On a commercial cloud server, I want to use two methods in my application to inject two DLLs into the address space of a second application.
The two methods are C++ calls to SetWindowsHookEx() and WriteProcessMemory() in my application.
What instructions do I give tech support at the cloud vendor, to set up Sophos, so that my DLL injections are not blocked by Sophos?
Do you know what mitigation this is alerted as? LoadLibrary? Have you confirmed there is a "detection" for this? If you create a trial of Sophos Central, install it on a computer and run your app, then if you get a detection, the details will be in the Application event log (event ID 911), and the same details will be shown in Central in the details view. From there you can authorize it in various ways.
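Before asking anyone to configure an exclusion, the first check is whether a detection actually fires. The PowerShell below is an added example, not code from this thread or from Sophos: it queries the Application log for event ID 911 as described above, and assumes the event message names your application's executable (MyApp.exe is a placeholder to replace).

```powershell
# Added example (not from the thread): list exploit-mitigation detections
# (Application log, event ID 911) so a detection can be confirmed before
# requesting an exclusion. Assumption: the event message text contains the
# name of the injecting application's executable.
function Get-SophosMitigationEvents {
    [CmdletBinding()]
    param(
        [int]$Days = 7,
        [string]$AppName = 'MyApp.exe'   # placeholder process name, replace with yours
    )
    $filter = @{
        LogName   = 'Application'
        Id        = 911
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Keep only events whose message mentions the application of interest
        if ($AppName -and ($e.Message -notmatch [regex]::Escape($AppName))) { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Provider    = $e.ProviderName
            Message     = $e.Message
        }
    }
}

# Review the hits on screen, then export them to hand to the vendor's support staff
Get-SophosMitigationEvents -Days 30 -AppName 'MyApp.exe' |
    Tee-Object -Variable hits |
    Format-List
if ($hits) {
    $hits | Export-Csv -Path "$env:TEMP\sophos-911-events.csv" -NoTypeInformation
}
```

Run it on the test machine after exercising the application; no output means no event 911 was logged in the chosen window, which is the point to clarify before asking for a thumbprint or path exclusion.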
In reply to jak:
Thanks for your input.
I assume that Sophos is blocking the injection of DLLs, attempted by any of the three common Windows methods.
Please describe the method(s) of authorization, so that I can pass instructions to the tech staff at the cloud vendor.
In reply to Peter Gaczi:
You're probably better off testing this yourself end to end to see the workflows, as it really depends on if and how the application is detected. There is a chance the different load module mitigations may fire differently if it's LoadLibrary calls, reflective DLL injection, etc.
It only takes a minute to create a Central account, which is fully featured for 30 days, at central.sophos.com. To protect a computer takes about 10 minutes. So in 15 mins you should be able to run your application and see what is detected, and how you may want to document how your customer should exclude it. For example, you can create a global exclusion: https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/tasks/ScanningExclusions.html
This method sends down a thumbprint to the endpoint to whitelist the detection based on the client making the detection. There is also file path as per: https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/tasks/ExploitExclusions.html
for more pro-active exclusions, but then this excludes the process from all mitigations, which may be more than you would want to recommend, as the thumbprint is more specific. It's a little more involved than, say, typical process/file exclusions for on-access/demand AV scanning, where an exclusion is more generic. I think it's worth seeing how your application behaves when exploit mitigation is running, as different types of applications have different mitigations applied to them. So depending on the process being injected into you might get different mitigation alerts.
Hope it helps.
Thanks for your input. The customer informed me that they are not using Sophos, after all.
Here are the links I found, in case someone has the same problem.