New InterceptX Users - need some guidance

Hello - 


We are new Sophos Cloud users and today after installing on a specific computer, we got a message come through about "Safe Browsing detected browser Internet Explorer has been compromised".  I did some searching around and found someone asking for EventID 911 in the Application log of the end user computer.  I did find an entry right at the time that we got the message and it is a HitmanPro.Alert.  The problem is that I do not know enough to read the log to know what triggered it or to determine if this is a false-positive or not.  Can anyone shed any light on the subject, please?

Thanks -

Tom


Intruder

PID 8604
Application C:\Program Files\Internet Explorer\iexplore.exe
Description Internet Explorer 11

Detour Report
# Address Owner Disassembly
-- ------------------ ------------------------ ------------------------
CreateActCtxW
1 0x000000007702A170 kernel32.dll JMP 0x37010180
2 0x0000000037010180 wininet.dll

CreateFileW
1 0x0000000077020D10 kernel32.dll JMP 0x37010148
2 0x0000000037010148 wininet.dll

CreateProcessInternalW
1 0x000000007702DD20 kernel32.dll JMP 0x6fff00d8
2 0x000000006FFF00D8 ATL100.DLL

GetQueuedCompletionStatus
1 0x0000000077019980 kernel32.dll JMP 0x6fff0228
2 0x000000006FFF0228 ATL100.DLL

ReplaceFile
1 0x00000000770A43E0 kernel32.dll JMP 0x370101f0
2 0x00000000370101F0 wininet.dll

CreateWindowExW
1 0x00000000771407BC USER32.dll JMP 0x370101b8
2 0x00000000370101B8 wininet.dll

GetMessageA
1 0x0000000077146100 USER32.dll JMP 0x38d40d55
2 0x0000000038D40D55 wininet.dll

GetMessageW
1 0x0000000077149E74 USER32.dll JMP 0x38d40d14
2 0x0000000038D40D14 wininet.dll

PeekMessageA
1 0x00000000771439C0 USER32.dll JMP 0x38d40cd8
2 0x0000000038D40CD8 wininet.dll

PeekMessageW
1 0x0000000077148FF4 USER32.dll JMP 0x38d40c98
2 0x0000000038D40C98 wininet.dll

KiUserExceptionDispatcher
1 0x000000007727BC8A ntdll.dll JMP 0x38d40d96
2 0x0000000038D40D96 wininet.dll

LdrLoadDll
1 0x0000000077256130 ntdll.dll JMP 0x38d40e18
2 0x0000000038D40E18 wininet.dll

NtAllocateVirtualMemory
1 0x000000007727BEB0 ntdll.dll JMP 0x38d40f56
2 0x0000000038D40F56 wininet.dll

NtClose
1 0x000000007727BE20 ntdll.dll JMP 0x6fff0180
2 0x000000006FFF0180 ATL100.DLL

NtCreateFile
1 0x000000007727C280 ntdll.dll JMP 0x6fff0110
2 0x000000006FFF0110 ATL100.DLL

NtFreeVirtualMemory
1 0x000000007727BF10 ntdll.dll JMP 0x38d40f16
2 0x0000000038D40F16 wininet.dll

NtMapViewOfSection
1 0x000000007727BFB0 ntdll.dll JMP 0x38d40e96
2 0x0000000038D40E96 wininet.dll

NtOpenFile
1 0x000000007727C060 ntdll.dll JMP 0x6fff0148
2 0x000000006FFF0148 ATL100.DLL

NtProtectVirtualMemory
1 0x000000007727C230 ntdll.dll JMP 0x38d40ed6
2 0x0000000038D40ED6 wininet.dll

NtSetInformationFile
1 0x000000007727BFA0 ntdll.dll JMP 0x6fff01b8
2 0x000000006FFF01B8 ATL100.DLL

NtUnmapViewOfSection
1 0x000000007727BFD0 ntdll.dll JMP 0x38d40e56
2 0x0000000038D40E56 wininet.dll

NtWaitForDebugEvent
1 0x000000007727D610 ntdll.dll JMP 0x38d40fd6
2 0x0000000038D40FD6 wininet.dll

RtlInstallFunctionTableCallback
1 0x00000000772322B0 ntdll.dll JMP 0x38d40f95
2 0x0000000038D40F95 wininet.dll

recv
1 0x000007FEF2E91744 WSOCK32.dll JMP 0x7fefe5b0308
2 0x000007FEFE5B0308 (anonymous; svrltmgr.dll)

recvfrom
1 0x000007FEF2E917AC WSOCK32.dll JMP 0x7fefe5b03e8
2 0x000007FEFE5B03E8 (anonymous; svrltmgr.dll)

GetFileVersionInfoSizeW
1 0x000007FEFC3615FC version.DLL JMP 0x7febc3500d8
2 0x000007FEBC3500D8 (anonymous; USER32.dll)

GetFileVersionInfoW
1 0x000007FEFC361614 version.DLL JMP 0x7febc350110
2 0x000007FEBC350110 (anonymous; USER32.dll)

DecryptMessage
1 0x000007FEFCD751F4 SspiCli.dll JMP 0x7fefe5b01f0
2 0x000007FEFE5B01F0 (anonymous; svrltmgr.dll)

EncryptMessage
1 0x000007FEFCD750A0 SspiCli.dll JMP 0x7fefe5b0228
2 0x000007FEFE5B0228 (anonymous; svrltmgr.dll)

closesocket
1 0x000007FEFD3518E0 WS2_32.dll JMP 0x7fefe5b0260
2 0x000007FEFE5B0260 (anonymous; svrltmgr.dll)

connect
1 0x000007FEFD3542F0 WS2_32.dll JMP 0x7fefe5b0378
2 0x000007FEFE5B0378 (anonymous; svrltmgr.dll)

getaddrinfo
1 0x000007FEFD352720 WS2_32.dll JMP 0x7fefe5b0458
2 0x000007FEFE5B0458 (anonymous; svrltmgr.dll)

gethostbyaddr
1 0x000007FEFD3788F0 WS2_32.dll JMP 0x7fefe5b02d0
2 0x000007FEFE5B02D0 (anonymous; svrltmgr.dll)

gethostbyname
1 0x000007FEFD358AC0 WS2_32.dll JMP 0x7fefe5b0298
2 0x000007FEFE5B0298 (anonymous; svrltmgr.dll)

listen
1 0x000007FEFD357F60 WS2_32.dll JMP 0x7fefe5b0420
2 0x000007FEFE5B0420 (anonymous; svrltmgr.dll)

recv
1 0x000007FEFD35D9C0 WS2_32.dll JMP 0x7fefe5b0500
2 0x000007FEFE5B0500 (anonymous; svrltmgr.dll)

send
1 0x000007FEFD357CD0 WS2_32.dll JMP 0x7fefe5b0340
2 0x000007FEFE5B0340 (anonymous; svrltmgr.dll)

sendto
1 0x000007FEFD35DB50 WS2_32.dll JMP 0x7fefe5b03b0
2 0x000007FEFE5B03B0 (anonymous; svrltmgr.dll)

WSAGetOverlappedResult
1 0x000007FEFD3779E0 WS2_32.dll JMP 0x7fefe5b0538
2 0x000007FEFE5B0538 (anonymous; svrltmgr.dll)

WSARecv
1 0x000007FEFD352200 WS2_32.dll JMP 0x7fefe5b05e0
2 0x000007FEFE5B05E0 (anonymous; svrltmgr.dll)

WSARecvFrom
1 0x000007FEFD37E650 WS2_32.dll JMP 0x7fefe5b0618
2 0x000007FEFE5B0618 (anonymous; svrltmgr.dll)

WSASend
1 0x000007FEFD3513B0 WS2_32.dll JMP 0x7fefe5b0570
2 0x000007FEFE5B0570 (anonymous; svrltmgr.dll)

WSASendTo
1 0x000007FEFD35E7F0 WS2_32.dll JMP 0x7fefe5b05a8
2 0x000007FEFE5B05A8 (anonymous; svrltmgr.dll)

WSAStringToAddressA
1 0x000007FEFD379360 WS2_32.dll JMP 0x7fefe5b0490
2 0x000007FEFE5B0490 (anonymous; svrltmgr.dll)

WSAStringToAddressW
1 0x000007FEFD35ACF0 WS2_32.dll JMP 0x7fefe5b04c8
2 0x000007FEFE5B04C8 (anonymous; svrltmgr.dll)

SHExtractIconsW
1 0x000007FEFD6E84C8 shell32.DLL JMP 0x7febc350148
2 0x000007FEBC350148 (anonymous; USER32.dll)

EndDoc
1 0x000007FEFE9A8478 GDI32.dll JMP 0x7fefe5b0148
2 0x000007FEFE5B0148 (anonymous; svrltmgr.dll)

StartDocA
1 0x000007FEFE9A8748 GDI32.dll JMP 0x7fefe5b00d8
2 0x000007FEFE5B00D8 (anonymous; svrltmgr.dll)

StartDocW
1 0x000007FEFE9A890C GDI32.dll JMP 0x7fefe5b0110
2 0x000007FEFE5B0110 (anonymous; svrltmgr.dll)

URLDownloadToFileW
1 0x000007FEFEA25930 urlmon.dll JMP 0x7fef6640f98
2 0x000007FEF6640F98 netprofm.dll

CoCreateInstance
1 0x000007FEFF2A6D10 ole32.dll JMP 0x7fefe5b0180
2 0x000007FEFE5B0180 (anonymous; svrltmgr.dll)

CoCreateInstanceEx
1 0x000007FEFF28D870 ole32.dll JMP 0x7fefe5b01b8
2 0x000007FEFE5B01B8 (anonymous; svrltmgr.dll)

StgOpenStorageEx
1 0x000007FEFF3C7940 ole32.dll JMP 0x7febc350180
2 0x000007FEBC350180 (anonymous; USER32.dll)


Thumbprint
c521d6df731e2b5a75e232b9a971773a982a9853fe3ff85b8515bbad99ca2156

  • Hey Tom!


    It's really hard to say whether this was a false positive or not as we don't know what URL you were trying to reach when the detection was made. As we blocked the exploit attempt, there won't be any samples etc on the machine to use to verify.

    If you have a URL, please post it, and I would be totally happy to check with SophosLabs as to whether it is truly malicious or not and let you know their findings. Otherwise, sadly, I don't think there's much more we can do in this instance.

  • In reply to SecBug:

    Hey SecBug - thanks a lot for the reply.  I will see if I can figure out what URL he was trying to hit when the alert came.  I do appreciate you taking the time to respond.


    Tom

  • In reply to Tom Weber:

    You're more than welcome. Get in touch if you do get hold of that URL! :)

  • Hi Tom,

    From the eventID details, this looks like a similar case I'm dealing with.

    Please confirm if you are using an employee monitoring software made by Veriato (www.veriato.com/) and if yes add a Policy Thumbprint for all browsers that report the Intruder alert to not get any more alerts.

    Veriato is injecting svrltmgr.dll into browser processes and this is why HMPA triggers the alert.


    Cheers

  • In reply to ZiggyEdman:

    We are getting the same error on 37 out of 400 workstations with a new install. I've looked at one of the PCs and can't see anything out of the ordinary.

  • In reply to ZiggyEdman:

    This might actually be the case, I had this same issue too when using another employee monitoring software by Wolfeye (www.wolfeye.us).


  • In reply to Malte Tiez:

    Hello

    On the surface it may seem that it is an FP. You can do a combination of submitting the URL for review by Sophos Labs (Web Address (URL)), and also raise a support case to get the 911 event reviewed by the Support team further.

    If the Thumbprint value in the 911 event does not change, this can be whitelisted provided that it has been proven to be an FP; however, if the value changes each time, the Support team would need to review further to see how this detection should be whitelisted.
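The two triage questions raised in this thread are "which module owns the hooks that HitmanPro.Alert flagged?" (ZiggyEdman's point about svrltmgr.dll) and "is the Thumbprint the same across events?" (the point in the last reply). Below is an added example, not Sophos or HitmanPro.Alert code, that parses the Detour Report text from Tom's post and answers both. The sample report is an excerpt of the entries quoted above; the parser's layout assumptions (one API name line followed by numbered hop lines, blocks separated by blank lines, a "Thumbprint" label followed by the hash on the next line) are inferred from that post, and the treatment of "(anonymous; module.dll)" owner labels as targets the report did not attribute to a loaded module image is an assumption.

```python
"""Triage helper for a HitmanPro.Alert event 911 "Detour Report".

Groups the hooked APIs by the module that owns the final jump target, lists
owners the report could not attribute to a module image, checks that each
JMP target really is the next hop's address, and compares Thumbprints across
several events. Added example; the report layout is inferred from the post.
"""
import re
from collections import defaultdict

# Excerpt of the report in the post above (constructed subset of its entries).
SAMPLE_REPORT = r"""Intruder

PID 8604
Application C:\Program Files\Internet Explorer\iexplore.exe
Description Internet Explorer 11

Detour Report
# Address Owner Disassembly
-- ------------------ ------------------------ ------------------------
CreateFileW
1 0x0000000077020D10 kernel32.dll JMP 0x37010148
2 0x0000000037010148 wininet.dll

NtClose
1 0x000000007727BE20 ntdll.dll JMP 0x6fff0180
2 0x000000006FFF0180 ATL100.DLL

recv
1 0x000007FEF2E91744 WSOCK32.dll JMP 0x7fefe5b0308
2 0x000007FEFE5B0308 (anonymous; svrltmgr.dll)

connect
1 0x000007FEFD3542F0 WS2_32.dll JMP 0x7fefe5b0378
2 0x000007FEFE5B0378 (anonymous; svrltmgr.dll)

recv
1 0x000007FEFD35D9C0 WS2_32.dll JMP 0x7fefe5b0500
2 0x000007FEFE5B0500 (anonymous; svrltmgr.dll)

URLDownloadToFileW
1 0x000007FEFEA25930 urlmon.dll JMP 0x7fef6640f98
2 0x000007FEF6640F98 netprofm.dll


Thumbprint
c521d6df731e2b5a75e232b9a971773a982a9853fe3ff85b8515bbad99ca2156
"""

# "<n> <address> <owner> [JMP <target>]"; owner may contain spaces.
HOP_RE = re.compile(r"^(\d+)\s+(0x[0-9A-Fa-f]+)\s+(.+?)(?:\s+JMP\s+(0x[0-9A-Fa-f]+))?$")


def parse_report(text):
    """Return {'pid', 'application', 'thumbprint', 'hooks': [{'api', 'hops'}]}."""
    report = {"pid": None, "application": None, "thumbprint": None, "hooks": []}
    lines = [ln.rstrip() for ln in text.splitlines()]
    in_table, current = False, None
    for i, ln in enumerate(lines):
        if ln.startswith("PID "):
            report["pid"] = int(ln.split(None, 1)[1])
        elif ln.startswith("Application "):
            report["application"] = ln.split(None, 1)[1]
        elif ln.startswith("--"):          # column separator: hook blocks follow
            in_table = True
        elif ln == "Thumbprint":           # label line; hash is on the next line
            in_table = False
            report["thumbprint"] = lines[i + 1].strip()
        elif in_table:
            if not ln.strip():             # blank line ends the current block
                current = None
                continue
            m = HOP_RE.match(ln)
            if m and current is not None:
                idx, addr, owner, jmp = m.groups()
                current["hops"].append({"idx": int(idx), "address": int(addr, 16),
                                        "owner": owner,
                                        "jmp": int(jmp, 16) if jmp else None})
            else:                          # a non-hop line starts a new API block
                current = {"api": ln.strip(), "hops": []}
                report["hooks"].append(current)
    return report


def hooks_by_module(report):
    """Map each final-hop owner label to the sorted list of APIs it hooks."""
    by_module = defaultdict(list)
    for hook in report["hooks"]:
        by_module[hook["hops"][-1]["owner"]].append(hook["api"])
    return {owner: sorted(apis) for owner, apis in by_module.items()}


def unattributed_modules(report):
    """Owner labels the report could not tie to a module image (assumed meaning
    of the '(anonymous; ...)' form); these are the first thing to look at."""
    return sorted({o for o in hooks_by_module(report) if o.startswith("(anonymous")})


def broken_chains(report):
    """APIs where a hop's JMP target is not the address of the next hop."""
    bad = []
    for hook in report["hooks"]:
        hops = hook["hops"]
        for a, b in zip(hops, hops[1:]):
            if a["jmp"] is not None and a["jmp"] != b["address"]:
                bad.append(hook["api"])
                break
    return bad


def thumbprints_stable(reports):
    """True when every parsed event carries the same Thumbprint (the condition
    the last reply gives for a whitelist entry being workable)."""
    return len({r["thumbprint"] for r in reports}) == 1


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    for owner, apis in hooks_by_module(rep).items():
        print(f"{owner:32} {', '.join(apis)}")
    print("unattributed:", unattributed_modules(rep))
    print("broken chains:", broken_chains(rep))
```

Run against the Detour Report copied out of each 911 event: modules in the output that are not a known browser component or security product are the candidates for the monitoring-agent explanation given above, and `thumbprints_stable` over several events tells you whether a single Policy Thumbprint entry will cover them.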