Endpoint Protection

Suggest, discuss, and vote on new ideas for Sophos Endpoint Protection. Comprehensive security for users and data


Tamper Protection - When any Sophos process is attempted to be ended

Our PCI-DSS Level 1 audit has asked us to show logs when any attempt to kill any Sophos process is made. None can be found, despite Sophos Support claiming an event is logged in Event Viewer; no Event Source, Event ID or other information was provided to prove this is the case. An "Access Denied" error is generated by tamper protection, that's nice. We have no proof that someone or something attempted to circumvent Sophos until it has actually been circumvented (alert in Sophos Central that the computer is no longer protected), nor how long this attempt to circumvent has been underway. Like closing the barn doors after the cows have left.

Use Case:
- A malicious attacker (external actor or disgruntled employee) manages to gain access to a workstation or server via a legitimate path (PowerShell WRM or interactive console access) without triggering any other malicious payload alert by Sophos: an otherwise legitimate login to the targeted machine/environment (credentials obtained via a phishing attack). Then the attacker attempts to stop Sophos. At the absolute minimum, an audit log of the attempt should be written to the Windows Security Event Viewer log, like any other access-denied log Windows generates for system events. This will allow administrators to see any potential attacks under way that have not otherwise triggered a malicious payload alert, or even something in the Tamper Protection logs themselves and not just "Tamper Protection has been disabled". The logs can also be analyzed in real time by 3rd party monitoring platforms like SumoLogic that can correlate the data from the Windows Event Logs, which Sophos is simply not designed to do. With appropriate setup, administrators can receive real-time alerts from the 3rd party monitoring platform, or even from Sophos Central if the attempt to kill any Sophos process is relayed back to Sophos Central alerting.

Example Log:

An attempt was made to access an object.

Subject:
Security ID: ad\UserName (or Local System Account if accessed via System account)
Account Name: UserName
Account Domain: ad
Logon ID: 0xFFFFFFFF

Object:
Object Server: Security
Object Type: File
Object Name: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
Handle ID: 0x0000
Resource Attributes: S:AI

Process Information:
Process ID: 0x000
Process Name: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe

Access Request Information:
Accesses: EndTask
Outcome: Access Denied

1 vote

Patrick Dufresne shared this idea

0 comments
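To show how a SIEM-side rule could consume the event format proposed in the post above, here is an added example (not code from the post, from Sophos, or from SumoLogic). It assumes the "Key: Value" field names of the proposed log, the Sophos install path given in the post, and a constructed sample of three events; it flags denied EndTask requests against Sophos binaries and counts them per account so repeated attempts by one subject stand out.

```python
from collections import defaultdict

# Install path prefix taken from the proposed log in the post (lower-cased for matching).
SOPHOS_DIR = "c:\\program files (x86)\\sophos\\"
# Access names that represent ending a process; "EndTask" is the one the post proposes.
TERMINATE_ACCESSES = {"endtask", "terminate"}

# Constructed sample (not real log data): two denied EndTask attempts by the same
# user against SavService.exe, plus one unrelated successful file access.
SAMPLE_LOG = """\
An attempt was made to access an object.
Account Name: jdoe
Account Domain: ad
Object Name: C:\\Program Files (x86)\\Sophos\\Sophos Anti-Virus\\SavService.exe
Accesses: EndTask
Outcome: Access Denied

An attempt was made to access an object.
Account Name: jdoe
Account Domain: ad
Object Name: C:\\Program Files (x86)\\Sophos\\Sophos Anti-Virus\\SavService.exe
Accesses: EndTask
Outcome: Access Denied

An attempt was made to access an object.
Account Name: backup
Account Domain: ad
Object Name: C:\\Data\\report.xlsx
Accesses: ReadData
Outcome: Success
"""

def parse_events(text):
    """Split blank-line separated events into dicts of lower-cased 'key' -> value."""
    events = []
    for chunk in text.strip().split("\n\n"):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                fields[key.strip().lower()] = value.strip()
        events.append(fields)
    return events

def tamper_attempts(events):
    """Return {'domain\\user': count} of denied terminate requests on Sophos binaries."""
    hits = defaultdict(int)
    for ev in events:
        if (ev.get("outcome", "").lower() == "access denied"
                and ev.get("accesses", "").lower() in TERMINATE_ACCESSES
                and ev.get("object name", "").lower().startswith(SOPHOS_DIR)):
            hits[f"{ev.get('account domain', '')}\\{ev.get('account name', '')}"] += 1
    return dict(hits)
```

The message text "An attempt was made to access an object." belongs to Security event 4663, which Windows records only for granted access; a denied handle request appears as a failure audit of event 4656, so a production rule should key on that ID and on the Accesses and Object Name fields rather than on the message text.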
