Any protection update against CVE-2021-40444 in Exploit Prevention of Endpoint Security and Control 10.8?

as subject



  • Hello Timothy,

    Thank you for contacting the Sophos Community. Sophos has released the following news article regarding this vulnerability. 
    https://nakedsecurity.sophos.com/2021/09/08/windows-zero-day-mshtml-attack-how-not-to-get-booby-trapped/

    Within the article the following AV detection names are outlined. You can also see "CXmail/CXweb" detections generated from matching files. 

    Exp/2140444-A
    Troj/JSExp-W
    Troj/Cabinf-A
    Troj/Agent-BHRO
    Troj/Agent-BHPO

    Intercept X has a behavioral detection that corresponds with the behavior of the exploit itself.

    Any web-servers seen in the attacks will have their IP addresses re-classified as "C2" destinations, or "Malware/Callhome". 

     

    Kushal Lakhan
    Global Community Support Engineer | Global Community Team
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link. 
  • I did a live query with the suggested code from the article and it gives me

    Complete, no data sent

    for all endpoints.

    The reg keys are not present. So there should be some message like "ActiveX setting does not match the Microsoft recommendation"

    SELECT name, type, data, datetime(mtime, 'unixepoch', 'localtime') AS registryWriteTime,
    CASE
       WHEN data = '3' THEN 'ActiveX set to DISABLED as recommended by Microsoft'
       ELSE 'ActiveX setting does not match the Microsoft recommendation'
    END AS mitigationStatus
    FROM registry
    WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%\1001' 
    OR path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%\1004'

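The following is an added example, not code from this thread, from the Naked Security article or from Sophos. It reworks the Live Query above so that an endpoint with no policy keys still returns a row. The original statement selects only from osquery's registry table, and that table returns zero rows for a path that does not exist, so the CASE expression never runs and Live Query reports "Complete, no data sent". Building the list of expected value paths in a CTE and LEFT JOINing the registry table against it gives one row per zone and value regardless of whether the key exists. Assumptions: the Microsoft workaround writes DWORD values 1001 (download signed ActiveX) and 1004 (download unsigned ActiveX) set to 3 (disable) under the IE zone keys 0 to 4 (adjust the zone list if your policy only targets the zones in Microsoft's .reg file); osquery renders REG_DWORD data as a decimal string, so the comparison is against '3'; and osquery pushes the `path = e.path` join condition into the registry table as the per-row path constraint it requires, as it does for other constrained tables.

```sql
-- Added example (not from the original thread or from Sophos): an osquery
-- Live Query that reports a row for every expected policy value, including
-- values that are absent. Absent values show NULL data and a "missing" status
-- instead of producing no output at all.
--
-- Assumptions (see lead-in): IE zones 0..4, values 1001 and 1004, DWORD 3
-- means disabled, and REG_DWORD data is returned by osquery as text ('3').
WITH expected(zone, value_name, path) AS (
  SELECT z.zone,
         v.name,
         'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\'
           || z.zone || '\' || v.name
  FROM (SELECT '0' AS zone UNION ALL SELECT '1' UNION ALL SELECT '2'
        UNION ALL SELECT '3' UNION ALL SELECT '4') AS z
  CROSS JOIN (SELECT '1001' AS name UNION ALL SELECT '1004') AS v
)
SELECT
  e.zone,
  e.value_name,
  r.data,
  -- mtime is NULL when the value is absent, so registryWriteTime is NULL too
  datetime(r.mtime, 'unixepoch', 'localtime') AS registryWriteTime,
  CASE
    -- LEFT JOIN produced no registry row: the policy value is not set at all
    WHEN r.data IS NULL THEN 'Policy value missing: ActiveX NOT disabled for this zone'
    WHEN r.data = '3'   THEN 'ActiveX set to DISABLED as recommended by Microsoft'
    ELSE 'ActiveX setting does not match the Microsoft recommendation (data=' || r.data || ')'
  END AS mitigationStatus
FROM expected e
LEFT JOIN registry r ON r.path = e.path
ORDER BY e.zone, e.value_name;
```

Run it as a Live Query against the same endpoints: a fully unmitigated machine now returns ten rows, all with the "missing" status, rather than an empty result. The "data=" suffix in the ELSE branch makes it visible when a value exists but was set to something other than 3 (for example 0, which enables the control).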
