
New install - alert = intruder?

Not sure whether this is the correct forum, as we are using Exploit Protection on Sophos Enterprise Console. From what I understand, it's the same product.

We have pushed out Exploit Protection and 40 PCs are coming back with alerts for iexplorer.exe of type "Intruder", but there's not much more information than that.

Any ideas?



  • The Application Event log will hold quite a bit of information. Can you find the 911 event ID and post the contents?

    Regards,

    Jak

  • Hi Jak,

    here it is:

    Intruder

    PID          4912
    Application  C:\Program Files\Internet Explorer\iexplore.exe
    Description  Internet Explorer 11

    Detour Report
    #  Address     Owner                    Disassembly
    -- ----------  ------------------------ ------------------------
    GetFileVersionInfoSizeW
     1 0x745219D9  version.DLL              JMP 0x7504457c
     2 0x7504457C  SOPHOS~1.DLL             

    GetFileVersionInfoW
     1 0x745219F4  version.DLL              JMP 0x7504455e
     2 0x7504455E  SOPHOS~1.DLL             

    accept
     1 0x7582B9B7  WS2_32.dll               JMP 0x75045682
     2 0x75045682  SOPHOS~1.DLL             

    bind
     1 0x75824582  WS2_32.dll               JMP 0x75045663
     2 0x75045663  SOPHOS~1.DLL             

    closesocket
     1 0x75823918  WS2_32.dll               JMP 0x75045644
     2 0x75045644  SOPHOS~1.DLL             

    connect
     1 0x758268F5  WS2_32.dll               JMP 0x75045625
     2 0x75045625  SOPHOS~1.DLL             

    getpeername
     1 0x75826E5F  WS2_32.dll               JMP 0x75045606
     2 0x75045606  SOPHOS~1.DLL             

    listen
     1 0x7582E977  WS2_32.dll               JMP 0x750455e7
     2 0x750455E7  SOPHOS~1.DLL             

    recv
     1 0x75826826  WS2_32.dll               JMP 0x750455c8
     2 0x750455C8  SOPHOS~1.DLL             

    send *
     1 0x75826C19  WS2_32.dll               JMP 0x750455a9
     2 0x750455A9  SOPHOS~1.DLL             

    WSASocketA
     1 0x7582E562  WS2_32.dll               JMP 0x750456c0
     2 0x750456C0  SOPHOS~1.DLL             

    WSAStartup
     1 0x75823AB2  WS2_32.dll               JMP 0x750456a1
     2 0x750456A1  SOPHOS~1.DLL             

    CreateWindowExW
     1 0x7586EC44  user32.DLL               JMP 0x7504943c
     2 0x7504943C  SOPHOS~1.DLL             

    SHExtractIconsW
     1 0x75CF5803  shell32.DLL              JMP 0x7504490d
     2 0x7504490D  SOPHOS~1.DLL             

    CreateActCtxW
     1 0x76865935  kernel32.dll             JMP 0x75048f40
     2 0x75048F40  SOPHOS~1.DLL             

    CreateFileA
     1 0x7686EC81  kernel32.dll             JMP 0x750459a8
     2 0x750459A8  SOPHOS~1.DLL             

    CreateFileW
     1 0x7686EAC5  kernel32.dll             JMP 0x7504948b
     2 0x7504948B  SOPHOS~1.DLL             

    CreateProcessA
     1 0x76822082  kernel32.dll             JMP 0x63cc0000
     2 0x63CC0000  (anonymous; user32.DLL)  

    CreateProcessInternalA
     1 0x7687CB0C  kernel32.dll             JMP 0x64680000
     2 0x64680000  (anonymous; user32.DLL)  

    ExitProcess
     1 0x7687BE52  kernel32.dll             JMP 0x7504594b
     2 0x7504594B  SOPHOS~1.DLL             

    FreeLibrary
     1 0x7686F187  kernel32.dll             JMP 0x7504953d
     2 0x7504953D  SOPHOS~1.DLL             

    GetProcAddress
     1 0x7686CEBC  kernel32.dll             JMP 0x7504590d
     2 0x7504590D  SOPHOS~1.DLL             

    GetThreadContext
     1 0x76888E44  kernel32.dll             JMP 0x750458ee
     2 0x750458EE  SOPHOS~1.DLL             

    GlobalAlloc
     1 0x7686A37D  kernel32.dll             JMP 0x750458cf
     2 0x750458CF  SOPHOS~1.DLL             

    LoadLibraryA
     1 0x7686DE85  kernel32.dll             JMP 0x74020000
     2 0x74020000  (anonymous; user32.DLL)  

    LoadLibraryExA
     1 0x768646BE  kernel32.dll             JMP 0x6ea30000
     2 0x6EA30000  (anonymous; user32.DLL)  

    LoadLibraryExW
     1 0x768652D1  kernel32.dll             JMP 0x497b0000
     2 0x497B0000  (anonymous; user32.DLL)  

    LoadLibraryW
     1 0x7686F162  kernel32.dll             JMP 0x66470000
     2 0x66470000  (anonymous; user32.DLL)  

    ReplaceFile
     1 0x76881978  kernel32.dll             JMP 0x75048fbe
     2 0x75048FBE  SOPHOS~1.DLL             

    SetThreadContext
     1 0x768B10EB  kernel32.dll             JMP 0x75045834
     2 0x75045834  SOPHOS~1.DLL             

    VirtualProtect
     1 0x76862E25  kernel32.dll             JMP 0x6d010000
     2 0x6D010000  (anonymous; user32.DLL)  

    VirtualProtectEx
     1 0x768B0571  kernel32.dll             JMP 0x3c310000
     2 0x3C310000  (anonymous; user32.DLL)  

    WinExec
     1 0x768AF536  kernel32.dll             JMP 0x660a0000
     2 0x660A0000  (anonymous; user32.DLL)  

    WriteFile
     1 0x76875616  kernel32.dll             JMP 0x750457b8
     2 0x750457B8  SOPHOS~1.DLL             

    WriteFileEx
     1 0x7688579D  kernel32.dll             JMP 0x75045799
     2 0x75045799  SOPHOS~1.DLL             

    WriteProcessMemory
     1 0x7688980F  kernel32.dll             JMP 0x7504577a
     2 0x7504577A  SOPHOS~1.DLL             

    InternetOpenA
     1 0x76B12A80  WININET.dll              JMP 0x7504573c
     2 0x7504573C  SOPHOS~1.DLL             

    InternetOpenUrlA *
     1 0x76BB6240  WININET.dll              JMP 0x7504571d
     2 0x7504571D  SOPHOS~1.DLL             

    InternetQueryDataAvailable
     1 0x76AE2C00  WININET.dll              JMP 0x750456fe
     2 0x750456FE  SOPHOS~1.DLL             

    InternetReadFile *
     1 0x76AE24B0  WININET.dll              JMP 0x750456df
     2 0x750456DF  SOPHOS~1.DLL             

    StgOpenStorageEx
     1 0x76E96C22  ole32.dll                JMP 0x7503546b
     2 0x7503546B  SOPHOS~1.DLL             

    KiFastSystemCall
     1 0x77206C70  ntdll.dll                CLD
                                            JMP 0x77206c81
     2 0x77206C81  ntdll.dll                JMP 0x745a1b9d
     3 0x745A1B9D  hmpalert.dll             

    LdrLoadDll
     1 0x77222133  ntdll.dll                JMP 0x7504575b
     2 0x7504575B  SOPHOS~1.DLL             

    RtlExitUserThread
     1 0x771EF515  ntdll.dll                JMP 0x7504592c
     2 0x7504592C  SOPHOS~1.DLL             


    Thumbprint
    30bc4126c4f83c42ed591692fefd36251050e000168ae1402ff244a4a77dfbbc

  • Thanks,

    Are you able to reproduce the problem on demand on these computers or does it appear to happen randomly?

    Also, if you look at the event log entry for a couple of clients, is the thumbprint value the same?

    What version of the hmpalert.sys driver is loaded? The file is under: \windows\system32\drivers\hmpalert.sys. I wonder if the 588 version fixes this:

    https://www.hitmanpro.com/en-us/whatsnewalert.aspx

    Regards,

    Jak

  • Hi, the thumbprint isn't the same; here is another one:

    Intruder

    PID          5952
    Application  C:\Program Files\Internet Explorer\iexplore.exe
    Description  Internet Explorer 11

    Detour Report
    #  Address     Owner                    Disassembly
    -- ----------  ------------------------ ------------------------
    GetFileVersionInfoSizeW
     1 0x74D519D9  version.DLL              JMP 0x7587457c
     2 0x7587457C  SOPHOS~1.DLL

    GetFileVersionInfoW
     1 0x74D519F4  version.DLL              JMP 0x7587455e
     2 0x7587455E  SOPHOS~1.DLL

    accept
     1 0x75C3B9B7  WS2_32.dll               JMP 0x75875682
     2 0x75875682  SOPHOS~1.DLL

    bind
     1 0x75C34582  WS2_32.dll               JMP 0x75875663
     2 0x75875663  SOPHOS~1.DLL

    closesocket
     1 0x75C33918  WS2_32.dll               JMP 0x75875644
     2 0x75875644  SOPHOS~1.DLL

    connect
     1 0x75C368F5  WS2_32.dll               JMP 0x75875625
     2 0x75875625  SOPHOS~1.DLL

    getpeername
     1 0x75C36E5F  WS2_32.dll               JMP 0x75875606
     2 0x75875606  SOPHOS~1.DLL

    listen
     1 0x75C3E977  WS2_32.dll               JMP 0x758755e7
     2 0x758755E7  SOPHOS~1.DLL

    recv
     1 0x75C36826  WS2_32.dll               JMP 0x758755c8
     2 0x758755C8  SOPHOS~1.DLL

    send *
     1 0x75C36C19  WS2_32.dll               JMP 0x758755a9
     2 0x758755A9  SOPHOS~1.DLL

    WSASocketA
     1 0x75C3E562  WS2_32.dll               JMP 0x758756c0
     2 0x758756C0  SOPHOS~1.DLL

    WSAStartup
     1 0x75C33AB2  WS2_32.dll               JMP 0x758756a1
     2 0x758756A1  SOPHOS~1.DLL

    StgOpenStorageEx
     1 0x75D06C22  ole32.dll                JMP 0x7586546b
     2 0x7586546B  SOPHOS~1.DLL

    CreateActCtxW
     1 0x76585935  kernel32.dll             JMP 0x75878f40
     2 0x75878F40  SOPHOS~1.DLL

    CreateFileA
     1 0x7658EC81  kernel32.dll             JMP 0x758759a8
     2 0x758759A8  SOPHOS~1.DLL

    CreateFileW
     1 0x7658EAC5  kernel32.dll             JMP 0x7587948b
     2 0x7587948B  SOPHOS~1.DLL

    CreateProcessA
     1 0x76542082  kernel32.dll             JMP 0x476a0000
     2 0x476A0000  (anonymous; user32.DLL)

    CreateProcessInternalA
     1 0x7659CB0C  kernel32.dll             JMP 0x56f20000
     2 0x56F20000  (anonymous; user32.DLL)

    ExitProcess
     1 0x7659BE52  kernel32.dll             JMP 0x7587594b
     2 0x7587594B  SOPHOS~1.DLL

    FreeLibrary
     1 0x7658F187  kernel32.dll             JMP 0x7587953d
     2 0x7587953D  SOPHOS~1.DLL

    GetProcAddress
     1 0x7658CEBC  kernel32.dll             JMP 0x7587590d
     2 0x7587590D  SOPHOS~1.DLL

    GetThreadContext
     1 0x765A8E44  kernel32.dll             JMP 0x758758ee
     2 0x758758EE  SOPHOS~1.DLL

    GlobalAlloc
     1 0x7658A37D  kernel32.dll             JMP 0x758758cf
     2 0x758758CF  SOPHOS~1.DLL

    LoadLibraryA
     1 0x7658DE85  kernel32.dll             JMP 0x55ec0000
     2 0x55EC0000  (anonymous; user32.DLL)

    LoadLibraryExA
     1 0x765846BE  kernel32.dll             JMP 0x59320000
     2 0x59320000  (anonymous; user32.DLL)

    LoadLibraryExW
     1 0x765852D1  kernel32.dll             JMP 0x68ee0000
     2 0x68EE0000  (anonymous; user32.DLL)

    LoadLibraryW
     1 0x7658F162  kernel32.dll             JMP 0x64190000
     2 0x64190000  (anonymous; user32.DLL)

    ReplaceFile
     1 0x765A1978  kernel32.dll             JMP 0x75878fbe
     2 0x75878FBE  SOPHOS~1.DLL

    SetThreadContext
     1 0x765D10EB  kernel32.dll             JMP 0x75875834
     2 0x75875834  SOPHOS~1.DLL

    VirtualProtect
     1 0x76582E25  kernel32.dll             JMP 0x571c0000
     2 0x571C0000  (anonymous; user32.DLL)

    VirtualProtectEx
     1 0x765D0571  kernel32.dll             JMP 0x3ecd0000
     2 0x3ECD0000  (anonymous; user32.DLL)

    WinExec
     1 0x765CF536  kernel32.dll             JMP 0x5af10000
     2 0x5AF10000  (anonymous; user32.DLL)

    WriteFile
     1 0x76595616  kernel32.dll             JMP 0x758757b8
     2 0x758757B8  SOPHOS~1.DLL

    WriteFileEx
     1 0x765A579D  kernel32.dll             JMP 0x75875799
     2 0x75875799  SOPHOS~1.DLL

    WriteProcessMemory
     1 0x765A980F  kernel32.dll             JMP 0x7587577a
     2 0x7587577A  SOPHOS~1.DLL

    CreateWindowExW
     1 0x7673EC44  user32.DLL               JMP 0x7587943c
     2 0x7587943C  SOPHOS~1.DLL

    SHExtractIconsW
     1 0x76A05803  shell32.DLL              JMP 0x7587490d
     2 0x7587490D  SOPHOS~1.DLL

    InternetOpenA
     1 0x775F2A80  WININET.dll              JMP 0x7587573c
     2 0x7587573C  SOPHOS~1.DLL

    InternetOpenUrlA *
     1 0x77696240  WININET.dll              JMP 0x7587571d
     2 0x7587571D  SOPHOS~1.DLL

    InternetQueryDataAvailable
     1 0x775C2C00  WININET.dll              JMP 0x758756fe
     2 0x758756FE  SOPHOS~1.DLL

    InternetReadFile *
     1 0x775C24B0  WININET.dll              JMP 0x758756df
     2 0x758756DF  SOPHOS~1.DLL

    KiFastSystemCall
     1 0x77A36C70  ntdll.dll                CLD
                                            JMP 0x77a36c81
     2 0x77A36C81  ntdll.dll                JMP 0x74dd1b9d
     3 0x74DD1B9D  hmpalert.dll

    LdrLoadDll
     1 0x77A52133  ntdll.dll                JMP 0x7587575b
     2 0x7587575B  SOPHOS~1.DLL

    RtlExitUserThread
     1 0x77A1F515  ntdll.dll                JMP 0x7587592c
     2 0x7587592C  SOPHOS~1.DLL


    Thumbprint
    7f5f16e0e99b71c4a2ce61d4b375c81391721139555d1c99d3fa3cd1b59c5792
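
Added example, not code from this thread or from Sophos/HitmanPro: a small Python triage script for the Detour Report format quoted in the two posts above. It parses each hooked function's hop chain, checks that every JMP lands on the next hop's address, and flags chains whose final owner is reported as "(anonymous; ...)" rather than a named module. The expected-owner set (SOPHOS~1.DLL and hmpalert.dll, the owners the reports themselves name) is an assumption, and the sample excerpt is constructed from the first report.

```python
import re
# Constructed excerpt in the layout of the Detour Report quoted above (values from the first report).
SAMPLE_REPORT = """\
GetProcAddress
 1 0x7686CEBC  kernel32.dll             JMP 0x7504590d
 2 0x7504590D  SOPHOS~1.DLL

CreateProcessA
 1 0x76822082  kernel32.dll             JMP 0x63cc0000
 2 0x63CC0000  (anonymous; user32.DLL)
"""
EXPECTED_OWNERS = {"SOPHOS~1.DLL", "hmpalert.dll"}   # assumption: the vendor's own hook modules
HOP_RE = re.compile(r"^(\d+)\s+(0x[0-9A-Fa-f]+)\s+(\([^)]*\)|\S+)\s*(.*)$")
NAME_RE = re.compile(r"^(\S+)( \*)?$")               # function header line, e.g. "send *"
JMP_RE = re.compile(r"JMP\s+(0x[0-9A-Fa-f]+)")

def parse_detour_report(text):
    """Map each hooked function to its hops as (index, address, owner, disassembly)."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        hop = HOP_RE.match(line)
        if hop and current is not None:
            idx, addr, owner, disasm = hop.groups()
            chains[current].append((int(idx), int(addr, 16), owner, disasm))
        elif NAME_RE.match(line):
            current = NAME_RE.match(line).group(1)
            chains[current] = []
        elif line and current and chains[current]:   # wrapped disassembly (the CLD / JMP pair)
            i, a, o, d = chains[current][-1]
            chains[current][-1] = (i, a, o, d + " " + line)
    return {f: h for f, h in chains.items() if h}    # drop non-function headers such as "Intruder"

def chain_is_consistent(hops):
    """Each JMP must land on the next hop's address (the trampoline chain the report shows)."""
    targets = [JMP_RE.search(d) for *_, d in hops[:-1]]
    return all(t and int(t.group(1), 16) == nxt[1] for t, nxt in zip(targets, hops[1:]))

def triage(chains, expected=EXPECTED_OWNERS):
    """Return {function: reason} for hooks a responder should look at first."""
    findings = {}
    for func, hops in chains.items():
        owner = hops[-1][2]
        if owner.startswith("(anonymous"):
            findings[func] = "detour ends in anonymous memory: " + owner
        elif owner not in expected:
            findings[func] = "detour ends in unexpected module: " + owner
        elif not chain_is_consistent(hops):
            findings[func] = "JMP target does not match next hop"
    return findings
```

Run over the full text of an event 911 entry, it lists the same nine functions for both reports posted here (the CreateProcessA, CreateProcessInternalA, LoadLibrary*, VirtualProtect* and WinExec hooks whose detour ends in anonymous memory), which is a quicker way to compare clients than eyeballing the thumbprints.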

  • The version on SEC is 3.9.5.593, so I would guess it's v593?