Hello, good day to all.
I have a query regarding Exploit Prevention Events: where can I see what actions were taken on the detected exploit in my Exploit Prevention Events viewer?
Hello vsmacuanajr,
Sorry, apparently there isn't more information in the console (I don't yet have an additional EXP license, so it was merely a guess and I should have said so).
It seems it just logs to the Windows Event Log; I don't know if the action is recorded, though. I assume it terminated the process.
Christian
No, an action isn't logged in the Windows event log.
Here is an example from the event log of a ROP mitigation event.
Mitigation   ROP
Platform     10.0.14393/x64 v583 06_4e
PID          13840
Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
Description  Internet Explorer 11
Callee Type  AllocateVirtualMemory
             0x1653C000 (4096 bytes)

Branch Trace                          Opcode   To
------------------------------------- -------- ----------------------------------
0x57981802 mscorwks.dll               RET      0x57982511 mscorwks.dll            ^008B
0x57982479 mscorwks.dll               RET      0x57982579 mscorwks.dll            ^00ED
0x57990126 mscorwks.dll               RET      0x579901D9 mscorwks.dll            ^0003
0x579901A9 mscorwks.dll               RET      0x579901CC mscorwks.dll            ^0006
0x57990113 mscorwks.dll               RET      0x579901BD mscorwks.dll            ^000A
0x57990074 mscorwks.dll               RET      0x57990159 mscorwks.dll            ^0001
0x579900A7 mscorwks.dll               RET      0x57990073 mscorwks.dll            ^0001
0x57990083 mscorwks.dll               RET      0x579900A6 mscorwks.dll            ^0001
0x57984BAF mscorwks.dll               RET      0x57990082 mscorwks.dll            ^0001
0x579817CF mscorwks.dll               RET      0x57984BAF mscorwks.dll            ^0004
0x57984C21 mscorwks.dll               RET      0x57984C0E mscorwks.dll            ^0004
0x04FD05AE (anonymous; mscoreei.dll)  RET      0x57984C08 mscorwks.dll            ^0002
0x04FD05AE (anonymous; mscoreei.dll)  RET      0x57984BFB mscorwks.dll            ^0002
RtlTryEnterCriticalSection +0x2c      RET      0x57984BED mscorwks.dll            ^0033
0x77ABC8DC ntdll.dll
0x57984C34 mscorwks.dll               RET      0x57984C3A mscorwks.dll            ^0001
0x579843D7 mscorwks.dll               RET      0x57984C34 mscorwks.dll            ^0001
0x579817CF mscorwks.dll               RET      0x579843D7 mscorwks.dll            ^0009
0x5798438E mscorwks.dll               RET      0x579843D2 mscorwks.dll            ^0338
MsgWaitForMultipleObjects +0x77 ~     RET*     0x0010B7ED iexplore.exe            ^0002
0x74678EE7 user32.dll
GetOpenClipboardWindow +0x5f          RET      MsgWaitForMultipleObjects +0x74    ^0057
0x7468D3B7 user32.dll                          0x74678EE4 user32.dll
MsgWaitForMultipleObjects +0x1fc ~    RET      MsgWaitForMultipleObjects +0x68    ^0002
0x7467906C user32.dll                          0x74678ED8 user32.dll
GetOpenClipboardWindow +0x5f          RET      MsgWaitForMultipleObjects +0x1f9   ^014C
0x7468D3B7 user32.dll                          0x74679069 user32.dll
NtUserCallNoParam +0xc ~              RET      MsgWaitForMultipleObjects +0x1d5   ^00E9
0x745824DC win32u.dll                          0x74679045 user32.dll
Wow64SystemServiceEx +0x257 ~         RET      TurboDispatchJumpAddressEnd +0xb   ^0003
0x68946FA7 wow64.dll                           0x68931CF7 wow64cpu.dll
0x68957A54 wow64.dll                  RET      Wow64SystemServiceEx +0x244        ^01C7
                                               0x68946F94 wow64.dll
0x689A84E0 wow64win.dll ~             RET      Wow64SystemServiceEx +0x155        ^00F9
                                               0x68946EA5 wow64.dll
0x689AF674 wow64win.dll ~             RET      0x689A84DB wow64win.dll            ^0152

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  772D3791 KernelBase.dll           VirtualAlloc +0x41
2  57982533 mscorwks.dll
                                     8bf0           MOV ESI, EAX
                                     85f6           TEST ESI, ESI
                                     7416           JZ 0x5798254f
                                     66f745100010   TEST WORD [EBP+0x10], 0x1000
                                     740e           JZ 0x5798254f
                                     8b0d7022ee57   MOV ECX, [0x57ee2270]
                                     85c9           TEST ECX, ECX
                                     0f85e0162700   JNZ 0x57bf3c2f
                                     8bc6           MOV EAX, ESI
                                     e866f2ffff     CALL 0x579817bc
                                     c21000         RET 0x10
3  5798256D mscorwks.dll
4  5798258B mscorwks.dll
5  57999145 mscorwks.dll
6  5799953E mscorwks.dll
7  57990214 mscorwks.dll
8  5799016A mscorwks.dll
9  579B5648 mscorwks.dll
10 579B5736 mscorwks.dll

Process Trace
1  C:\Program Files (x86)\Internet Explorer\iexplore.exe [13840]
   "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9968 CREDAT:83190 /prefetch:2
2  C:\Program Files\Internet Explorer\iexplore.exe [9968]
3  C:\Windows\explorer.exe [7276]
4  C:\Windows\System32\userinit.exe [6188]
5  C:\Windows\System32\winlogon.exe [932]
   winlogon.exe

Thumbprint
284753c71db5bdcdacca607629ccecf0a5c5b6dd1a4bd62d2a537229486e6908
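As an added example for this thread (not Sophos code and not something posted by a participant), the following Python parser turns an event like the one above into a dict that can be shipped to a SIEM or summarised in a triage script. The layout it assumes (a key/value header, a Branch Trace table with optional address continuation lines, a Stack Trace table with disassembly under a frame, a Process Trace list with the command line under an entry, and a Thumbprint) is inferred from this single ROP event only; field names such as `Callee Args`, `addresses`, `disasm` and `extra` are this example's own choices. The embedded sample is a constructed, shortened copy of the posted event.

```python
"""Parser for a Sophos Exploit Prevention mitigation event as posted above.
Added example for this thread, not Sophos code: the layout (key/value header,
Branch Trace table, Stack Trace table, Process Trace, Thumbprint) is assumed
from that single ROP event."""
import re

HEADER_KEYS = ("Mitigation", "Platform", "PID", "Application", "Description", "Callee Type")
SECTIONS = ("Branch Trace", "Stack Trace", "Process Trace", "Thumbprint")
# "<from> RET <to> ^NNNN"; a following line without ^NNNN carries the raw
# addresses behind a symbolised "Func +0x12" column.
BRANCH_RE = re.compile(r"^(?P<src>.+?)\s+(?P<op>RET\*?)\s+(?P<dst>.+?)\s+\^(?P<count>[0-9A-Fa-f]{4})$")
FRAME_RE = re.compile(r"^(?P<n>\d+)\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<module>\S+)(?:\s+(?P<loc>.+))?$")
PROC_RE = re.compile(r"^(?P<n>\d+)\s+(?P<image>.+?)\s+\[(?P<pid>\d+)\]$")

def parse_event(text):
    ev = {"branch_trace": [], "stack_trace": [], "process_trace": [], "thumbprint": None}
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= set("- ") or line.startswith("#"):
            continue                                    # blank, rule or column header
        if line.startswith(SECTIONS):
            section = line.split()[0]                   # Branch / Stack / Process / Thumbprint
            continue
        if section == "header":
            key = next((k for k in HEADER_KEYS if line.startswith(k + " ")), None)
            if key:
                ev[key] = line[len(key):].strip()
            else:
                ev["Callee Args"] = line                # continuation, e.g. the VirtualAlloc args
        elif section == "Branch":
            m = BRANCH_RE.match(line)
            if m:
                ev["branch_trace"].append(m.groupdict())
            elif ev["branch_trace"]:
                ev["branch_trace"][-1]["addresses"] = line
        elif section == "Stack":
            m = FRAME_RE.match(line)
            if m:
                ev["stack_trace"].append({**m.groupdict(), "disasm": []})
            elif ev["stack_trace"]:
                ev["stack_trace"][-1]["disasm"].append(line)  # disassembly under the frame
        elif section == "Process":
            m = PROC_RE.match(line)
            if m:
                ev["process_trace"].append({**m.groupdict(), "extra": []})
            elif ev["process_trace"]:
                ev["process_trace"][-1]["extra"].append(line)  # command line etc.
        else:
            ev["thumbprint"] = line
    return ev

def _module(col):
    tok = col.split()[-1]                               # "0xADDR module.dll" -> module.dll
    return tok if tok.lower().endswith((".dll", ".exe")) else None

def summarize(ev):
    """Flatten the fields an analyst triages first into one flat record."""
    branches, frames = ev["branch_trace"], ev["stack_trace"]
    return {
        "mitigation": ev.get("Mitigation"),
        "pid": int(ev["PID"]),
        "callee": ev.get("Callee Type"),
        "top_frame": frames[0].get("loc") if frames else None,
        "branches": len(branches),
        "all_returns": all(b["op"].startswith("RET") for b in branches),  # a ROP chain is all RETs
        "branch_modules": sorted({m for b in branches for m in [_module(b["dst"])] if m}),
        "process_chain": [int(p["pid"]) for p in ev["process_trace"]],
        "thumbprint": ev["thumbprint"],
    }

# Constructed sample: a shortened copy of the event posted in this thread.
EVENT = r"""
Mitigation ROP
PID 13840
Callee Type AllocateVirtualMemory
0x1653C000 (4096 bytes)
Branch Trace Opcode To
-------------------------------- -------- --------------------------------
0x57981802 mscorwks.dll RET 0x57982511 mscorwks.dll ^008B
RtlTryEnterCriticalSection +0x2c RET 0x57984BED mscorwks.dll ^0033
0x77ABC8DC ntdll.dll
MsgWaitForMultipleObjects +0x77 ~ RET* 0x0010B7ED iexplore.exe ^0002
0x74678EE7 user32.dll
Stack Trace
# Address Module Location
1 772D3791 KernelBase.dll VirtualAlloc +0x41
2 57982533 mscorwks.dll
8bf0 MOV ESI, EAX
Process Trace
1 C:\Program Files (x86)\Internet Explorer\iexplore.exe [13840]
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9968 CREDAT:83190 /prefetch:2
2 C:\Program Files\Internet Explorer\iexplore.exe [9968]
3 C:\Windows\explorer.exe [7276]
4 C:\Windows\System32\userinit.exe [6188]
5 C:\Windows\System32\winlogon.exe [932]
Thumbprint
284753c71db5bdcdacca607629ccecf0a5c5b6dd1a4bd62d2a537229486e6908
"""
```

`summarize(parse_event(EVENT))` gives the mitigation type, PID, the hooked callee, the top stack frame, the parent process chain and whether every branch in the trace is a return, which is the quick read an analyst wants before deciding whether to pull the host. The regexes are whitespace-tolerant, so they accept both the single-spaced text as it comes out of the event log and a column-aligned copy.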
Hi Sophos,
Any update to this thread?
As raised initially by the poster, an exploit event was captured by EXP.
This is flagged in SEC under the Exploit tab, shown in Exploit Count.
Further details are shown in the Computer Details log, under "Latest Exploit Prevention Events".
Now, how do I find out what action was taken on this exploit? There is no RCA feature for this EXP variant.
Thanks.
Regards,
Roy
Hello Roy et al.,
"what action was done"
Usually the process will be terminated and subsequently blocked until reboot. AFAIK, unlike Central, SEC does not perform any further actions: it neither starts a Sophos Clean scan nor conducts an RCA.
Christian
Hi Roy,
I believe the thread below will provide you with more information on this. One of our GES Engineers (handling viruses and exploits) would have explained this there.
Regards,
Gowtham Mani
Community Support Engineer | Sophos Technical Support