"Wanna" ransomware outbreak. Please see this Sophos article sophos.com/kb/126733 for advice on how to protect your organization. Immediate action recommended.
After installing the Gas Technologia G-Buster plugin (also known as 'Banco do Brasil G-buster plugin', 'Santander G-buster plugin', 'Banco Itaú Unibanco Setup' and 'GPLUGIN'), the endpoint reports a BOPS alert when Internet Explorer is opened and also generates a HIPS alert for Explorer.exe. The same alerts have also been reported for Microsoft Office application executables.
Example SAV.TXT entries:
Process "C:\Windows\explorer.exe" exhibiting suspicious behavior pattern 'Buffer Overflow'.
Process "C:\Windows\explorer.exe" exhibiting suspicious behavior pattern 'HIPS/ProcInj-002'.
An increase in CPU utilization may also be observed while this plugin is in use.
First seen in Sophos Anti-Virus for Windows 2000+
The G-Buster plugin contains a component whose behavior matches the characteristics that the Ret2LibC buffer overflow detection looks for. HIPS alerts can also occur when the plugin loads hooks into Explorer.exe.
Newer versions of the plugin can also cause higher system load, because HIPS intercepts the calls the plugin makes.
You may receive one or both types of detection alerts from endpoints.
Note: Disabling protection features and authorizing applications should be done with caution. Authorizing an application prevents any further HIPS detection for that application, and disabling BOPS means buffer overflow events will no longer be detected on your endpoints.
We strongly recommend that you only change the policy settings on endpoints that are affected by the problem.
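To confirm that an endpoint is only raising the two alerts described above before changing its policy, it helps to parse the SAV.TXT lines and check which process/pattern pairs actually appear. The following script is an added example, not Sophos code: it parses lines in the shape shown in the article, counts alerts per (process, pattern), and reports any pair that falls outside the expected G-Buster profile (the two patterns on explorer.exe). The sample log lines, their timestamps, and the `unknown.exe` entry are constructed for the example; the set of expected processes is an assumption you would extend (for instance with the Office executables mentioned above) to match your own environment.

```python
import re
from collections import Counter

# Line shape shown in the article:
#   Process "<path>" exhibiting suspicious behavior pattern '<pattern>'.
# search() is used so a timestamp or other prefix before "Process" is tolerated.
SAV_LINE = re.compile(
    r'Process "(?P<process>[^"]+)" exhibiting suspicious behavior pattern '
    r"'(?P<pattern>[^']+)'\."
)

# The two patterns the article attributes to the G-Buster plugin.
GBUSTER_PATTERNS = frozenset({"Buffer Overflow", "HIPS/ProcInj-002"})

# Assumption: only explorer.exe is expected; add other process names as needed.
EXPECTED_PROCESSES = frozenset({"explorer.exe"})

# Constructed sample log; timestamps and the unknown.exe line are not from the article.
SAMPLE_SAV_TXT = r"""
20170515 100102 Process "C:\Windows\explorer.exe" exhibiting suspicious behavior pattern 'Buffer Overflow'.
20170515 100105 Process "C:\Windows\explorer.exe" exhibiting suspicious behavior pattern 'HIPS/ProcInj-002'.
20170515 100230 Process "C:\Windows\explorer.exe" exhibiting suspicious behavior pattern 'Buffer Overflow'.
20170515 100401 Process "C:\Temp\unknown.exe" exhibiting suspicious behavior pattern 'HIPS/ProcInj-002'.
20170515 100500 Some unrelated status line
"""


def parse_sav_line(line):
    """Return (process_path, pattern) for an alert line, or None if it is not one."""
    m = SAV_LINE.search(line)
    if not m:
        return None
    return m.group("process"), m.group("pattern")


def summarize(lines):
    """Count alerts per (process_path, pattern); non-alert lines are skipped."""
    counts = Counter()
    for line in lines:
        parsed = parse_sav_line(line)
        if parsed is not None:
            counts[parsed] += 1
    return counts


def unexpected_alerts(counts, expected_processes=EXPECTED_PROCESSES):
    """Return the (process_path, pattern) pairs that do not fit the G-Buster profile.

    A pair is expected only if the pattern is one of the G-Buster patterns AND the
    process file name is in expected_processes. An empty result means the endpoint
    shows nothing beyond the known plugin alerts.
    """
    unexpected = set()
    for process, pattern in counts:
        name = process.rsplit("\\", 1)[-1].lower()
        if pattern not in GBUSTER_PATTERNS or name not in expected_processes:
            unexpected.add((process, pattern))
    return unexpected


if __name__ == "__main__":
    counts = summarize(SAMPLE_SAV_TXT.strip().splitlines())
    for (process, pattern), n in sorted(counts.items()):
        print(f"{n:3d}  {process}  {pattern}")
    extra = unexpected_alerts(counts)
    if extra:
        print("Alerts outside the G-Buster profile, investigate before changing policy:")
        for process, pattern in sorted(extra):
            print(f"  {process}  {pattern}")
    else:
        print("Only the expected G-Buster alerts were found on this endpoint.")
```

Run it against a copy of SAV.TXT from a single endpoint; only when `unexpected_alerts` comes back empty does the endpoint match the profile the article describes, which is the condition under which narrowing the policy change to that endpoint makes sense.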