MS Word / Excel block due to ROP

It's 2020 and it seems this issue still has not been resolved, even with the latest version.

Sophos AMSI Protection for Windows (64-bit) 1.5.23.0
Sophos Anti-Virus 10.8.9.610
Sophos AutoUpdate 6.6.144.144
Sophos Clean 3.8.10.1
Sophos Endpoint Defense 2.2.5.648
Sophos Endpoint Firewall 1.2.0.17
Sophos Endpoint UI 2.0.423.0
Sophos File Scanner 1.7.721.0
Sophos Health 2.4.7.0
Sophos HitmanPro Alert 3.8.0.523.523
Sophos Live Query (64-bit) 3.0.0.398
Sophos Live Terminal (64-bit) 1.2.4.0
Sophos Machine Learning Engine 1.5.3
Sophos Management Communications System 4.12.686.0
Sophos Network Threat Protection 1.10.1051.0
Sophos Self Help Tool 2.8.1.2
Sophos Standalone Engine 1.6.11
Sophos Threat Detection Engine 3.79.0.22
Sophos Uninstaller 1.9.0.4


This thread was automatically locked due to age.
  • To clarify - are you getting a ROP detection on all launches or when opening specific files?

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support

  • Hi

    Could you post the event ID logs for the ROP exploit?

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Mitigation   ROP
    Timestamp    2020-11-09T08:25:01
    Platform     10.0.19042/x64 v523 06_8e-
    PID          14368
    Enabled      003D2A3E1FBF0104
    Silent       0038000000000100
    Application  C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    Created      2020-11-09T08:01:01
    Modified     2020-11-09T08:01:01
    Description  Microsoft Word 16

    Callee Type  LoadLibrary
                 C:\Program Files\Common Files\Microsoft Shared\Office16\mso30win32client.dll

    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFE24B88982 KernelBase.dll           LoadLibraryExW +0x162
    2  00007FFE248A0094 (anonymous; AntiExploitCore64.dll)
                        ff350a000000             PUSH         QWORD [RIP+0xa]
                        f04883250100000000       LOCK AND     QWORD [RIP+0x1], 0x0
                        c3                       RET

    Loaded Modules (45)
    -----------------------------------------------------------------------------
    00007FF61FA00000-00007FF61FBE2000 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE (Microsoft Corporation),
                                      version: 16.0.13328.20356
    00007FFDC8BE0000-00007FFDC9AAE000 C:\Program Files\Microsoft Office\root\Office16\oart.dll (Microsoft Corporation),
                                      version: 16.0.13328.20352
    00007FFDC9AB0000-00007FFDCC3AC000 C:\Program Files\Microsoft Office\root\Office16\wwlib.dll (Microsoft Corporation),
                                      version: 16.0.13328.20356
    00007FFDD28D0000-00007FFDD2F40000 C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll (Microsoft Corporation),
                                      version: 16.0.13328.20350
    00007FFDE0870000-00007FFDE08C1000 C:\WINDOWS\SYSTEM32\CRYPTUI.dll (Microsoft Corporation),
                                      version: 10.0.19041.572 (WinBuild.160101.0800)
    00007FFDF2B70000-00007FFDF2D4E000 C:\Program Files\Microsoft Office\root\Office16\c2r64.dll (Microsoft Corporation),
                                      version: 16.0.13328.20130
    00007FFDF2D50000-00007FFDF2FD3000 C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll (Microsoft Corporation),
                                      version: 5.2.160.0
    00007FFDF67C0000-00007FFDF67FB000 C:\Program Files\Fortinet\FortiClient\AntiExploitCore64.dll (Fortinet Inc.),
                                      version: 1.0.0.0003
    00007FFE09000000-00007FFE09039000 C:\WINDOWS\SYSTEM32\RstrtMgr.DLL (Microsoft Corporation),
                                      version: 10.0.19041.1 (WinBuild.160101.0800)
    00007FFE0BD30000-00007FFE0BED6000 C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.572_none_fae9a23b76193bbb\gdiplus.dll (Microsoft Corporation),
                                      version: 10.0.19041.572 (WinBuild.160101.0800)
    00007FFE0EE10000-00007FFE0F0AB000 C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21\COMCTL32.dll (Microsoft Corporation),
                                      version: 6.10 (WinBuild.160101.0800)
    00007FFE128B0000-00007FFE12A9D000 C:\WINDOWS\SYSTEM32\urlmon.dll (Microsoft Corporation),
                                      version: 11.00.19041.546 (WinBuild.160101.0800)
    00007FFE12BE0000-00007FFE12E90000 C:\WINDOWS\SYSTEM32\iertutil.dll (Microsoft Corporation),
                                      version: 11.00.19041.546 (WinBuild.160101.0800)
    00007FFE1BAD0000-00007FFE1BB69000 C:\Program Files\Microsoft Office\root\Office16\MSVCP140.dll (Microsoft Corporation),
                                      version: 14.24.28127.4 built by: vcwrkspc
    00007FFE1BB70000-00007FFE1BB87000 C:\Program Files\Microsoft Office\root\Office16\VCRUNTIME140.dll (Microsoft Corporation),
                                      version: 14.24.28127.4 built by: vcwrkspc
    00007FFE1EC90000-00007FFE1EC9C000 C:\Program Files\Microsoft Office\root\Office16\VCRUNTIME140_1.dll (Microsoft Corporation),
                                      version: 14.24.28127.4 built by: vcwrkspc
    00007FFE219A0000-00007FFE21A30000 C:\WINDOWS\SYSTEM32\apphelp.dll (Microsoft Corporation),
                                      version: 10.0.19041.572 (WinBuild.160101.0800)
    00007FFE23BF0000-00007FFE23C2B000 C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE241B0000-00007FFE241EB000 C:\WINDOWS\SYSTEM32\NTASN1.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE241F0000-00007FFE24217000 C:\WINDOWS\SYSTEM32\ncrypt.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE245E0000-00007FFE246FB000 C:\Windows\System32\hmpalert.dll (SurfRight B.V.),
                                      version: 3.8.0.515
    00007FFE247F0000-00007FFE2481E000 C:\WINDOWS\SYSTEM32\USERENV.dll (Microsoft Corporation),
                                      version: 10.0.19041.572 (WinBuild.160101.0800)
    00007FFE24900000-00007FFE24A00000 C:\WINDOWS\System32\ucrtbase.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE24A50000-00007FFE24B59000 C:\WINDOWS\System32\gdi32full.dll (Microsoft Corporation),
                                      version: 10.0.19041.572 (WinBuild.160101.0800)
    00007FFE24B60000-00007FFE24E28000 C:\Windows\System32\KernelBase.dll (Microsoft Corporation),
                                      version: 10.0.19041.572 (WinBuild.160101.0800)
    00007FFE24E30000-00007FFE24E57000 C:\WINDOWS\System32\bcrypt.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE24E60000-00007FFE24FBD000 C:\WINDOWS\System32\CRYPT32.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE25020000-00007FFE25042000 C:\WINDOWS\System32\win32u.dll (Microsoft Corporation),
                                      version: 10.0.19041.572 (WinBuild.160101.0800)
    00007FFE25100000-00007FFE2519D000 C:\WINDOWS\System32\msvcp_win.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE25220000-00007FFE253C0000 C:\WINDOWS\System32\USER32.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE25500000-00007FFE25555000 C:\WINDOWS\System32\SHLWAPI.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE257D0000-00007FFE25800000 C:\WINDOWS\System32\IMM32.DLL (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE25800000-00007FFE2582A000 C:\WINDOWS\System32\GDI32.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE25D40000-00007FFE25E6A000 C:\WINDOWS\System32\ole32.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE25E70000-00007FFE261C5000 C:\WINDOWS\System32\combase.dll (Microsoft Corporation),
                                      version: 10.0.19041.572 (WinBuild.160101.0800)
    00007FFE261D0000-00007FFE2626E000 C:\WINDOWS\System32\msvcrt.dll (Microsoft Corporation),
                                      version: 7.0.19041.546 (WinBuild.160101.0800)
    00007FFE26270000-00007FFE26394000 C:\WINDOWS\System32\RPCRT4.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE26450000-00007FFE264EB000 C:\WINDOWS\System32\sechost.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE264F0000-00007FFE2655B000 C:\WINDOWS\System32\ws2_32.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE265C0000-00007FFE26D00000 C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation),
                                      version: 10.0.19041.572 (WinBuild.160101.0800)
    00007FFE26D00000-00007FFE26DCD000 C:\WINDOWS\System32\OLEAUT32.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE26DD0000-00007FFE26E7E000 C:\WINDOWS\System32\shcore.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE26E80000-00007FFE26F2A000 C:\WINDOWS\System32\ADVAPI32.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE270A0000-00007FFE2715D000 C:\Windows\System32\kernel32.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFE271B0000-00007FFE273A6000 C:\Windows\System32\ntdll.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)

    Process Trace
    1  C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE [14368]
    2  C:\Windows\explorer.exe [10312]
    3  C:\Windows\System32\userinit.exe [6180]
    4  C:\Windows\System32\winlogon.exe [904]
       winlogon.exe
    5  C:\Windows\System32\smss.exe [980]
       \SystemRoot\System32\smss.exe 000000f4 00000084
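Added example, not part of the thread and not Sophos or HitmanPro code: a small Python triage script for reports in the format posted above. It parses the header fields, the stack trace and the loaded-module list, checks against the module map whether each return address actually lies inside a mapped image, and lists the non-Microsoft modules present in the process. On the sample it flags frame #2, whose return address falls outside every mapped image and which the report itself attributes to AntiExploitCore64.dll (Fortinet Inc.); the stub at that address is a PUSH QWORD [RIP+..] / RET sequence, a push/ret trampoline rather than a return to a real call site, which is exactly the pattern a caller-check ROP mitigation is built to stop. Both hmpalert.dll (the in-process HitmanPro.Alert component) and AntiExploitCore64.dll are loaded into WINWORD.EXE, so that overlap is the first thing a responder would check before treating the event as a real exploit. SAMPLE_REPORT is a constructed, abridged copy of the posted report; TRUSTED_DIRS and the trusted_vendors default are the script's own heuristics, not product settings.

```python
import re
import textwrap
from collections import namedtuple

# Constructed sample: an abridged copy of the report format posted in the thread.
SAMPLE_REPORT = r"""
Mitigation   ROP
PID          14368
Application  C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Callee Type  LoadLibrary
             C:\Program Files\Common Files\Microsoft Shared\Office16\mso30win32client.dll

Stack Trace
#  Address          Module                   Location
1  00007FFE24B88982 KernelBase.dll           LoadLibraryExW +0x162
2  00007FFE248A0094 (anonymous; AntiExploitCore64.dll)
                    ff350a000000             PUSH         QWORD [RIP+0xa]

Loaded Modules (3)
00007FFDF67C0000-00007FFDF67FB000 C:\Program Files\Fortinet\FortiClient\AntiExploitCore64.dll (Fortinet Inc.),
                                  version: 1.0.0.0003
00007FFE245E0000-00007FFE246FB000 C:\Windows\System32\hmpalert.dll (SurfRight B.V.),
                                  version: 3.8.0.515
00007FFE24B60000-00007FFE24E28000 C:\Windows\System32\KernelBase.dll (Microsoft Corporation),
                                  version: 10.0.19041.572 (WinBuild.160101.0800)

Process Trace
1  C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE [14368]
"""

# module is None when the return address lies in anonymous (image-less) memory;
# owner is the image the report attributes such a stub to.
Frame = namedtuple("Frame", "idx addr module owner location")
Module = namedtuple("Module", "start end path vendor version")
Report = namedtuple("Report", "fields frames modules")

HEX = r"[0-9A-Fa-f]{16}"
FIELD_RE = re.compile(r"^(?P<key>[A-Z][A-Za-z ]*?)\s{2,}(?P<value>\S.*?)\s*$")
FRAME_RE = re.compile(rf"^(?P<idx>\d+)\s+(?P<addr>{HEX})\s+"
                      r"(?:\(anonymous;\s*(?P<owner>[^)]+)\)|(?P<module>\S+))(?:\s+(?P<location>\S.*?))?\s*$")
MODULE_RE = re.compile(rf"^(?P<start>{HEX})-(?P<end>{HEX})\s+(?P<rest>.+?)\s*$")
SECTIONS = {"Stack Trace": "stack", "Loaded Modules": "modules", "Process Trace": "procs"}  # procs not parsed
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")  # heuristic, not a product setting

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def parse_report(text: str) -> Report:
    rep, section, last_key = Report({}, [], []), "header", None
    for line in textwrap.dedent(text).splitlines():  # dedent so a forum-indented paste parses too
        s = line.strip()
        if not s:
            continue
        if s.split(" (")[0] in SECTIONS:
            section = SECTIONS[s.split(" (")[0]]
        elif section == "header":
            m = FIELD_RE.match(line)
            if m:
                last_key = m["key"]
                rep.fields[last_key] = m["value"]
            elif line[0].isspace() and last_key == "Callee Type":
                rep.fields["Callee Target"] = s  # indented continuation: the DLL being loaded
        elif section == "stack":  # indented disassembly lines under a frame do not match and are skipped
            m = FRAME_RE.match(line)
            if m:
                rep.frames.append(Frame(int(m["idx"]), int(m["addr"], 16), m["module"], m["owner"], m["location"]))
        elif section == "modules":
            m = MODULE_RE.match(line)
            if m:
                path, _, vendor = m["rest"].rstrip(",").rpartition(" (")
                rep.modules.append(Module(int(m["start"], 16), int(m["end"], 16), path, vendor.rstrip(")"), ""))
            elif s.startswith("version:") and rep.modules:
                rep.modules[-1] = rep.modules[-1]._replace(version=s[len("version:"):].strip())
    return rep

def module_at(rep: Report, addr: int):
    """Image whose mapped range contains addr, or None if it lies outside every image."""
    return next((m for m in rep.modules if m.start <= addr < m.end), None)

def triage(rep: Report, trusted_vendors=("Microsoft Corporation",)) -> list:
    out = []
    target = rep.fields.get("Callee Target", "")
    if target:  # what LoadLibrary was asked to load, and whether it sits in a normal install location
        where = "expected-location" if target.lower().startswith(TRUSTED_DIRS) else "UNEXPECTED-LOCATION"
        out.append(("callee", target, where))
    for f in rep.frames:
        if module_at(rep, f.addr) is None:  # return address outside every mapped image
            by = next((m.vendor for m in rep.modules if basename(m.path).lower() == (f.owner or "").lower()),
                      "unknown vendor")
            out.append(("anonymous-frame", f"#{f.idx} {f.addr:016X}", f"attributed to {f.owner} ({by})"))
    for m in rep.modules:  # non-Microsoft code loaded into the Office process
        if m.vendor not in trusted_vendors:
            out.append(("third-party-module", basename(m.path), m.vendor))
    return out

if __name__ == "__main__":
    for kind, what, detail in triage(parse_report(SAMPLE_REPORT)):
        print(f"{kind:19} {what:45} {detail}")
```

Run it directly to print the findings for the sample, or pass the text of a report copied from the event details to parse_report(). The two questions it answers are the ones that separate a hook conflict from an attack: is the return address that tripped the check inside a mapped image, and if not, which loaded module does the report attribute it to and who signs that module. A frame outside every image in a process with no third-party modules loaded is the case to investigate as a genuine ROP attempt.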
