
Exploit prevention type explanation

[Rant]

Sophos has been pushing the exploit prevention feature heavily on both cloud (Intercept X) and on-premises (Exploit Prevention) recently, but it seems to me that Sophos would rather pour resources into marketing instead of into their KB team documenting and explaining the actual functionality of their products. Let me elaborate.

Here's an example:

The above screenshot was taken by one of my customers from his Sophos Enterprise Console, within the computer details under the Exploit Prevention Events section.

From an anti-virus admin's perspective this information is utterly useless. Why? Because a simple Google search with the keywords sophos, internet explorer, rop and exploit prevention returns nothing.

In fact this is the top result: https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/96410/rop-exploit-prevented-in-internet-explorer---but-only-when-when-outlook-is-running#pi2151filter=all&pi2151scroll=false

Suggested Answer: Open a support ticket. 

As a partner I find this extremely infuriating, considering that we are constantly bombarded with questions from our customers looking for an explanation of exploit prevention events they found within their environments, and yet we are not well equipped with the relevant knowledge.

We understand that the root cause of events from exploit prevention can be overwhelmingly difficult to determine and identify. But a general direction or a simple definition always suffices to answer our customers' questions effectively and efficiently.

Every time I open a ticket to ask for a definition I don't feel like I am working in the information industry; instead I feel like a courier delivering messages between Sophos and the customers. And that kills the enthusiasm of many.



  • Hi,

    From a customer's or even a partner's standpoint I completely agree with you that sometimes, especially when these events are in the counts of hundreds, it becomes difficult to investigate or answer questions about them.

    The first clue should always be the Application event log, filtered by Event ID 911. Generally, this event holds 90% of the information relevant to the detection, and from there we generally advise you to contact Sophos Support. The reason being, every detection made by CIX is made for a solid reason, and even if it's a false positive, the advice should come from us. More often than not, Outlook may be configured to use third-party plugins (say, a DLL) which may be loaded from a network share, and this is what malware loves to do! The 911 event should have this information. :)

    But that shouldn't prevent our customers from knowing what exactly happened. 

    I did a quick Google search for 'Sophos exploits explained' and we have this wonderful PDF listing each and every exploit against which we protect you. The explanations are lucid and should be enough to share with the customer.

    https://secure2.sophos.com/en-us/en-us/medialibrary/Gated-Assets/white-papers/Sophos-Comprehensive-Exploit-Prevention-wpna.pdf?la=en

    That being said, let us know if you have any further questions. 

    You can always raise a support request here - https://secure2.sophos.com/en-us/support/contact-support.aspx 

    Thanks,

    Vikas

    Global Escalations Engineer
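The reply above points at Event ID 911 in the Application log as the first place to look. The script below is an added example, not code from the thread or from Sophos, showing how to pull those entries from a machine and collapse repeated detections into a count so that hundreds of events become a short table. The computer name, time window and output path are placeholder parameters; the event's provider name is not filtered on because the thread does not state it.

```powershell
# Added example (not from the thread or Sophos): collect Event ID 911 entries
# from the Application log and summarise them for a ticket or a customer reply.
# Assumptions: -ComputerName, -Days and the CSV path are placeholders; no
# ProviderName filter is applied because the thread does not name the source.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

$filter = @{
    LogName   = 'Application'
    Id        = 911
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises an error rather than returning an empty result when
# nothing matches, so suppress it and treat $null as "no detections".
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Event ID 911 entries in the Application log on $ComputerName for the last $Days days."
    return
}

# Keep the fields a partner would paste into a ticket: when, which provider
# wrote it, which host, and the full message text (process, exploit type, etc.).
$detections = $events | ForEach-Object {
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Provider    = $_.ProviderName
        Computer    = $_.MachineName
        Message     = $_.Message
    }
}

# Group on the first line of the message so identical repeated detections
# (the "counts of hundreds" case) collapse into one row with a count.
$detections |
    Group-Object { ($_.Message -split "`r?`n")[0] } |
    Sort-Object Count -Descending |
    Select-Object Count, @{Name = 'Summary'; Expression = { $_.Name }} |
    Format-Table -AutoSize -Wrap

# Full text of every entry, for attaching to the support request.
$detections | Export-Csv -Path ".\ExploitPrevention-911-$ComputerName.csv" -NoTypeInformation
```

Run it locally with no arguments, or against a managed endpoint with `-ComputerName` (remote event log access needs the Remote Event Log Management firewall rule and an account with read rights on the log). The summary table is what you would read first; the CSV carries the complete 911 text, which is what Support will ask for.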

  • Thanks for the information. 


    Sophos Enterprise Console customers who purchase exploit prevention do not get to enjoy the pretty RCA graph that Sophos Central customers do, and therefore most of the questions we get regarding exploit prevention are from Enterprise Console customers.

    I would like to hear from other partners about how to deal with customers. 


    po 

