False Positive C:\Windows\System32\svchost.exe CredGuard

I've had an alert this morning:


Is this a commonly known False Positive with regards to the EAP? Or could it be something more malicious?


Thanks in advance.

  • Hi Darren, 

    This is an issue we have seen for a few customers over the last couple of days as we roll out the new version of Intercept X.

    On the affected machine, can you launch the Endpoint Self Help tool? If you select the Installed Components tab, check what version of Sophos HitmanPro Alert you are using. If it is not the one ending in "727" then a reboot should fix the issue.

    If you are already using the "727" version then the fix is to log in to Sophos Central, select the threat protection policy the endpoint is using, and disable one of the exploit protections. It doesn't really matter which one, as we will be turning it back on right away; I suggest "Protect media applications" though. Once disabled, save the policy, then edit it again, turn the feature back on and click save a second time. This forces a policy refresh to go down to the endpoint and should fix the issue.

    Please let us know if this fixes it for you. Thanks.

  • In reply to PeterM:

    Hi Peter,


    Thank you for your reply. I have the 727 version already installed so have just completed your second suggestion. I'll post another update once this has updated on the machine and run for a while to let you know if the issue is resolved.

    As a little aside to this, I've had another alert on this machine (another 'Credential Theft' alert), this time in the Microsoft Block Level Backup Engine Service (this is my laptop so I have it back up to an external HDD every Friday).

    I'm assuming the fix suggested above should resolve this issue too?



  • In reply to Darren Walkeden:

    While there is a chance we have detected a real Credential Theft, I think for your situation it is all the same issue, and yes, it should be resolved by the same fix.

  • In reply to PeterM:

    Both of these seem to be sorted now, thank you Pete. The Sophos agent is reporting 'No threats found' for both of these.