Exploit

Hello,


I am a new Sophos user and appreciate any help with this that you may be able to offer.  When starting up Chrome we get the following message:


"An attempt to exploit an application vulnerability was prevented"


I don't know if this is something legit with Chrome that Sophos is detecting as a possible malicious attempt, or if it is an exploit.  If it is malware, how do I remove it from the cpu, as the software scanning is not taking care of it?


Here are the details that are listed with the "intercepted attack" prompt:


Mitigation   Lockdown


Platform     10.0.17763/x64 v508 06_9e

PID          6788

Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Description  Google Chrome 75


Operation    SetValueKey

Key          \REGISTRY\USER\S-1-5-21-224820651-3658889247-3281666078-1001\Software\Microsoft\Windows\CurrentVersion\Run\

Value Name   GoogleChromeAutoLaunch_4E6299B33FA0592A57BB7C6E94F010D2

Value        "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window /prefetch:5


Process Trace

1  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [6788]

2  C:\Windows\explorer.exe [9408]

3  C:\Windows\System32\userinit.exe [13032]

4  C:\Windows\System32\winlogon.exe [12896]

C:\WINDOWS\System32\WinLogon.exe -SpecialSession

5  C:\Windows\System32\smss.exe [5980]

\SystemRoot\System32\smss.exe 000000fc 00000084 C:\WINDOWS\System32\WinLogon.exe -SpecialSession


Thumbprint

d189073d28c1f44e5d23487b8948cc9fbca0145735aacf977438518b7e093e7a

Data based thumbprint

02dbe3586176e662b21a60b64f262d365befebf421bf1596c16cf7fc8d864fde


Thanks again for any help!

  • It doesn't look concerning.  It appears that Chrome is setting a registry key to ensure it starts automatically as you logon.

    This is the information most relevant:

    Operation    SetValueKey

    Key          \REGISTRY\USER\S-1-5-21-224820651-3658889247-3281666078-1001\Software\Microsoft\Windows\CurrentVersion\Run\

    Value Name   GoogleChromeAutoLaunch_4E6299B33FA0592A57BB7C6E94F010D2

    Value        "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window /prefetch:5

    This page: https://bugs.chromium.org/p/chromium/issues/detail?id=436504 kind of details the purpose of the key and that it's somehow related to the option of continuing where you left off.

    You can ignore this event or whitelist it in Sophos Central if that's the management platform you are using.  Are you using the business product or the free Home version?

    Regards,

    Jak

  • In reply to jak:

    Thank you for your reply and help with this Jak!
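The check a practitioner would run before whitelisting the event Jak describes: confirm that the GoogleChromeAutoLaunch_* value in the user's Run key actually points at a Chrome binary that exists on disk and carries a valid Google Authenticode signature, rather than at something else that has borrowed the name. The script below is an added example written for this page, not code from the thread, from Sophos or from the Chromium project. It assumes a Windows PowerShell 5.1 or later session on the affected machine, that a legitimate Chrome lives under a ...\Google\Chrome\Application\chrome.exe path as in the intercept details, and that its signer subject contains "O=Google" (the verdict rules are the editor's heuristic, not a Sophos or Google rule).

```powershell
# Added example, not part of the original thread. Audits the current user's
# Run key and reports whether each auto-start command points at a signed,
# present binary, then applies a simple verdict to Chrome's auto-launch value.
# Assumptions: PowerShell 5.1+, HKCU of the logged-on user is the key Sophos
# reported (\REGISTRY\USER\<SID>\...\Run maps to HKCU:\...\Run for that user).

function Get-RunKeyEntry {
    param([string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')

    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)

        # Pull the executable out of the command line: the quoted first token
        # (as in the Chrome value above) or the first whitespace-delimited one.
        if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($command -split '\s+', 2)[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        # Authenticode check only makes sense if the target actually exists;
        # a missing target is itself worth a look (stale entry or a dropper
        # that has since been removed).
        $sig = $null
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
        }

        [pscustomobject]@{
            Name       = $name
            Executable = $exe
            Exists     = [bool]$sig
            SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Command    = $command
        }
    }
}

function Test-ChromeAutoLaunch {
    # Editor's heuristic (assumption, not a vendor rule): a GoogleChromeAutoLaunch_*
    # value is expected only when it runs a chrome.exe under the Chrome install
    # folder that exists and has a Valid signature from a Google subject.
    $entries = Get-RunKeyEntry | Where-Object { $_.Name -like 'GoogleChromeAutoLaunch_*' }
    foreach ($e in $entries) {
        $looksLikeChrome = $e.Executable -match '\\Google\\Chrome\\Application\\chrome\.exe$'
        $validGoogleSig  = ($e.SigStatus -eq 'Valid') -and ($e.Signer -match 'O=Google')
        [pscustomobject]@{
            Name    = $e.Name
            Verdict = if ($looksLikeChrome -and $validGoogleSig) { 'Expected Chrome auto-launch entry' }
                      elseif (-not $e.Exists) { 'Target missing: stale or suspicious' }
                      else { 'Review: not a validly signed Google chrome.exe' }
            Details = $e
        }
    }
}

# Usage: list every Run entry with its signature state, then the Chrome verdict.
Get-RunKeyEntry | Format-Table Name, SigStatus, Signer, Executable -AutoSize
Test-ChromeAutoLaunch | Format-List Name, Verdict
```

Run it as the user whose SID appears in the Sophos key path; HKCU resolves to a different hive if you run it from another account. A "Valid" status with a Google signer and the same chrome.exe path the intercept shows supports Jak's reading that this is Chrome's own auto-launch value; a missing file, an unsigned or "HashMismatch" binary, or a path outside the Chrome install folder is the case where you would not whitelist and would keep investigating instead.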