Royal TS Generates

I use Royal TS to access remote VMs. Last week, Sophos EDR started generating an Investigation after each use. Has anyone else seen this or have any thoughts? Classification rule is WIN-MITRE-Behavioral-TA0005-T1055.012

Has a risk value of 8

Detection Name HeapHeapProtect

Yet it shows Good Known Reputation

Seems a little counterintuitive

Top Replies

  • FormerMember
    FormerMember in reply to Mark McGrath +1 suggested

    Hi Mark,

    Royal TS is not a known application by Sophos.

    Here are your options:

    Submit the setup of that app using this link so the SophosLabs team can put Royal TS on the application control list in Central. After SophosLabs is done putting it on the list, you can just select to allow or block it on certain groups or all of your users.

    https://support.sophos.com/support/s/filesubmission?language=en_US

    The other thing you can try is to put a scanning exclusion AND an exploit exclusion based on the folder location of the app.

    You can create a custom threat protection policy > create the exclusions there and assign users/devices that will use this policy.

    Regards,

    Fernan Tutor
