Known Issues with AMSI and IPS EAP (Updated 3 December 2019)

This document contains the list of currently known issues with the New Endpoint Protection Features in the Early Access Program for AMSI and IPS. The document will be updated if new issues are encountered or need clarification, or when issues are solved. 

Known Issues List for AMSI and IPS EAP - 2019-12-03.pdf

  • Hi, I ran some tests about trying to exploit Sophos endpoint with Metasploit Framework and such tests were successful, also, I had open a ticket detailing all the test steps.

     

    Basically Sophos EAP AMSI features and its addon base policies didn't detect the attacks, on the other hand, another try with the same method in a computer running with Windows Defender as endpoint and the process was detected and blocked successfully. All the policies related to the AMSI and Shellcode was enabled during the performed tests.

    The case opened was: #9418224

    How this is an important case, since the customer was passing by a security test made by a security service provider at the moment, I need urgently to resolve this issue about the exploit in order to keep Sophos as the protection brand on the customer. The attack surface is also described in the case above.

    Thanks in advance. 

  • In reply to Pedro Mosna:

    Hi Pedro,

    Thank you for sharing this info. I have been informed of this case, and have given advise to the team on how to proceed.

    It looks like we'll need to collect more information, as the SDU logs provided don't contain any information on the root cause.

    We think it is a very important case indeed for several reasons, so rest assured we keep following it up. Support be in touch with you shortly for further steps on collecting more information.

    Vince

  • In reply to Vincent Vanbiervliet:

    Ok, thanks Vince, I'll do the next tests do see what's coming next. I'll keep you informed.

  • In reply to Vincent Vanbiervliet:

    Vince, sorry for the delay, however, the improvements made by the dev team were proven to work now.

     

    With the good news, customer demanded that AMSI EAP had to be deployed to all desktops and computers in the network, however, a few computers presented BSOD after EAP modules were installed, specifically after the reboot.

     

    I have three Windows 10 PCs so far that presented this issue. Customer reported that more than these PCs have this same issue. So, looking in the Sophos Central Device's events, none OS files appear to be quarantined or deleted after the update. Is there any Windows OS requirement to install New Endpoint Protection Features (EAP)?

  • In reply to Pedro Mosna:

    Hi Pedro, 

    There are no specific Windows 10 system requirements, just make sure your version is on the list here

    Am I correct in stating that the issues only arise for machines that are in the EAP?

    Vince

  • In reply to Vincent Vanbiervliet:

    Vincent, thanks for the information regarding the retirement calendar for the OSs.

    Yes, is right to inform in this case that only Windows with EAP modules installed presented issues like BSOD during boot process. Just guessing, but maybe it has to do with application hashes through the process of boot or within the use of detoured?

     

  • In reply to Pedro Mosna:

    Pedro Mosna

    Vince, sorry for the delay, however, the improvements made by the dev team were proven to work now.

     

    With the good news, customer demanded that AMSI EAP had to be deployed to all desktops and computers in the network, however, a few computers presented BSOD after EAP modules were installed, specifically after the reboot.

     

    I have three Windows 10 PCs so far that presented this issue. Customer reported that more than these PCs have this same issue. So, looking in the Sophos Central Device's events, none OS files appear to be quarantined or deleted after the update. Is there any Windows OS requirement to install New Endpoint Protection Features (EAP)?

     

    I am new to this board so I hope jumping in here is not a problem. I too have experienced the BSOD on 2 Windows 10 1909 machines that I just installed the AMSI EAP additions to. One of the machines in question is my admin machine which as I said is Windows 10 1909 with OS Build 18363.592 and it has been running solidly up until yesterday. Yesterday afternoon I experienced 4 BSODs in less than an hour on this machine. To combat this problem I took the machine out of the EAP in the Central console and then restarted the computer. That restart occurred about 3pm EST yesterday and since then ithas not had a single BSOD. I also removed my other Windows 10 test machine which exhibited the problem from the program and reverted the Sophos software to the non-Beta version and it alos appears to be working properly again. The Sophos versions on both machines are; Core Agent 2.5.5, Endpoint Advanced 10.8.6.215, Sophos Intercept X 2.0.16. I have decided for now to wait for a production release of the software but if you need any further information about my experience please let me know.

  • In reply to EdPhethean:

    Hi,

    Welcome to the board. No problem jumping on here. It might be easier to follow-up when you post in the "Feedback & Issues" section though.

    Meanwhile: the reason is unlikely to be AMSI, since a BSOD usually is caused by kernel/driver code, which AMSI is not. However, never say never.

    Of course we would like to solve this issue. For that we would need to analyse a dump file. If it is possible for you, it would be great if you could add one machine back to the EAP until you have a BSOD. Then please open a support ticket. Support then can give you access to our FTP server to upload the dump file.

    Thanks,

    Vince

  • In reply to EdPhethean:

    EdPhethean, it's nice to have your feedback, I had the mission to return to Vincent with complete Windows 10 logs that could be analyzed by Sophos dev team in order to better understand the situation with EAP. However, I could not collect the logs from the customer who was having the issue until then.

     

    I wonder if, since you are having the same issue,  maybe you could provide complete BSOD logs to Vincent, for 3 to 5 PCs that had the problem after EAP installation. Sure that with these logs will help a lot of IT pros including you and me will benefit from it, with better software.

    If you can upload these dumps to Vincent, I'm sure that he will put great effort to analyze the issue as he did for a big problem that I had before this.

  • In reply to Pedro Mosna:

    Hi Pedro,

    Ed and I have been in contact, and he has already sent us a dump file which we're analysing.

    Vince

  • In reply to Vincent Vanbiervliet:

    Good news Vincent. Thank you