
Exploit Prevention Events Action

Hello Good Day to All.

I have a query regarding Exploit Prevention Events: where can I see what actions were taken on the detected exploit in my Exploit Prevention Events viewer?



  • Hello vsmacuanajr,

    Sorry, apparently there isn't more information in the console (I don't yet have an additional EXP license, so it was merely a guess and I should have said so).
    It seems it just logs to the Windows Event Log; I don't know if the action is recorded, though. I assume it terminated the process.

    Christian

  • No, an action isn't being logged in the Windows event log.

    Here is an example from the event log of a ROP mitigation event.

    Mitigation   ROP

    Platform     10.0.14393/x64 v583 06_4e
    PID          13840
    Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Description  Internet Explorer 11

    Callee Type  AllocateVirtualMemory
                 0x1653C000 (4096 bytes)

    Branch Trace                      Opcode  To
    -------------------------------- -------- --------------------------------
    0x57981802 mscorwks.dll              RET  0x57982511 mscorwks.dll ^008B
    0x57982479 mscorwks.dll              RET  0x57982579 mscorwks.dll ^00ED
    0x57990126 mscorwks.dll              RET  0x579901D9 mscorwks.dll ^0003
    0x579901A9 mscorwks.dll              RET  0x579901CC mscorwks.dll ^0006
    0x57990113 mscorwks.dll              RET  0x579901BD mscorwks.dll ^000A
    0x57990074 mscorwks.dll              RET  0x57990159 mscorwks.dll ^0001
    0x579900A7 mscorwks.dll              RET  0x57990073 mscorwks.dll ^0001
    0x57990083 mscorwks.dll              RET  0x579900A6 mscorwks.dll ^0001
    0x57984BAF mscorwks.dll              RET  0x57990082 mscorwks.dll ^0001
    0x579817CF mscorwks.dll              RET  0x57984BAF mscorwks.dll ^0004
    0x57984C21 mscorwks.dll              RET  0x57984C0E mscorwks.dll ^0004
    0x04FD05AE (anonymous; mscoreei.dll)     RET  0x57984C08 mscorwks.dll ^0002
    0x04FD05AE (anonymous; mscoreei.dll)     RET  0x57984BFB mscorwks.dll ^0002
    RtlTryEnterCriticalSection +0x2c     RET  0x57984BED mscorwks.dll ^0033
    0x77ABC8DC ntdll.dll
    0x57984C34 mscorwks.dll              RET  0x57984C3A mscorwks.dll ^0001
    0x579843D7 mscorwks.dll              RET  0x57984C34 mscorwks.dll ^0001
    0x579817CF mscorwks.dll              RET  0x579843D7 mscorwks.dll ^0009
    0x5798438E mscorwks.dll              RET  0x579843D2 mscorwks.dll ^0338
    MsgWaitForMultipleObjects +0x77    ~ RET* 0x0010B7ED iexplore.exe ^0002
    0x74678EE7 user32.dll
    GetOpenClipboardWindow +0x5f         RET  MsgWaitForMultipleObjects +0x74 ^0057
    0x7468D3B7 user32.dll                     0x74678EE4 user32.dll
    MsgWaitForMultipleObjects +0x1fc   ~ RET  MsgWaitForMultipleObjects +0x68 ^0002
    0x7467906C user32.dll                     0x74678ED8 user32.dll
    GetOpenClipboardWindow +0x5f         RET  MsgWaitForMultipleObjects +0x1f9 ^014C
    0x7468D3B7 user32.dll                     0x74679069 user32.dll
    NtUserCallNoParam +0xc             ~ RET  MsgWaitForMultipleObjects +0x1d5 ^00E9
    0x745824DC win32u.dll                     0x74679045 user32.dll
    Wow64SystemServiceEx +0x257        ~ RET  TurboDispatchJumpAddressEnd +0xb ^0003
    0x68946FA7 wow64.dll                      0x68931CF7 wow64cpu.dll
    0x68957A54 wow64.dll                 RET  Wow64SystemServiceEx +0x244 ^01C7
                                              0x68946F94 wow64.dll
    0x689A84E0 wow64win.dll            ~ RET  Wow64SystemServiceEx +0x155 ^00F9
                                              0x68946EA5 wow64.dll
    0x689AF674 wow64win.dll            ~ RET  0x689A84DB wow64win.dll ^0152

    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  772D3791 KernelBase.dll           VirtualAlloc +0x41
    2  57982533 mscorwks.dll
                8bf0                     MOV          ESI, EAX
                85f6                     TEST         ESI, ESI
                7416                     JZ           0x5798254f
                66f745100010             TEST         WORD [EBP+0x10], 0x1000
                740e                     JZ           0x5798254f
                8b0d7022ee57             MOV          ECX, [0x57ee2270]
                85c9                     TEST         ECX, ECX
                0f85e0162700             JNZ          0x57bf3c2f
                8bc6                     MOV          EAX, ESI
                e866f2ffff               CALL         0x579817bc
                c21000                   RET          0x10
    3  5798256D mscorwks.dll
    4  5798258B mscorwks.dll
    5  57999145 mscorwks.dll
    6  5799953E mscorwks.dll
    7  57990214 mscorwks.dll
    8  5799016A mscorwks.dll
    9  579B5648 mscorwks.dll
    10 579B5736 mscorwks.dll

    Process Trace
    1  C:\Program Files (x86)\Internet Explorer\iexplore.exe [13840]
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9968 CREDAT:83190 /prefetch:2
    2  C:\Program Files\Internet Explorer\iexplore.exe [9968]
    3  C:\Windows\explorer.exe [7276]
    4  C:\Windows\System32\userinit.exe [6188]
    5  C:\Windows\System32\winlogon.exe [932]
    winlogon.exe

    Thumbprint
    284753c71db5bdcdacca607629ccecf0a5c5b6dd1a4bd62d2a537229486e6908
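
Added example, not part of the thread and not Sophos code: a small Python parser for the event text shown in the post above. The sample input is a constructed, trimmed copy of that dump (most branch-trace rows and stack frames dropped). It pulls out what a responder actually needs from such an event when the console records no action: the flagged PID and image, the API call that tripped the mitigation and the size it asked for, the process ancestry back to winlogon, and which module the RET chain keeps landing in. The layout it expects (header key/value pairs, then Branch Trace, Stack Trace, Process Trace, Thumbprint) is taken from this one ROP dump; other mitigation types may format their details differently, which is an assumption to check against your own events.

```python
import ntpath
import re
from collections import Counter

# Constructed sample: a trimmed copy of the ROP event text pasted in the
# thread above (most branch-trace rows and stack frames dropped for brevity).
SAMPLE_EVENT = r"""
Mitigation   ROP
PID          13840
Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
Callee Type  AllocateVirtualMemory
             0x1653C000 (4096 bytes)

Branch Trace                      Opcode  To
-------------------------------- -------- --------------------------------
0x57981802 mscorwks.dll              RET  0x57982511 mscorwks.dll ^008B
0x57982479 mscorwks.dll              RET  0x57982579 mscorwks.dll ^00ED
RtlTryEnterCriticalSection +0x2c     RET  0x57984BED mscorwks.dll ^0033
0x77ABC8DC ntdll.dll
MsgWaitForMultipleObjects +0x77    ~ RET* 0x0010B7ED iexplore.exe ^0002
0x74678EE7 user32.dll

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  772D3791 KernelBase.dll           VirtualAlloc +0x41
2  57982533 mscorwks.dll
            8bf0                     MOV          ESI, EAX
3  5798256D mscorwks.dll

Process Trace
1  C:\Program Files (x86)\Internet Explorer\iexplore.exe [13840]
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9968 CREDAT:83190 /prefetch:2
2  C:\Program Files\Internet Explorer\iexplore.exe [9968]
3  C:\Windows\explorer.exe [7276]
4  C:\Windows\System32\userinit.exe [6188]
5  C:\Windows\System32\winlogon.exe [932]

Thumbprint
284753c71db5bdcdacca607629ccecf0a5c5b6dd1a4bd62d2a537229486e6908
"""

HEADER_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description|Callee Type)\s{2,}(.+)$")
CALLEE_RE = re.compile(r"^(0x[0-9A-Fa-f]+) \((\d+) bytes\)$")
# branch row: from-location, optional "~", RET or RET*, to-location, ^distance (hex)
BRANCH_RE = re.compile(r"^(.+?)\s+~?\s*(RET\*?)\s+(.+?)\s+\^([0-9A-Fa-f]{4})$")
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{8})\s+(\S+)(?:\s+(.+))?$")
PROC_RE = re.compile(r"^(\d+)\s+(.+?) \[(\d+)\]$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
SECTIONS = {"Branch Trace": "branch", "Stack Trace": "stack",
            "Process Trace": "process", "Thumbprint": "thumbprint"}

def parse_event(text):
    """Split the event text into header fields plus its four trailing sections."""
    ev = {"branches": [], "frames": [], "processes": [], "thumbprint": None}
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.split("  ")[0] in SECTIONS:  # section title (may carry column headings)
            section = SECTIONS[line.split("  ")[0]]
        elif section == "header" and (m := HEADER_RE.match(line)):
            key = m.group(1).lower().replace(" ", "_")
            ev[key] = int(m.group(2)) if key == "pid" else m.group(2)
        elif section == "header" and (m := CALLEE_RE.match(line)):  # line under Callee Type
            ev["callee_address"], ev["callee_size"] = int(m.group(1), 16), int(m.group(2))
        elif section == "branch" and (m := BRANCH_RE.match(line)):
            ev["branches"].append({"from": m.group(1), "opcode": m.group(2),
                                   "to": m.group(3), "distance": int(m.group(4), 16)})
        elif section == "stack" and (m := FRAME_RE.match(line)):
            ev["frames"].append({"index": int(m.group(1)), "address": int(m.group(2), 16),
                                 "module": m.group(3), "location": m.group(4) or ""})
        elif section == "process" and (m := PROC_RE.match(line)):
            ev["processes"].append({"path": m.group(2), "pid": int(m.group(3)), "cmdline": None})
        elif section == "process" and line.startswith('"') and ev["processes"]:
            ev["processes"][-1]["cmdline"] = line  # command line belongs to the entry above it
        elif section == "thumbprint" and SHA256_RE.match(line):
            ev["thumbprint"] = line
        # anything else (rulers, symbol continuation lines, disassembly) is skipped
    return ev

def ancestry(ev):
    """Process chain from the session root down to the flagged process."""
    return " -> ".join(ntpath.basename(p["path"]) for p in reversed(ev["processes"]))

def gadget_modules(ev):
    """Which module each RET in the branch trace returned into: a long run of
    returns landing in one module is the pattern the ROP mitigation keys on."""
    mods = Counter()
    for b in ev["branches"]:
        tail = b["to"].split()[-1]
        mods[tail if tail.lower().endswith((".dll", ".exe")) else "<symbol>"] += 1
    return mods

if __name__ == "__main__":
    e = parse_event(SAMPLE_EVENT)
    print(f"{e['mitigation']} in PID {e['pid']}: {e['callee_type']} of {e['callee_size']} bytes")
    print("ancestry:", ancestry(e))
    print("RET targets by module:", dict(gadget_modules(e)))
```

The event itself says nothing about what was done to the process, so the parsed PID is the handle for checking that on the host afterwards (for example with `Get-Process -Id 13840`); bear in mind that Windows reuses PIDs, so compare the image path and start time rather than trusting the number alone. The Thumbprint field is 64 hex characters, the size of a SHA-256 digest, but the dump does not say what it is computed over, so the parser only validates its shape.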

  • Hi Sophos,

    Any update to this thread?

    As raised initially by the poster, the exploit event was captured by EXP.

    This is flagged in SEC under the Exploit tab, shown in the Exploit Count.

    Further details are shown in the Computer Details log, under "Latest Exploit Prevention Events".

    Now, how do I find out what action was taken on this exploit? There is no RCA feature for this EXP variant.

    Thanks.

    Regards,

    Roy

  • Hello Roy et al.,

    what action was done
    Usually the process will be terminated and subsequently blocked until reboot. AFAIK, unlike Central, SEC does not perform any actions: it neither starts a Sophos Clean scan nor conducts an RCA.

    Christian

  • Hi Roy,

    I believe the thread below will provide you with more information on this. One of our GES Engineers (who handle virus and exploit cases) has explained it there.

    Exploit prevention type explanation

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support
