
Malicious Traffic Detection now blocking UDP packets...

Something changed within the last few weeks. I use several programmes to control DMX lights with UDP packets. Now I find that malicious traffic detection is silently blocking them.

 

Are there no log files??? There is nothing in C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs

There is nothing in the web client (central) for the machine. There is nothing in general event logs.

 

The only reason I know this is the problem is that when I turn off that component locally, the UDP packet sending programme works. I can also get it working on a freshly imaged machine with no virus scanner.

 

Can we have some logging please, or let me know where it is. I would expect that if something was blocked by the virus scanner, it would LET ME KNOW IN SOME WAY, as opposed to silently failing and not being logged ANYWHERE.

 

FYI one of the programmes that I am using is udpsz.exe, which you can download from this guy here to demonstrate it yourself: http://aluigi.altervista.org/testz.htm , but it also affects some of our building automation software that runs in Java.

 

Am I missing where this logging location is for malicious traffic detection? Let me know and I can look at those logs and hopefully whitelist this completely acceptable behaviour in my environment.

 

TO FIX: I had to create a secondary policy and apply it just to the one server that sends the UDP packets, with malicious traffic detection set to off.



This thread was automatically locked due to age.
  • Hello givemecontrol,

    "Something changed"
    Workstation or server? According to the Release Notes the NTP/MTD version hasn't changed for Endpoint, only for Server.

    I'm using the on-premise SESC and NTP is still 1.2.2, so I can't test. Unless the FAQs are out of date, MTD does not block packets but instructs HIPS to terminate the process; nevertheless, interventions should be logged. Perhaps the verbose MTD log would give some insight.

    Please note that you can make exclusions - this might be preferable to turning MTD off completely.

    Christian

  • This particular problem first manifested on a machine classified as "server" and using server policies.


    But yes it also exists when running that program on workstations.

    Exclusions do not work in this case as I would have to exclude java.exe and javavm.exe. Now do you think it's a good idea to do that company-wide? :P

    And actually I tried to exclude the small udpsz.exe application and it doesn't work. I have excluded other tools such as pskill before, so the exclusion system I think works, just not for this.

     

    I have enabled verbose logging. FYI the instructions say to restart the service, however that is not possible (everything greyed out), so really you have to restart the PC.

    I only see one entry in the log, no matter how many times I run the program. New entries are not generated and the programme does not work to send the UDP packet.

    i 2018-09-25T16:01:53.524Z [3844:5096] - Exclusion 4: udpsz.exe [SntpController.cpp:74 driver::SntpController::setExclusions]

     

    The only way to get it to work is to disable the "malicious traffic detection" component under Sophos -> Settings -> Runtime Protection.

    It does not seem that it is logging these blocks at all, even with verbose logging on (option 4 in the registry key).

     

    But I am not clear on why you can't reproduce. I mean, I guess you have no target to send the UDP packet to, to verify that it is sending correctly. But maybe something like Wireshark could be used to observe the packets not coming out when malicious traffic detection is on?

  • Hello givemecontrol,

    "why you can't reproduce?"
    first and foremost: I'm not Sophos or someone else who provides support on behalf of Sophos. Furthermore I use the on-premise SESC, not Central. Both the MTD version and its management are different.

    "Exclusions do not work"
    the FAQs suggest that exclusions can be set specifically for MTD (pskill wouldn't trigger an MTD), but as I'm not familiar with Central Admin I can't verify this. Anyway, "Exclusion 4: udpsz.exe" suggests the exclusion is processed. If the process continues to run or terminates gracefully then very likely MTD hasn't intervened - there might be some adverse interaction.

    "[service restart] is not possible"
    likely due to Tamper Protection.

    "wireshark to observe the packets not coming out"
    as Wireshark monitors the interfaces it could only confirm that no packets make it to the adapter - something you already know. If no packet arrives it can't tell you why though.
    MTD uses the WFP. Can't imagine though that it would quietly discard UDP packets (and leave the process alone).
    The WFP provides auditing that is disabled by default. If enabled Security Events associated with udpsz.exe should be created. As there will be lots of unrelated events a Custom XML View like the one below is perhaps a good idea:

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[EventData[Data[@Name='Application'] and (Data='\complete\path\to\udpsz.exe')]]
        </Select>
      </Query>
    </QueryList>

    This might tell what happens to the packet (or the application's communication attempt).

    "Exclusions"
    as said, I'm not familiar with Central.
    It would be strange if you had to exclude an application from AV scanning as well when you just want to exclude it from MTD. I didn't suggest making AV real-time exclusions for Java.

    As even the verbose log doesn't give a hint I can't speculate what could be the cause. Other applications (DNS, streaming, ...) also use UDP and I assume they work. Thus I think you have to contact Support.

    Christian
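As an added example (not from Christian's post, nor Sophos' own tooling): a PowerShell script that switches on the two WFP audit subcategories referred to above, then pulls the resulting Security events (5152 packet dropped, 5157 connection blocked) for one executable and shows the protocol, 5-tuple and the run-time ID of the filter that did the blocking. The image name udpsz.exe and the 15-minute window are assumptions; it needs an elevated PowerShell.

```powershell
# Added example, not part of the original thread. Run as Administrator.
# WFP auditing is off by default; these subcategories produce 5152 (packet dropped)
# and 5157 (connection blocked). Revert with /success:disable /failure:disable.
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable | Out-Null

# WFP records the image as an NT device path (\device\harddiskvolumeN\...\udpsz.exe),
# which is why a drive-letter path in a custom view does not match. Match on the file name.
$ImageName = 'udpsz.exe'            # assumed; substitute the binary under test
$Since     = (Get-Date).AddMinutes(-15)

# Reproduce the failure (run the UDP sender) before querying.
$events = Get-WinEvent -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157; StartTime = $Since }

$blocks = foreach ($ev in $events) {
    $xml = [xml]$ev.ToXml()
    # Flatten the <Data Name="..."> elements into a hashtable keyed by field name.
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.GetAttribute('Name')] = $node.'#text' }
    if ($d['Application'] -notlike "*\$ImageName") { continue }
    [pscustomobject]@{
        Time        = $ev.TimeCreated
        EventId     = $ev.Id
        Protocol    = if ($d['Protocol'] -eq '17') { 'UDP' } else { $d['Protocol'] }
        Direction   = $d['Direction']      # %%14592 = inbound, %%14593 = outbound
        Source      = "$($d['SourceAddress']):$($d['SourcePort'])"
        Destination = "$($d['DestAddress']):$($d['DestPort'])"
        FilterRTID  = $d['FilterRTID']     # run-time ID of the filter that blocked it
        Layer       = $d['LayerName']
    }
}

if (-not $blocks) {
    "No WFP block events for $ImageName since $Since - the drop is not coming from a WFP filter."
} else {
    $blocks | Format-Table -AutoSize
    # To attribute a block to its owner, dump the live WFP state and look up the filter:
    #   netsh wfp show state file=wfpstate.xml
    # the <filterId> equal to FilterRTID sits under an <item> whose provider data names the vendor.
}
```

If the table stays empty while the packets still fail to leave, the interference is not a WFP filter and the HIPS/process-termination path Christian describes is the next thing to check.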
