for reaching out to the community forum.

    I suspect some update to the PC/endpoint software, especially to Sophos IX, triggers a notification and is refreshed after you've performed a restart on the device. However, I suspect that this detection is a false positive.

    If by any chance this error occurs again in the near future, we would like to ask for your assistance in capturing the logs while the issue is present to investigate further.

    Also, I will be sharing this article related to lockdown detection to better explain why lockdown detections happen.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

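
For triage of further events like the two quoted in this thread, the following added example (not part of the original posts and not Sophos code) parses a pasted detail block and lists every field or msdt.exe argument that differs from what both events here have in common. The names `parse_event`, `deviations` and `BASELINE` are hypothetical, and the baseline is an assumption derived only from these two events, so an empty result means "same shape as the events above", not a verdict.

```python
import re

# Constructed sample in the shape of the detail blocks quoted in this thread.
SAMPLE = r'''
Policy       LockdownNewFile
Application  C:\Windows\SysWOW64\rundll32.exe
Filename     C:\Windows\system32\msdt.exe
Lockdown type:    LolBin
Command line:
 -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\xxxxxx\AppData\Local\Temp\NDFCE93.tmp" -ep "NetworkDiagnosticsSharing"
'''

FIELD = re.compile(r'^(Application|Filename|Policy|Lockdown type):?[ \t]+(.+?)[ \t]*$', re.M)
ARG = re.compile(r'-(\w+)\s+(?:"([^"]*)"|(\S+))')

def parse_event(text):
    """Split one pasted lockdown detail block into header fields and msdt arguments."""
    fields = {k.lower(): v for k, v in FIELD.findall(text)}
    # The command line is the first non-empty line after the "Command line:" label.
    cmd = (text.partition("Command line:")[2].strip().splitlines() or [""])[0]
    args = {m[1].lower(): (m[2] if m[2] is not None else m[3]) for m in ARG.finditer(cmd)}
    return fields, args

# Assumption: these patterns encode only what both events on this page have in
# common; they are a comparison baseline, not a vendor rule.
BASELINE = [
    ("field", "application",   r'[a-z]:\\windows\\syswow64\\rundll32\.exe'),
    ("field", "filename",      r'[a-z]:\\windows\\system32\\msdt\.exe'),
    ("field", "policy",        r'LockdownNewFile'),
    ("field", "lockdown type", r'LolBin'),
    ("arg", "skip", r'TRUE'),
    ("arg", "path", r'[a-z]:\\windows\\diagnostics\\system\\networking'),
    ("arg", "af",   r'[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\NDF[0-9A-F]+\.tmp'),
    ("arg", "ep",   r'NetworkDiagnosticsSharing'),
]

def deviations(text):
    """List every baseline item the event does not match (empty list = same shape)."""
    fields, args = parse_event(text)
    out = []
    for kind, key, pattern in BASELINE:
        value = (fields if kind == "field" else args).get(key)
        if value is None or not re.fullmatch(pattern, value, re.I):
            out.append(f"{kind} {key}: {value!r}")
    extra = sorted(set(args) - {key for kind, key, _ in BASELINE if kind == "arg"})
    out += [f"unexpected arg: -{name}" for name in extra]
    return out

if __name__ == "__main__":
    print(deviations(SAMPLE) or "same shape as the two events in this thread")
```

Any event that returns a non-empty list is worth reading by hand and attaching to the support case along with the captured logs.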