
Event 911 - Mitigation DEP - Is this something we need to investigate?

Hello there!

Today we had a user whose Outlook was closed, and a pop-up from Sophos showed them a notification mentioning DEP. The user lost data, as the draft emails they were typing were lost as well (while they were typing them).

I have found this event in the event logs:

Mitigation   DEP

Platform     10.0.16299/x64 v732 06_8e
PID          11744
Application  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Description  Microsoft Outlook 16

EIP     = 0x13B251E0 : (anonymous)+0x5651E0
State   = 0x00001000
Type    = 0x00020000
Protect = 0x00000004

13B251E0 8C           DB 0x8c
13B251E1 755D         JNZ 0x13b25240
13B251E3 40           INC EAX
13B251E4 0100         ADD [EAX], EAX
13B251E6 0000         ADD [EAX], AL
13B251E8 0000         ADD [EAX], AL
13B251EA 0000         ADD [EAX], AL
13B251EC 0000         ADD [EAX], AL
13B251EE 0000         ADD [EAX], AL
13B251F0 0000         ADD [EAX], AL
13B251F2 0000         ADD [EAX], AL
13B251F4 0000         ADD [EAX], AL
13B251F6 0000         ADD [EAX], AL
13B251F8 0000         ADD [EAX], AL
13B251FA 0000         ADD [EAX], AL
13B251FC 0000         ADD [EAX], AL

Process Trace
1  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [11744]
2  C:\Windows\explorer.exe [9316]
3  C:\Windows\System32\userinit.exe [7264]

Thumbprint
93e57b556a252b2fde83c0ddd219f17a43fefa2d9ee08fcb0cb675c480efc904

Log Name: Application

Source: HitmanPro.Alert

Event ID: 911

Any thoughts as to how we can prevent this, or what to check?

Thank you!

N@

****************UPDATE 11/04/2018***************

Product version number: Sophos Intercept X 2.0.2

We only have Intercept X, not the endpoint software.

This happened on a machine which was built in the last couple of weeks, so any Sophos fixes which were released before then should be on the machine.


