
HitmanPro Test Tool results

So far I've deployed the beta to two Windows 7 Professional laptops, both with Sophos Cloud installed.  I created a custom policy and assigned both laptops to it.  I downloaded/ran the HitmanPro Test Tool http://dl.surfright.nl/hmpalert-test.exe on both laptops, following the instructions in the manual http://dl.surfright.nl/Exploit%20Test%20Tool%20Manual.pdf, and no alerts were generated and none of the simulated attacks were blocked.  I made sure all the required parts of the policy were enabled under Threat Protection.  Interestingly, I notice that the Ultimate-Intercept features appear in all of our Cloud policies.  Is my thinking correct that endpoints assigned to other policies won't be affected unless they've actually been assigned to the beta using Early Access Programs/Manage?  Shouldn't I be seeing alerts and the simulated attacks generated by the test tool getting blocked?



  • Ultimate - Intercept features will be used by devices with the beta agent; all other devices will ignore the settings.

    First, the obvious question.  You have enabled the relevant policy settings for exploit prevention, and the policy is assigned to the user who is logged into the devices?

  • Yes I have enabled the relevant policy settings and have followed the instructions listed in the Ultimate Intercept Beta Deployment Phase2 PowerPoint document that I received and do have the cloned policy assigned to the user (me) who is logged on to both devices.  I just went through the policy settings again and confirmed the policy is set as described on slide 9 (New policy settings - known issues) of the PowerPoint document.

  • Hi JSWVLCM, 

    Can you have a look at what licenses you have?  You should have "Endpoint Ultimate" with type Beta or EAP as well as your other endpoint licence.

    Next, double-check that the endpoints are actually in the EAP: find the computers under Computers and check that you have the "Quit STAC" buttons for both.

    Next, check that you have a policy for exploits by opening up the registry (regedit), going to HKLM>Software>HitmanPro.Alert and checking the string value "ExploitMitigations" with value "on".

    If these are all set correctly, can you try the detection tool again to see if you can detect an exploit?

    Thanks,

    Mark
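A PowerShell version of the registry check Mark describes, added here as an example rather than anything from the thread or from Sophos.  It uses the key path and value name he quotes, assumes it is run locally on the endpoint, and reports the missing-key case separately from a value that is present but not "on".

```powershell
# Added example, not from the thread: report whether the HitmanPro.Alert
# exploit-mitigation switch is present and set to "on".
# Key path and value name are the ones quoted in Mark's reply.

$KeyPath   = 'HKLM:\SOFTWARE\HitmanPro.Alert'
$ValueName = 'ExploitMitigations'

function Test-ExploitMitigations {
    # A 32-bit PowerShell host on 64-bit Windows is redirected to Wow6432Node,
    # so a "missing" key may just be the wrong registry view.
    if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
        Write-Warning 'Running as a 32-bit process; HKLM\SOFTWARE is redirected to Wow6432Node. Re-run from a 64-bit PowerShell.'
    }

    if (-not (Test-Path -Path $KeyPath)) {
        # The situation in the thread: the key is absent, which pointed to the
        # endpoint never having received the EAP licence/policy.
        return [pscustomobject]@{ Status = 'KeyMissing'; Value = $null }
    }

    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Status = 'ValueMissing'; Value = $null }
    }

    $value  = [string]$item.$ValueName
    $status = if ($value -eq 'on') { 'Enabled' } else { 'Disabled' }
    return [pscustomobject]@{ Status = $status; Value = $value }
}

$result = Test-ExploitMitigations
$result | Format-List

# Non-zero exit so the check can be used from a deployment or monitoring script.
if ($result.Status -ne 'Enabled') { exit 1 }
```

Run it in an elevated 64-bit PowerShell on each laptop; anything other than Status "Enabled" means the exploit policy has not reached the agent and the test tool is not expected to raise alerts.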

  • MarkD said:

    Hi JSWVLCM, 

    Can you have a look at what licenses you have?  You should have "Endpoint Ultimate" with type Beta or EAP as well as your other endpoint licence.

    Thanks, Mark.  I looked at our licenses and it shows Enduser Protection Full and Server Standard Protection Full, but I don't see Endpoint Ultimate.

    Next, double-check that the endpoints are actually in the EAP: find the computers under Computers and check that you have the "Quit STAC" buttons for both.

    Yes, there is a "Quit STAC" button on both computers.

    Next, check that you have a policy for exploits by opening up the registry (regedit), going to HKLM>Software>HitmanPro.Alert and checking the string value "ExploitMitigations" with value "on".

    I checked that on both computers and don't see that registry key.  Both computers do have the little blue S (Sophos UI) icon in the lower taskbar next to the Sophos Protection shield.

    If these are all set correctly, can you try the detection tool again to see if you can detect an exploit?

    Thanks,

    Mark

  • Can you leave the EAP and join it again?  Hopefully you'll get the Endpoint Ultimate licence then.  After you get this licence, everything should work.

  • Yep that did the trick, thanks Mark!  I'll test again with the test tool and will see how it goes now.

    Really appreciate the help with this!  [Y]

  • I am using an EAP Ultimate subscription and the policies are set up; however, the test showed no results and 100 percent of the test was a fail.  Could someone assist me in understanding how this threat analysis tool in Sophos Central is supposed to work?  How can we test it?