CredGuard False Positive on Dell Computers (CmgShieldSvc.exe)

Hello. I have come across what seems to be a false positive on a Credant (now Dell) Mobile Guardian Shield executable on multiple machines. These are all on the CIXv2 beta. 

What happened: We prevented credential theft in Encryption Service

Path: C:\Windows\System32\CmgShieldSvc.exe

What was detected: CredGuard

How severe it is: High

What Sophos has done so far: We prevented the credential theft and ran a scan to clean up the computer.

What you need to do: Investigate the cause of the alert. When you are sure the system is clean, acknowledge the alert.


It looks to be the case that we cannot currently add an exclusion for the CredGuard component of detection.

Please confirm the next steps. Should we send in a sample to SophosLabs? Will an upcoming UI change allow for CredGuard exclusions?


Thanks,

Ben

  • Can you post the Windows Application event log entry in full from a couple of these detections? It's a 911 event ID.

    Thanks.

  • Since this latest Intercept X Major Release, I have been getting a significant amount of CredGuard hits that are almost definitely False Positives. In a one-hour time-frame, I had multiple hits on Mystify Screen Saver, SlingPlayerForWeb, Performs virus scanning and disinfection functions, Windows Modules Installer Worker, and Sophos Clean. Two of these programs appear to be Sophos' own applications that are getting flagged as problem programs. I think maybe a bit more testing should have gone into this release.

  • In reply to jak:

    0537.Event911.txt
    Log Name:      Application
    Source:        HitmanPro.Alert
    Date:          1/24/2018 11:17:53 AM
    Event ID:      911
    Task Category: Mitigation
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      REDACTED
    Description:
    Mitigation   CredGuard
    
    Platform     6.1.7601/x64 v727 06_45
    PID          484
    Application  C:\Windows\System32\CmgShieldSvc.exe
    Description  Encryption Service 8.5
    
    \REGISTRY\MACHINE\SAM\SAM\Domains\Account
    
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2018-01-24T19:17:53.000000000Z" />
        <EventRecordID>46225</EventRecordID>
        <Channel>Application</Channel>
        <Computer>REDACTED</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Windows\System32\CmgShieldSvc.exe</Data>
        <Data>CredGuard</Data>
        <Data>Mitigation   CredGuard
    
    Platform     6.1.7601/x64 v727 06_45
    PID          484
    Application  C:\Windows\System32\CmgShieldSvc.exe
    Description  Encryption Service 8.5
    
    \REGISTRY\MACHINE\SAM\SAM\Domains\Account
    </Data>
      </EventData>
    </Event>
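The 911 event above carries everything needed for triage in its three `<Data>` elements: the executable path, the mitigation name, and a free-text block with PID, platform, description and the registry path that was touched (here the SAM hive). Below is an added example, not something from the thread or from Sophos, that parses that XML and produces a structured triage record so the same detection can be compared across the multiple machines reported. The sample XML is a constructed copy of the event posted above; the `reviewed_paths` set and the verdict labels are assumptions for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a copy of the HitmanPro.Alert event ID 911 XML posted in the thread
# (computer name redacted, as in the post).
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-01-24T19:17:53.000000000Z" />
    <EventRecordID>46225</EventRecordID>
    <Channel>Application</Channel>
    <Computer>REDACTED</Computer>
    <Security />
  </System>
  <EventData>
    <Data>C:\Windows\System32\CmgShieldSvc.exe</Data>
    <Data>CredGuard</Data>
    <Data>Mitigation   CredGuard

Platform     6.1.7601/x64 v727 06_45
PID          484
Application  C:\Windows\System32\CmgShieldSvc.exe
Description  Encryption Service 8.5

\REGISTRY\MACHINE\SAM\SAM\Domains\Account
</Data>
  </EventData>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event911(xml_text):
    """Parse a HitmanPro.Alert 911 mitigation event into a flat dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name")
    event_id = int(system.find("e:EventID", NS).text)
    if provider != "HitmanPro.Alert" or event_id != 911:
        raise ValueError("not a HitmanPro.Alert 911 event: %s/%s" % (provider, event_id))

    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    app_path, mitigation, detail = data[0], data[1], data[2]

    # The third Data element is "Key   Value" lines plus bare registry paths.
    fields, targets = {}, []
    for line in detail.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"^(\w+)\s{2,}(.+)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
        elif line.startswith("\\REGISTRY\\"):
            targets.append(line)

    return {
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.find("e:Computer", NS).text,
        "record_id": int(system.find("e:EventRecordID", NS).text),
        "application": app_path,
        "mitigation": mitigation,
        "pid": int(fields.get("PID", "0")),
        "platform": fields.get("Platform"),
        "description": fields.get("Description"),
        "targets": targets,
    }


def triage(event, reviewed_paths):
    """Classify a parsed event for an analyst.

    reviewed_paths is a set of lower-cased executable paths the organisation has
    already identified as legitimate software (assumption for this example).
    A known path touching the SAM hive is still routed to review: the analyst
    should confirm the binary on disk is the vendor's (signature/hash) before
    acknowledging the alert, rather than trusting the path alone.
    """
    touches_sam = any(t.upper().startswith("\\REGISTRY\\MACHINE\\SAM") for t in event["targets"])
    known = event["application"].lower() in reviewed_paths
    if touches_sam and not known:
        verdict = "investigate"
    elif touches_sam and known:
        verdict = "known-application-review"
    else:
        verdict = "low-priority"
    return {"touches_sam": touches_sam, "known_application": known, "verdict": verdict}


if __name__ == "__main__":
    ev = parse_event911(SAMPLE_EVENT_XML)
    # Constructed allowlist: the Dell/Credant shield service from the thread.
    result = triage(ev, {r"c:\windows\system32\cmgshieldsvc.exe"})
    print(ev["computer"], ev["time"], ev["application"], ev["pid"], ev["targets"])
    print(result)
```

Fed the same record from each affected machine, the output lets you see at a glance whether every hit is the same executable, the same product version ("Encryption Service 8.5") and the same SAM registry path, which is the pattern you would expect from a consistent false positive rather than from credential theft.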

  • In reply to Brock Warren:

    Hi Brock,

    Sorry to hear that you are having problems. We now have over 10,000 endpoints on the GA version (including a few thousand endpoints of our internal systems running the new version for a few weeks), and we are not getting reports of CredGuard False Positives. So we definitely want to understand why you are seeing issues.

    Have the machines on which you are seeing the issues been rebooted since the upgrade?

    If yes, can you please check the component versions in the endpoint UI: About > Run Diagnostic Tool > Installed Components:


    Your version of Sophos HitmanPro.Alert should be 3.7.3.727. If it is not, please reboot.


    Let us know if the problem persists.


    Thanks

    Pedro