
Threat Analysis Test

Hi

Everything appears to be working fine when testing. The exploits from the HMP test tool are getting blocked correctly.

Is there a test that will trigger an event in the Threat Analysis section for me to show that functionality working?

Thanks

Gavin



  • Hi Gavin,

    Almost all of the test exploits should trigger an RCA, so you should be seeing this in the Threat Analysis section already. If you aren't, can you let me know which ones you've tried so I can see if I can replicate and further diagnose why you aren't getting RCAs being generated?

    Thanks,

    Mark

  • Hi Mark

    I have tried this again this morning. I ran the Unpivot Stack exploit from the test tool. The endpoint blocked the exploit and I can see the exploit in the recent events section under my laptop's details in Central.

    'ROP' exploit prevented in Exploit Test Tool (32-bit) 1.9.2 Jul 4, 2016 12:20:22 PM

    but nothing is going into the Threat Analysis section.

    Regards

    Gavin

  • Thanks for the extra info. If you could try Stack Pivot 1 against the 32-bit version of Firefox, this should generate an RCA. If you think one should be generated and it isn't, check the ssp.log in C:\programdata\Sophos\Sophos System Protection\Logs and you'll probably see "Could not find a root cause for a beacon event". This is expected when you are running the tool against itself; if you run against Firefox there should be an RCA.

  • Hi Mark

    I am getting some interesting results:

    Cloud device log:

    'StackExec' exploit prevented in Exploit Test Tool (32-bit) 1.9.2 Jul 4, 2016 2:56 PM
    'StackExec' exploit prevented in Firefox 45.0.2 Jul 4, 2016 2:55 PM
    'ROP' exploit prevented in Firefox 45.0.2 Jul 4, 2016 2:51 PM
    'StackPivot' exploit prevented in Firefox 45.0.2 Jul 4, 2016 2:50 PM
    'StackPivot' exploit prevented in Firefox 45.0.2 Jul 4, 2016 2:47 PM

    Threat analysis

    Medium Exploit StackPivot New Jul 4, 2016 2:59 PM Gavin Wood XPS04

    SSP Log:

    I 04/07/2016 11:33:22 Service start requested
    I 04/07/2016 11:33:23 Sophos System Protection 2.3.0.74
    I 04/07/2016 14:57:13 Process starting
    I 04/07/2016 14:57:13 Service start requested
    I 04/07/2016 14:57:14 Sophos System Protection 2.3.0.74
    I 04/07/2016 15:04:48 Could not find a root cause for a beacon event.
    I 04/07/2016 15:06:10 Could not find a root cause for a beacon event.

    I am getting all events logged in the cloud dashboard. Some are logged in the ssp.log and only 1 has been entered into the Threat Analysis screen.

    Regards

    Gavin

  • Hi Gavin,

    Without a beacon being detected or a root cause found, we won't generate an RCA or a Threat Analysis case in the Cloud. However, in such instances you will see the detections in the list of Events in the Cloud console. We are aware of an issue whereby the detection name in the Threat Analysis case does not reflect the name of the detection that led to the RCA being produced. Work is currently in progress to fix this issue.

    With regards to the four exploits shown in your screenshot, was a Desktop/pop-up message displayed when they were detected? If so, then I would expect us to attempt to perform an RCA. If not, it is unlikely that an RCA would be attempted.

    Thanks

    Mark
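A log-triage helper, added here as an illustration and not part of this thread or of Sophos's own tooling: it reads Cloud console event lines and ssp.log lines in the formats quoted above and, for each prevented exploit, reports whether it was a self-test against the Exploit Test Tool (no RCA expected), whether ssp.log recorded a "Could not find a root cause" miss shortly afterwards, or whether nothing was logged at all (so the beacon/pop-up question above applies). The sample inputs are constructed; the 15-minute window and the assumption that both sources show the same local time are mine.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input in the format of the thread's Cloud console event list.
CLOUD_EVENTS = """\
'StackExec' exploit prevented in Exploit Test Tool (32-bit) 1.9.2 Jul 4, 2016 2:56 PM
'StackExec' exploit prevented in Firefox 45.0.2 Jul 4, 2016 2:55 PM
'StackPivot' exploit prevented in Firefox 45.0.2 Jul 4, 2016 2:20 PM
"""
# Constructed sample in the ssp.log format shown in the thread (dates are dd/mm/yyyy).
SSP_LOG = """\
I 04/07/2016 14:57:14 Sophos System Protection 2.3.0.74
I 04/07/2016 15:04:48 Could not find a root cause for a beacon event.
"""

EVENT_RE = re.compile(r"^'(?P<name>[^']+)' exploit prevented in (?P<app>.+?) "
                      r"(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2} [AP]M)$")
SSP_RE = re.compile(r"^I (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")
NO_ROOT_CAUSE = "Could not find a root cause for a beacon event."

def parse_cloud_events(text):
    """Return (name, app, datetime) for each 'exploit prevented' console line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%b %d, %Y %I:%M %p")
            events.append((m["name"], m["app"], ts))
    return events

def parse_no_root_cause(text):
    """Timestamps of ssp.log lines reporting that no root cause was found."""
    hits = []
    for line in text.splitlines():
        m = SSP_RE.match(line.strip())
        if m and m["msg"] == NO_ROOT_CAUSE:
            hits.append(datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S"))
    return hits

def triage(cloud_text, ssp_text, window=timedelta(minutes=15)):
    """Per prevented exploit, say why a Threat Analysis case may be missing.
    Assumes console and ssp.log share the same local clock (an assumption)."""
    misses = parse_no_root_cause(ssp_text)
    verdicts = []
    for name, app, ts in parse_cloud_events(cloud_text):
        if app.startswith("Exploit Test Tool"):
            why = "self-test: no RCA expected"
        elif any(ts <= t <= ts + window for t in misses):
            why = "RCA attempted, no root cause found (see ssp.log)"
        else:
            why = "no ssp.log miss in window: check beacon/pop-up"
        verdicts.append((name, app, why))
    return verdicts
```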

  • Guys,

    I have tested all this myself. I ran a Stack Pivot 1 against Firefox 51.0.1 x32, got the Sophos clean message of scanning and received the alert of an exploit. Below are the screenshots of the cloud portal and the endpoint as well as the logs. Still not showing in the root cause analysis. What am I missing?


    I 17/04/2017 14:46:08 Process stopping
    I 17/04/2017 14:46:08 Sophos System Protection is shutting down (0)
    I 17/04/2017 14:46:08 The Sophos System Protection service has stopped
    I 17/04/2017 14:46:09 Process starting
    I 17/04/2017 14:46:09 Service start requested
    I 17/04/2017 14:46:09 Sophos System Protection 2.6.0.71
    I 27/04/2017 11:20:07 Process starting
    I 27/04/2017 11:20:07 Service start requested
    I 27/04/2017 11:20:07 Sophos System Protection 2.6.0.71
    I 27/04/2017 13:15:33 The service has been requested to stop
    I 27/04/2017 13:15:33 Process stopping
    I 27/04/2017 13:15:33 Sophos System Protection is shutting down (0)
    I 27/04/2017 13:15:33 The Sophos System Protection service has stopped
    I 27/04/2017 13:15:42 Process starting
    I 27/04/2017 13:15:42 Service start requested
    I 27/04/2017 13:15:42 Sophos System Protection 2.6.0.71
    I 27/04/2017 13:17:50 Process starting
    I 27/04/2017 13:17:50 Service start requested
    I 27/04/2017 13:17:50 Sophos System Protection 2.6.0.71