WIN-EVA-PRC-NET-STOP-SOPHOS-1

Hello,
I have 100+ Detections on the Threat Analysis Dashboard for a Medium Severity WIN-EVA-PRC-NET-STOP-SOPHOS-1 that occurred yesterday, mostly within minutes of each other. Looking at the RAW Data tab it seems these all share the same command line being detected:

"C:\WINDOWS\system32\NET.EXE\" STOP SophosDataRecorderService",

I'm guessing this is as a result of a maintenance task on Data Recorder rather than anything malicious but can't locate any Event or Log entries that may give further details. I see no other noteworthy Detections in Central for this time period. Can anybody point me in the right direction please to investigate this further?

Many thanks.

Andy.



[edited by: GlennSen at 12:37 PM (GMT -8) on 4 Feb 2025]
  • Thank you for reaching out to the community forum.

    On your Central dashboard, do you see a Parent for Net.EXE?
    Also, can you raise a support case regarding this detection and share with us the case ID?

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
    • Hi Glenn,
      I've raised a case as requested and its number is 02172435. I've added the RAW_Log from one of the detections to the support case as well as enabling Remote Assistance.

      The Parent seems to be either Taskeng.exe OR svchost.exe for all these Detections.

      Thanks.

      Andy.

      • Thank you, Andy. It looks like you have a running scheduled task trying to kill the process, which triggers these multiple detections.
        You can try checking it to validate further, or you can run a Live Query and see what scheduled task is running on your devices.



        Glenn ArchieSeñas (GlennSen)
        Global Community Support Engineer

        The New Home of Sophos Support Videos!  Visit Sophos Techvids
        • Hi Glenn,
          Thanks for the pointer. Looks like we have a very old GPO that attempts to Stop & Start this service. I have a vague recollection this was done many years ago to purge old logs or data due to a known fault in that Sophos Service at the time.

          We're going to remove this GPO. Thanks for your help. I'll update and cancel the ticket.

          Andy.
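As an added example (not from this thread and not Sophos' own code), these are osquery-style SQL queries of the kind Live Query accepts, following Glenn's suggestion to look at scheduled tasks and Andy's finding that a GPO script was stopping the service. The osquery `scheduled_tasks`, `registry` and `services` tables are real; the Group Policy script-state registry key path used in the second query is an assumption.

```sql
-- Query 1: scheduled tasks whose action stops the Sophos Data Recorder service.
-- This is what produced the NET.EXE STOP command line with a taskeng/svchost parent.
SELECT
  name,
  path,
  action,
  enabled,
  state,
  hidden,
  datetime(last_run_time, 'unixepoch') AS last_run,
  last_run_message
FROM scheduled_tasks
WHERE LOWER(action) LIKE '%net%stop%sophosdatarecorderservice%'
   OR LOWER(action) LIKE '%sc%stop%sophosdatarecorderservice%';

-- Query 2: computer Startup/Shutdown scripts applied by Group Policy, read from
-- the policy state the client writes to the registry (key path is an assumption).
-- DisplayName and GPO-ID identify the GPO to remove; Script/Parameters show the command.
SELECT key, name, data
FROM registry
WHERE key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\%'
  AND name IN ('DisplayName', 'GPO-ID', 'Script', 'Parameters');

-- Query 3: confirm the service is back in its expected state once the GPO is gone.
SELECT name, display_name, status, start_type, path
FROM services
WHERE name = 'SophosDataRecorderService';
```

Run the first two queries against one of the affected endpoints; a task or script whose command contains `NET STOP SophosDataRecorderService` is the source to remove, and the third query should then show the service running again.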