
Intrusion attack via Windows Vulnerability

Hi, 


May I know whether Sophos Endpoint Protection provides features to detect and prevent intrusion attacks via Windows vulnerabilities such as MS17-010?

I ran the MS17-010 attack on a vulnerable machine successfully, but Sophos detected nothing unless I clicked the Scan button, after which the following result was shown:

"Troj/MeterMem-A detected in Memory"

The following are the details of the Sophos products subscribed:

Core Agent: 2.3.0

Endpoint Advanced: 10.8.3.441

Sophos Intercept X: 2.0.14

Cheers,

Gary

  • Did you enable APC Prevention? From my memory this should be the feature that blocks the MS17-010 attack. This setting is still off by default in the Sophos Central threat prevention policy.

  • Hi SaschaParis1,

    Yes, APC Prevention is enabled. 

    Besides that, the features below are all enabled:

    • Live Protection
    • Real-time Scanning - Local Files and Network Shares
    • Real-time Scanning - Internet
    • Remediation
    • Runtime Protection

    Cheers,

    Gary

  • Hi Gary,

    As Sascha correctly pointed out, APC Violation is quite robust in mitigating a remote exploitation attempt using EternalBlue. You're getting a Troj/Meter-M detection, which can only happen in the later stages of the attack, i.e. APC Violation should have acted first! We fire MeterM to counter the Meterpreter shell, which we don't let establish in the first place if Intercept X is correctly configured and all protection levels are functional! :)

    Please feel free to DM me with all the details and I'll be happy to fill in the gaps. 

    Thanks,

    Vikas