Tamper Protection - log every attempt to end a Sophos process
Our PCI-DSS Level 1 audit has asked us to show logs for any attempt to kill any Sophos process. None can be found, despite Sophos Support claiming an event is logged in Event Viewer - no Event Source, Event ID or other information was provided to prove this is the case. An "Access Denied" error is generated by tamper protection, which is nice. We have no proof that someone or something attempted to circumvent Sophos until it has actually been circumvented (an alert in Sophos Central that the computer is no longer protected), nor do we know how long the attempt to circumvent it has been under way. Like closing the barn doors after the cows have left.
- A malicious attacker (external actor or disgruntled employee) manages to gain access to a workstation or server via a legitimate path - PowerShell/WinRM or interactive console access - without triggering any other malicious payload alert from Sophos: an otherwise legitimate login to the targeted machine/environment (credentials obtained via a phishing attack). Then the attacker attempts to stop Sophos. At the absolute minimum, an audit entry for the attempt should be written to the Windows Security event log, like any other access-denied event Windows generates for system objects. This will allow administrators to see potential attacks under way that have not otherwise triggered a malicious payload alert, or even something in the Tamper Protection logs themselves beyond just "Tamper Protection has been disabled". The logs can also be analyzed in real time by third-party monitoring platforms like SumoLogic, which can correlate the data from the Windows Event Logs in a way Sophos is simply not designed to do. With appropriate setup, real-time alerts can be raised by the third-party monitoring platform, or even by Sophos Central if the attempt to kill any Sophos process is relayed back to Sophos Central alerting.
An attempt was made to access an object.
Security ID: ad\UserName (or Local System Account if accessed via System account)
Account Name: UserName
Account Domain: ad
Logon ID: 0xFFFFFFFF
Object Server: Security
Object Type: File
Object Name: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
Handle ID: 0x0000
Resource Attributes: S:AI
Process ID: 0x000
Process Name: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
Access Request Information:
Outcome: Access Denied
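As an added illustration of the correlation the post asks a third-party monitor to perform (example code, not from Sophos or the original post), the following parses Security-log event bodies in the shape of the sample above and raises an alert only when a non-Sophos process is denied access to a file under the Sophos install directory. It assumes object-access auditing with a SACL on that directory produces events in this layout; the sample events and the `SOPHOS_DIR` path pattern are constructed for the example.

```python
import re

# Constructed sample event bodies in the layout proposed above (not real Windows or Sophos output).
SAMPLE_EVENTS = [
    # 1. Interactive user tries to terminate the AV service from PowerShell -> should alert
    "An attempt was made to access an object.\nSecurity ID: ad\\jdoe\nAccount Name: jdoe\n"
    "Account Domain: ad\nLogon ID: 0x3E7A1\nObject Type: File\n"
    "Object Name: C:\\Program Files (x86)\\Sophos\\Sophos Anti-Virus\\SavService.exe\n"
    "Process Name: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "Access Request Information:\nOutcome: Access Denied",
    # 2. A Sophos process touching its own binary -> routine self-access, no alert
    "An attempt was made to access an object.\nSecurity ID: SYSTEM\nObject Type: File\n"
    "Object Name: C:\\Program Files (x86)\\Sophos\\Sophos Anti-Virus\\SavService.exe\n"
    "Process Name: C:\\Program Files (x86)\\Sophos\\Sophos Anti-Virus\\SavService.exe\n"
    "Access Request Information:\nOutcome: Access Denied",
    # 3. Denied access to an unrelated file -> not a tamper event
    "An attempt was made to access an object.\nSecurity ID: ad\\jdoe\nObject Type: File\n"
    "Object Name: C:\\Finance\\payroll.xlsx\nProcess Name: C:\\Windows\\explorer.exe\n"
    "Access Request Information:\nOutcome: Access Denied",
]

FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")
# Matches the Sophos install directory (32- or 64-bit Program Files); constructed pattern.
SOPHOS_DIR = re.compile(r"^C:\\Program Files( \(x86\))?\\Sophos\\", re.IGNORECASE)


def parse_event(text: str) -> dict:
    """Turn a multi-line 'Key: Value' event body into a dict; the first line is the message."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    fields = {"Message": lines[0]}
    for line in lines[1:]:
        m = FIELD_RE.match(line)  # split at the first colon so paths like C:\... survive
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def is_tamper_attempt(ev: dict) -> bool:
    """Denied access to a Sophos file by a process that is not itself a Sophos binary."""
    denied = ev.get("Outcome", "").lower() == "access denied"
    target_is_sophos = bool(SOPHOS_DIR.match(ev.get("Object Name", "")))
    actor_is_sophos = bool(SOPHOS_DIR.match(ev.get("Process Name", "")))
    return denied and target_is_sophos and not actor_is_sophos


def tamper_alerts(raw_events) -> list:
    """One alert string per suspicious event, ready to forward to a SIEM or Sophos Central."""
    alerts = []
    for ev in map(parse_event, raw_events):
        if is_tamper_attempt(ev):
            alerts.append(f"{ev.get('Security ID', '?')} denied on {ev['Object Name']} "
                          f"via {ev.get('Process Name', '?')}")
    return alerts
```

Run against the constructed samples, only the first event produces an alert; the Sophos self-access and the unrelated denied file are filtered out, which keeps the rule quiet on the routine noise an object-access SACL generates.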