Occasionally customers may encounter times when an application that has not previously exhibited any 'malicious' behaviour is flagged as triggering an exploit detection in Sophos Intercept X or Sophos Exploit Prevention. This can, of course, be frustrating for customers; however, this article aims to explain some of the causes of this change and what customers can do either to resolve these alerts themselves or to work with Sophos to understand and resolve them.
The following sections are covered:
Applies to the following Sophos products and versions:
Central Endpoint Intercept X 2.0.14
Exploit Prevention
Central Server Intercept X 2.0.8
There are a number of reasons why an application could suddenly be detected by Intercept X or Exploit Prevention when previously it had not been. These include (but are not limited to) the below:
Our Development and Threat Research teams are always striving to improve the level of protection for our customers. This routinely involves improving and changing our detections, following research and intelligence on new and emerging threats, and unfortunately there are times when this can result in new detections.
There are times when an application (especially one reaching or beyond the end of its supported life-cycle) becomes vulnerable to a particular exploit technique. At these times we are likely to monitor that application more closely for that particular technique, and you may see additional detections in day-to-day use as the application carries out behaviour that uses the exploitable functionality and therefore triggers our detections.
Unfortunately, there are times when a 'new' detection is in fact related to a genuine and ongoing attempt to exploit the application in question. In that case, if you are seeing a detection you can be confident that the specific behaviour detected has been blocked and remediated. However, it may be indicative of a wider breach or attack on your systems, so you should then take action to investigate, mitigate and remediate the cause of these detections.
If you are confident that the detection being raised is against a fully trusted application, or is a false positive, then you have the following options available to you:
As there are times when older versions of applications can become vulnerable to exploit techniques, we would suggest that customers:
If the detected behaviour cannot be explained by legitimate activity and there is any concern that the reported alert is due to a breach or malicious attack on your systems, then we would suggest the below: