Has anyone seen a false flag for "WIN-CAC-NET-CONNECTION-NO-CMDLINE-1.star"

I'm running into an issue where Sophos flags dllhost.exe as suspicious because it runs with no command line arguments. That IS suspicious; my issue is that when I dug into it, that particular process ID it flags on my end does have a command line argument, but only if I run Process Explorer as admin. If I run it with user rights, I see a blank command line argument. I THINK this is what is causing the false flag in Sophos Central.

I'm wondering if anyone else has come across this and can shed some light on it? Does Sophos run with admin credentials?

BELOW IS USER

BELOW IS ADMIN

I've attached some images showing what I mean.

Thanks in advance! 



  • Hi bkatw0rk,

    Thanks for reaching out to the Sophos Community Forum. 

    When you run the command as a non-administrator, does the command execute successfully? Could this be why further details are not shown? 

    Kushal Lakhan
    Team Lead, Global Community Support
  • Hey Qoosh, I appreciate the reply! It's not that I'm running any sort of command; this is an automated process. svchost launches dllhost. In the case above, this particular launching of dllhost (pid: 3456) by Windows is repledged, so even when logged in as an admin and viewing the process, the command line is blank. Only when you specifically escalate out of the "user" profile (even if it's an admin user) do you get to see the actual command line running here.

    So my thought process is: if I have to escalate manually to see it, even as an admin, Sophos, even with proper admin rights provided, would likely need to as well. So Sophos simply does not have the rights to view this command line, and falsely marks it as blank, when in all reality it is not blank.
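A triage script for the situation this thread describes, added here as an example and not code from the thread or from Sophos: for a PID it reports what Win32_Process exposes as CommandLine and whether the calling security context can open the process with the rights needed to read it, so a blank value can be attributed to access rather than to a genuinely argument-less process. The PID 3456 is taken from the thread as a placeholder; the class name ProcAccess and the function names are my own.

```powershell
# Added triage script (not from the thread): report what Win32_Process exposes as
# CommandLine for a PID and whether the caller can open the process with the
# rights needed to read it. Blank + denied => access problem, not an empty command line.
param([int]$ProcessId = 3456)   # dllhost.exe PID quoted in the thread, as an example

Add-Type @"
using System;
using System.Runtime.InteropServices;
public static class ProcAccess {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
"@

# Reading a process's command line means reading its PEB: PROCESS_QUERY_INFORMATION |
# PROCESS_VM_READ. An unelevated caller is denied these on an elevated process.
$PROCESS_QUERY_INFORMATION = 0x0400
$PROCESS_VM_READ           = 0x0010

function Test-CallerElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-CommandLineAccess {
    param([int]$Id)
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $Id"
    if (-not $proc) { throw "No process with PID $Id" }
    $h = [ProcAccess]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $Id)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()   # 5 = ERROR_ACCESS_DENIED
    $canRead = ($h -ne [IntPtr]::Zero)
    if ($canRead) { [void][ProcAccess]::CloseHandle($h) }
    $blank = [string]::IsNullOrEmpty($proc.CommandLine)
    $verdict = if ($blank -and -not $canRead) { "blank because caller cannot read the process (error $err); re-check from an elevated session" }
               elseif ($blank) { 'blank although readable; genuinely launched without arguments' }
               else { 'command line readable' }
    [pscustomobject]@{
        ProcessId      = $proc.ProcessId
        Name           = $proc.Name
        CommandLine    = $proc.CommandLine
        CallerElevated = Test-CallerElevated
        CanReadMemory  = $canRead
        Verdict        = $verdict
    }
}
Get-CommandLineAccess -Id $ProcessId | Format-List
```

Run it once from a standard user session and once from an elevated one against the same PID; the CanReadMemory and Verdict fields show whether the blank command line is a property of the process or of the viewer.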