Customers (Central Dashboard and Enterprise Dashboard), as well as Partners (Partner Dashboard), could see an excessive number of Audit log entries that reference both 'alerts:read' and 'endpoint-state:read'.
The Sophos RMM software plug-in polls all of the Partner's customers. This currently includes any of the Partner's customers that are either not managed by the Partner or are currently Trial/Evaluation customers.
Our APIs handle the rejection of non-managed tenants by reading the permissions embedded in the API token and returning a 403 when the credential does not have permission for that tenant. This in turn results in an "access denied" Audit log entry being logged in the Central Dashboard (and in the corresponding Partner and/or Enterprise Dashboards).
If there are any questions or concerns about these entries, please contact Sophos Technical Support for help or clarification on what is being logged. Please reference this Known Issue entry. Note that, pending any future Sophos Automate or Kaseya VSA plug-in updates that may address this, these errors/entries are expected and can be ignored.
Currently our integration does not allow leading typographical symbols in ticket status names. Until this investigation concludes, please only use/select ticket status names that begin with an alphanumeric character.
This is expected behavior. To identify how long Remote Access was previously set for, compare the current Remote Access expiration date shown below the drop-down with the date shown in the audit log entry from when Remote Access was enabled.
While these are different detections (within the archive), when viewed in Central they appear to come from the same archive file. This makes them look like duplicates when, in fact, they are separate detections.
For example, if you have 10 copies of psexec in 10 different locations within a single archive file, and you are scanning for PUAs, the endpoint will detect each of the 10 separate PUA locations and trigger 10 separate detection alerts that will also be seen in your Partner Dashboard and PSA Ticketing integration.
How to handle the multiple tickets will depend on how an organization will address this scenario. If the single archive file will be removed or addressed, then only one of the tickets needs to be open. If the archive file needs to remain, then each one of the individual paths (and alerts/tickets created) will be valid until they are resolved.
When choosing the country for your customer in this form, first select the drop-down menu with your mouse, then choose the country from the drop-down list (either by typing or by using the scroll bar to select).
It is expected behavior that when an Enterprise Administrator creates, edits or deletes a Custom Dashboard within one Subestate, it will also be created, updated, or deleted for all Subestates in the Enterprise environment.
If a Partner or Enterprise Administrator attempts to add non-local administrators to firewall reports (Firewall Management > Report Generator > (add or edit any report) > Available Recipients section), the following applies:
Any Partner or Enterprise Dashboard administrators you add will not receive the report via email. Additionally, when you reopen the report, the administrator names that were added will show as UUIDs.
When using API credentials (Service Principals), certain JWT token refresh errors can be logged in the Central Dashboard's Audit log as 'anonymous:' and 'failed authentication' with the source IP (e.g. the siem.py script, the AD Sync utility, etc.). This is an expected logging event that can occur during normal operation and it does not require any follow-up action.
To prevent a Guest userType from creating a mailbox in this scenario, you must prevent those users from being synced into your Central Dashboard. To do this, configure your Sophos Central Entra Directory Services sync to filter out/exclude Guest users.
This is expected behavior when the user/admin in question does not have any configured MFA settings. This can be because the MFA reset option has already been selected, or because this user/admin has not yet logged in for the first time to configure their login.
If the API credential previously used is no longer present within Settings > API Credentials Management, and there is nothing in the Audit log showing it was removed, then the credential has aged out.
Sophos Central API credentials have defined lifetimes during which they may be used to authenticate to Sophos APIs for data collection and alerting. By design, when an API credential expires it will no longer be allowed to authenticate to Sophos APIs. Creating new API credentials to replace the prior credentials will quickly resolve any access interruption from expired API credentials.
The creation, last used, and expiration dates for unexpired API credentials can be reviewed in Sophos Central's API Credentials Management page. Since expired API credentials are unusable, any references to them are automatically removed from the Sophos Central console by design.
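As an added example (not Sophos' own code), the following script works through the two credential outcomes described above: a 401 from an aged-out or otherwise invalid credential, and a 403 from a tenant the credential is not permitted for, which is what produces the "access denied" Audit log entries when an RMM plug-in polls every tenant. The token, whoami and tenant endpoints and their scoping headers follow the public Sophos Central API documentation; the tenant_alerts_request helper and the status wording are this example's own assumptions.

```python
import json
import sys
import urllib.error
import urllib.parse
import urllib.request
TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"      # documented Sophos Central endpoints
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"

def get_token(client_id, client_secret):
    """Exchange an API credential (client id/secret) for a bearer token."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": "token",
                                   "client_id": client_id, "client_secret": client_secret}).encode()
    with urllib.request.urlopen(urllib.request.Request(TOKEN_URL, data=body, method="POST")) as resp:
        return json.load(resp)["access_token"]

def get_json(url, token, extra_headers=None):
    """GET a JSON resource; return (status, body) instead of raising so 401/403 can be classified."""
    headers = {"Authorization": f"Bearer {token}", **(extra_headers or {})}
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None

def tenant_listing_request(whoami):
    """Choose the tenant-listing URL and scoping header from a whoami response."""
    host, ident = whoami["apiHosts"]["global"], whoami["id"]
    if whoami["idType"] == "partner":
        return f"{host}/partner/v1/tenants", {"X-Partner-ID": ident}
    if whoami["idType"] == "organization":
        return f"{host}/organization/v1/tenants", {"X-Organization-ID": ident}
    raise ValueError("a tenant-level credential cannot list other tenants")

def tenant_alerts_request(tenant):
    """Tenant-scoped alerts query (assumed helper), the kind of call an RMM plug-in polls every tenant with."""
    return f"{tenant['apiHost']}/common/v1/alerts", {"X-Tenant-ID": tenant["id"]}

def classify_status(status):
    """Map a status code onto the two known-issue cases this page describes (wording is ours)."""
    return {200: "ok",
            401: "rejected: token invalid or the credential has aged out of API Credentials Management",
            403: "denied: credential lacks permission for this tenant (expected 'access denied' audit entry)",
            }.get(status, f"unexpected HTTP {status}")

if __name__ == "__main__":                            # usage: script.py CLIENT_ID CLIENT_SECRET
    token = get_token(sys.argv[1], sys.argv[2])
    url, headers = tenant_listing_request(get_json(WHOAMI_URL, token)[1])
    for tenant in (get_json(url, token, headers)[1] or {}).get("items", []):
        url, headers = tenant_alerts_request(tenant)  # one probe per tenant, as the plug-in does
        print(tenant["id"], classify_status(get_json(url, token, headers)[0]))
```

A tenant reported as "denied" is one the credential is not managing (or a Trial/Evaluation tenant), so its audit entry is expected rather than a sign of a broken credential.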
If the API credentials used are active and confirmed valid (this can be tested using Postman or curl to do a basic whoami and tenant list query outside of Kaseya) and this error continues to be triggered, please ensure that the following is open (without any regional restrictions) from your VSA server:
Sometimes during the EDB enablement process, the conversion of the Central Super Admin to Enterprise Super Admin may fail. In that scenario, you will get an 'Authentication Failure' when trying to log back into your newly created Enterprise Dashboard.
It is recommended to upload users in batches of 1000 at a time. It is possible to upload more at once, though depending on the time of day (peak business hours) you may experience this timeout behavior.
Google Chrome and Microsoft Edge for macOS have updated to version "124", which enables the feature "TLS 1.3 hybridized Kyber support". When this setting is enabled and running alongside Sophos Central Endpoint for macOS, some web pages may not load.
Apple Advanced Tracking and Fingerprint Protection on macOS 14 (Sonoma) by design does not pass traffic to any web filters on the system. While this feature is enabled, Web Protection / Web Control will not be able to see the traffic.
This feature is enabled for Private Browsing tabs in Safari by default on macOS 14 (Sonoma), and only affects that OS. In the Safari security preferences, it is possible to also enable this feature for all browser connections, or for none. Any connections with this feature enabled will not be checked by Web Protection / Control.
Application Control cannot detect/block script applications or Java JAR applications during direct execution. It requires a binary package such as .app, .pkg or .dmg to detect/block. On-access scanning is not affected by this limitation.
Apple iCloud Private Relay uses an isolated connection that the OS does not provide to Sophos for purposes of web protection or control. If a user enables this (paid subscription from Apple), we cannot provide web protection or control on the system for non-local traffic.
A blank character at the end of an Exploit Mitigation or Ransomware Protection exclusion will be accepted by Sophos Central and passed down to the endpoint. This may not match the intended process, and so will not be excluded.
The "Microsoft 365 network connectivity test" fails with a BrowserAncestorPowershell alert against the NetworkOnboardingClient 1.9. This is a legitimate detection caused by the network connectivity test behavior, which gets blocked by the Lockdown mitigation policy. The alert will be suppressed with the release of Intercept X 2024.3 and the network connectivity test can be completed successfully.
This allows it to be successfully loaded in processes with integrity level 8 or lower, instead of integrity level 7 or lower. While this will prevent the majority of events from being logged, processes running at a higher integrity level that are attempting to load the SophosAMSIProvider.dll will still produce an event.
Running a live session as another user using the run-as utility will send a SATC login to the XG Firewall; however, on termination of the session the connection remains as an active connection on the firewall. The connection must be manually terminated on the XG.
An Exploit Mitigation alert of type DLLHijackGuard does not create an event in Sophos Central or on the local Endpoint UI. The alert details are only logged to the local Eventlog of the system under HitmanPro.Alert EventID 911. This is expected behavior.
Due to an issue in the enumeration function of the Sophos Endpoint, Endpoints with Data Loss Prevention enabled may freeze and eventually crash with stop code DRIVER_POWER_STATE_FAILURE (9f) when a security token (e.g. YUBIKEY) is attached to the system.
If a version of the installer prior to 1.6 (released late 2019) is used in 2023 or later, it will result in a damaged install (no MCS communication and other problems). Uninstall, then reinstall with a newer installer.
During a shutdown of the Operating System, when the Sophos HitmanPro.Alert service has already been stopped but a 3rd-party service (i.e. the HPAudioAnalytics service) is delaying the shutdown because it is not correctly responding to the stop request, the Sophos Health Service marks the Sophos HitmanPro.Alert service as stopped and changes the Endpoint health state from Green to Red.
On the subsequent startup of the Operating System, the Endpoint health state is still Red. This may lead to the Endpoint being isolated if the option 'Allow computers to isolate themselves on red health' is enabled in the Threat Protection policy.
ConnectWise Automate / LabTech Agent (LTAgent.exe) triggers Dynamic Shellcode mitigation on Servers running Intercept X with Exploit Mitigation and Dynamic Shellcode protection enabled. The ConnectWise Automate host server is unable to launch Automate Control Center as it relies on LTAgent.exe, which fails to launch.