I know about the SophosTester, HighScore, FakeDrop, sophostest.com and MTD.vbs.
How can we test the IPS, and what should an IPS detection look like?
Excellent question. I will post an article on how to test IPS later today.
See https://community.sophos.com/products/intercept/early-access-program/f/recommended-reads/116135/how-to-test-ips for how to test IPS.
In reply to Vincent Vanbiervliet:
What about if the test doesn't trigger any detection?
I've disabled the Windows firewall and tried the script both without arguments and in server mode. I can see the connection coming in "nc" style on the server side. No alert on the Sophos endpoint.
The version installed is:
In reply to Fabio Puricelli:
Hi Fabio, that is really weird. You seem to have the correct Core Agent version.
There are two obvious things we can check:
The machine was added to the EAP list of participating machines. I thought the "BETA" version in the Core Agent line was exactly stating that.
The screenshot has been taken exactly from that machine. Why are you saying "if that screenshot is from the client that doesn't do the detection, then that seems to be the case"?
The IPS feature was not changed as tamper protection is in place. Anyway, I've checked and it appears to be in place.
Thanks for your answer!
As for the IPS setting, I was referring to the setting in Central. It is possible you've disabled it here:
I will check what we can do, and will come back to you.
That makes sense, but unfortunately that's not the problem:
Any other idea?
I've sent you a PM.
Please can you advise which OS you are running on the machine in question?
In reply to StephenMcKay:
Hi Stephen, sure. Here it is:
Hi any thoughts on this?
Please can you send me details of the Threat Protection policy via PM? Please include all of the settings, not just the IPS settings.
I also can't get an alert. I've tested outgoing using the sample Python script as follows:
C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py --type tcp
sending TCP test pattern to ipstest.sophostest.com:54445
C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py --type udp
sending UDP test pattern to ipstest.sophostest.com:54445
C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py --type icmp
sending ICMP test pattern to ipstest.sophostest.com:54445
I see the packets going out in Wireshark:
I can see that under the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EndpointFlags
the values
ips.available
ips.filter.inbound
ips.filter.outbound
are all set to 1.
In:
C:\ProgramData\Sophos\Sophos Network Threat Protection\Config\policy.xml
<ips>
  <enabled>true</enabled>
  <exclusions/>
</ips>
And in:
C:\ProgramData\Sophos\Sophos Network Threat Protection\IPS\system.rules
drop tcp any any -> any 54445 (msg:"FILE-OTHER EP-IPS TCP Test Passed"; file_data;dsize:33; content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777000;)
drop udp any any -> any 54445 (msg:"FILE-OTHER EP-IPS UDP Test Passed"; file_data;dsize:33;content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777001;)
drop icmp any any -> any any (msg:"FILE-OTHER EP-IPS ICMP Test Passed"; file_data; dsize:33;content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777002;)
The content looks good and so does the length of 33.
The log of NTP says:
a 2019-12-21T00:00:00.870Z [18784:5384] - IPS feature flags updated, ips.available: enabled, ips.filter.inbound: enabled, ips.filter.outbound: enabled
a 2019-12-21T00:00:01.465Z [18784:16604] - By policy and feature flags, IPS is enabled
a 2019-12-21T00:00:06.815Z [18784:10432] - Snort DAQ commencing interception: PID  CompID 
a 2019-12-21T00:00:06.822Z [18784:18796] - Setting Snort health status to GREEN
Processes look good:
I also tried the 'server' and 'client' mode of the script using the IP address of the interface and 127.0.0.1, e.g.
Server
C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py -s -a 192.168.0.41
TCP server listening on 192.168.0.41:54445
received connection from 192.168.0.41:2404
Client
PS C:\Python38-32> .\python.exe C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py -a 192.168.0.41 --type tcp
sending TCP test pattern to 192.168.0.41:54445
No alert there either in Sophos UI or in the SntpService.log.
Bit of a loss.
P.S. As the AMSI feature is in the same EAP as IPS, the following PS command will test the AMSI feature, throwing a detection:
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').getField('amsiinitfailed','nonpublic,static').setvalue($null,$true)
Application Event log:
Log Name: Application
Source: Sophos System Protection
Event ID: 42
Task Category: Virus/spyware
Level: Warning
Description: Process "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" belongs to virus/spyware 'AMSI/Bypass-A'.
%programdata%\Sophos\Endpoint Defense\Logs\SSP.log:
I 2019-12-22T11:44:36.292Z Process with path C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe detected as AMSI/Bypass-A
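As an added example (not code from the post, the tester script, or Sophos): a small Python evaluator for the subset of Snort rule syntax used by the three system.rules entries above, so a defender can check offline why a captured payload would or would not trigger them. Note that dsize:33 requires a payload of exactly 33 bytes while the pattern string is 32 characters; the trailing newline in PATTERN and the shortened metadata option are assumptions.

```python
import re

# Constructed, shortened copies of the three system.rules entries quoted
# above; the metadata option is dropped because it plays no part in matching.
RULES_TEXT = """
drop tcp any any -> any 54445 (msg:"FILE-OTHER EP-IPS TCP Test Passed"; file_data; dsize:33; content:"SOPHOS ENDPOINT IPS TEST PATTERN"; sid:7777000;)
drop udp any any -> any 54445 (msg:"FILE-OTHER EP-IPS UDP Test Passed"; file_data; dsize:33; content:"SOPHOS ENDPOINT IPS TEST PATTERN"; sid:7777001;)
drop icmp any any -> any any (msg:"FILE-OTHER EP-IPS ICMP Test Passed"; file_data; dsize:33; content:"SOPHOS ENDPOINT IPS TEST PATTERN"; sid:7777002;)
"""

# Assumption: the tester sends the 32-character pattern plus a newline; that
# is what makes the payload exactly the 33 bytes the dsize option demands.
PATTERN = b"SOPHOS ENDPOINT IPS TEST PATTERN\n"

# Rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*\S+\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$")
# key:value; pairs; bare flags such as file_data carry no value and are skipped
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(line):
    """Return the fields of one rule that decide whether a packet matches."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % line)
    opts = {k: v.strip('"') for k, v in OPT_RE.findall(m["opts"])}
    return {
        "action": m["action"], "proto": m["proto"], "dport": m["dport"],
        "msg": opts["msg"], "sid": int(opts["sid"]),
        "dsize": int(opts["dsize"]) if "dsize" in opts else None,
        "content": opts["content"].encode(),
    }


def matches(rule, proto, dport, payload):
    """Header, exact dsize and content check for a single packet."""
    if rule["proto"] != proto:
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != dport:
        return False
    if rule["dsize"] is not None and len(payload) != rule["dsize"]:
        return False
    return rule["content"] in payload


def first_match(rules, proto, dport, payload):
    """sid of the first rule the packet triggers, or None if it would pass."""
    return next((r["sid"] for r in rules if matches(r, proto, dport, payload)), None)


RULES = [parse_rule(line) for line in RULES_TEXT.strip().splitlines()]
```

Running `first_match(RULES, "tcp", 54445, PATTERN[:-1])` returns None: a 32-byte payload fails the dsize check even though the content string is present, which is the first thing to compare against the Wireshark capture.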
In reply to jak:
Hi jak - we'll look into it. Can you get an SDU, please?