CredGuard exploit prevention in 0patch Service

I'm running 0patch for hot patching. After activating 'Active Adversary Mitigations', the 0patch Service is blocked, with the events on the PC itself mentioning "CredGuard".

Unfortunately, Sophos Central only reports that malware is active or couldn't be cleaned.

Trying to create an exception I had to exclude the process as the exploit does not show up in the exploit list. But creating an exception for the process doesn't change the behaviour.

What can I do to create a working exception? Why does the exploit not show up in Sophos Central?

I should mention that I'm taking part in the EDR beta and have other versions installed. Maybe this is important.

  • For now I deactivated "CredGuard" in Active Adversary Mitigations. Now I don't get further warnings about an exploit but my computer stays "red" due to a recognized threat. Unfortunately Sophos Central doesn't give me the opportunity to do anything about this.

    Regards, Jelle

    Sophos XG210-HA (SFOS 18.0.4) on SG210 appliances with Sandstorm and 1x AP55
    Sophos Central with Intercept X Advanced, Device Encryption, Phish Threat, Mobile Control Advanced

    If a post solves your question use the 'This helped me' link.

  • Hi Jelle,

    Did you check the endpoint events in the Central Dashboard for the "CredGuard" detection? Can you enable remote assistance for your central account and PM me the License number so that I can have it checked for you?

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support


  • Hi Gowtham,

    Mitja Kolsek of 0patch here. Please don't hesitate to reach out to me for resolving this issue. We can do some tests and help you pinpoint the problem.

    Cheers,

    Mitja

  • Hi Gowtham,

    Unfortunately, nothing about this event shows up in the Central dashboards. Only my computer is marked as critical.

    I'm going to send you a PM. Thanks.

    Regards, Jelle