Exploit Mitigation: Prevent Credential Theft / Prevent Privilege Escalation Exclusions?

Question

We are attempting to run an Active Directory migration tool on our domain controllers, the migration tool is called Quest Migration Manager. 
 Sophos was originally blocking some of the background processes with the software and throwing CredGuard errors in Event Viewer. After implementing a policy were it excluded several processes and folders with the software, the error in Event Viewer went away. The software is still not working properly, and after much testing it was revealed that when we had "Prevent Credential Theft" and "Prevent Privilege Escalation" unselected in the Runtime Protection>Protect Processes portion of the policy, the software works just fine. 
 Since this software would need to work on about 6 or 7 domain controllers, our organization is a bit apprehensive about disabling "Prevent Credential Theft" and "Prevent Privilege escalation" on our domain controllers. Does anyone have any idea on where to begin on where we could program an exclusion in for these two processes? 
 I have just about every other crucial process with the software in a global exclusion policy but the software just won't work until "Prevent Credential Theft" and "Prevent Privilege escalation" are unchecked.

Qoosh · Answer

Hello Justin, 
 Thank you for contacting the Sophos Community. I had a look through some of our related support cases and found the following executable to be the one that was detected by Intercept X. Have you tried applying an "Exploit Mitigation Exclusion" so that this executable will not be scanned by Intercept X? 
 Application C:\Windows\System32\AelAgentMS64.exe - https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/learningContents/StopDetectingExploit.html 
 The steps that apply to you will be under "Stop checking for all exploits on an application". 
 If you already have a support case opened with our team, try supplying the Case ID here and I can check on the progress to see which steps were already tried. 
 Kushal Lakhan 
 Global Community Support Engineer | Global Community Team Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts If a post solves your question use the 'Verify Answer' link.

RichardP · Answer

Hi, 
 Whitethumbprints are exclusively generated by our development team. You would need to create a support case (sounds like you have already) and it would need to be sent to development with an example of the EXE in question for them to eval if they can create a thumbprint. Not all requests are accepted because a thumbprint needs to be specific enough that it doesn't allow compromise of the system. 
 As another note, exclusions for EXEs don't apply to the InterceptX exploit mitigation detections - so you can exclude a EXE from being scanned by the endpoint but if it stills does an action that would trigger an exploit mitigation then it will still be blocked. Some of the mitigations can have exclusions applied (ie you can unload the driver from those types of EXEs and therefore the EXE can do what it wants) - however, for the specific case of this software I couldn't give you advice on how to craft the right policy without seeing the exact behaviour of the EXE. Support should be able to though.,

Exploit Mitigation: Prevent Credential Theft / Prevent Privilege Escalation Exclusions?

Top Replies

Submitted a Tech Support Case lately from the Support Portal?