WIN-EVA-PRC-NET-STOP-SOPHOS-1

AndyR 6 hours ago

Hello,
I have 100+ Detections on the Threat Analysis Dashboard for a Medium Severity WIN-EVA-PRC-NET-STOP-SOPHOS-1 that occurred yesterday, mostly within minutes of each other. Looking at the RAW Data tab it seems these all share the same command line being detected:

"C:\WINDOWS\system32\NET.EXE\" STOP SophosDataRecorderService",

I'm guessing this is as a result of a maintenance task on Data Recorder rather than anything malicious but cant locate any Event or Log entries that may give further details. I see no other noteworthy Detections in Central for this time period. Can anybody point me in the right direction please to investigate this further?

Many thanks.

Andy.

Parents

0 GlennSen 3 hours ago

Thank you for reaching out to the community forum.

On your central dashboard, do you see a Parent for Net.EXE?
Also, Can you raise a support case regarding this detection and share with us the case ID?

Glenn ArchieSeñas (GlennSen)

Global Community Support Engineer

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 AndyR 3 hours ago in reply to GlennSen

Hi Glenn,
I've raised a case as requested and its number is 02172435. I've added the RAW_Log from one of the detections to the suppoort case as well as enabling Remote Assistance.

The Parent seems to be either Taskeng.exe OR svchost.exce for all these Detections.

Thanks.

Andy.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 GlennSen 2 hours ago in reply to AndyR

Thank you, Andy. It looks like you have a running scheduled task trying to kill the process, which triggers this multiple detection.
You can try checking it to validate further, or you can check a Live query and see what scheduled task is running on your devices.

Glenn ArchieSeñas (GlennSen)

Global Community Support Engineer

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 GlennSen 2 hours ago in reply to AndyR

Thank you, Andy. It looks like you have a running scheduled task trying to kill the process, which triggers this multiple detection.
You can try checking it to validate further, or you can check a Live query and see what scheduled task is running on your devices.

Glenn ArchieSeñas (GlennSen)

Global Community Support Engineer

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 AndyR 1 hour ago in reply to GlennSen

Hi Glenn,
Thanks for the pointer. Looks like we have a very old GPO that attempts to Stop & Start this service. I have a vague recollection this was done many years ago to purge old logs or data due to a known fault in that Sophos Service at the time.

We're going to remove this GPO. Thanks for your help. I'll update and cancel the ticket.

Andy.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel