{"id":25010,"date":"2024-08-01T03:20:57","date_gmt":"2024-08-01T11:20:57","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/08\/01\/news-18740\/"},"modified":"2024-08-01T03:20:57","modified_gmt":"2024-08-01T11:20:57","slug":"news-18740","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/08\/01\/news-18740\/","title":{"rendered":"Driving lessons: The kernel drivers in Sophos Intercept X Advanced"},"content":{"rendered":"

Credit to Author: Matt Wixey| Date: Thu, 01 Aug 2024 09:42:02 +0000<\/strong><\/p>\n

\n

Operating in \u2018kernel-space\u2019 \u2013 the most privileged layer of an operating system, with direct access to memory, hardware, resource management, and storage \u2013 is vitally important for security products. It enables them to monitor \u2018user-space\u2019 \u2013 the non-privileged environment where applications run \u2013 and protect against malware that executes in that environment, even when it tries to evade detection. But kernel access also allows security products to counter more insidious threats within the kernel itself. As we\u2019ve reported previously, for example, some threat actors use BYOVD (Bring Your Own Vulnerable Driver) attacks<\/a>, or attempt to get their own malicious drivers cryptographically signed<\/a>, in order to access kernel-space and take advantage of that elevated level of access.<\/p>\n

However, from a security standpoint, working in kernel-space comes with its own risks. A wrong step in this environment \u2013 such as a bad update to a kernel driver \u2013 can cause outages. If the driver in question starts at boot time, when the operating system first loads, that can lead to prolonged impacts, potentially requiring affected hosts to be started in a recovery mode to mitigate the problem and allow the machines to boot normally.<\/p>\n

Sophos\u2019 Intercept X Advanced product uses five kernel drivers as of release 2024.2. All drivers are extensively tested* with applicable flags enabled and disabled, and shipped with new flags disabled. (Sophos Intercept X and Sophos Central use feature flags to gradually enable new features. Feature flags are deployed through Sophos Central. New features are typically \u2018guarded\u2019 by feature flags \u2013 turned off unless the flag is enabled – so that the feature can be rolled out gradually and potentially revised before wider enablement.)<\/p>\n

In this article, in the interests of transparency, we\u2019ll explore what those drivers are, what they do, when they start, how they\u2019re signed, and what their inputs are. We\u2019ll also explore some of the safeguards we put in place around these drivers to minimize the risk of disruption (such as staged rollouts, as mentioned above; we provide an example of this later in the article), and the options available to customers when it comes to configuring them. It\u2019s also worth noting that Intercept X Advanced and all its components, including the kernel drivers, has been part of an external bug bounty program<\/a> since December 14, 2017; we welcome scrutiny via external bug bounty submissions, and we foster a culture of collaboration with the research community.<\/p>\n

* ‘Testing’ refers to a range of internal testing, including Microsoft-provided tools and verifiers<\/em><\/p>\n

Overview<\/h1>\n

The following table provides an at-a-glance overview of the five kernel drivers which are part of Intercept X Advanced release 2024.2.<\/p>\n

Table 1: An overview of the kernel drivers in Intercept X Advanced2024.2<\/em>
* Microsoft Windows Early Launch Anti-malware Publisher<\/em>
+ Microsoft Windows Hardware Compatibility Publisher<\/em><\/p>\n

\"A<\/a><\/p>\n

Figure 1: A conceptual depiction of user-space\/kernel boundaries and where Intercept X Advanced components operate<\/em><\/p>\n

SophosEL.sys<\/h1>\n

What it does:<\/strong> SophosEL.sys is the Sophos Early Launch<\/a> Anti-Malware (ELAM) driver.<\/p>\n

Inputs:<\/strong> This driver has one input \u2013 a blocklist of known-bad drivers which must be prevented from executing as boot start drivers at machine startup. This blocklist, located at the registry key below, is set by Sophos user-space threat detection logic when it detects a malicious driver. At the next boot cycle, SophosEL.sys ensures that this driver is not loaded.<\/p>\n\n\n\n\n
Input<\/td>\nDescription<\/td>\nProtection<\/td>\n<\/tr>\n
HKLMSYSTEMCurrentControlSetServicesSophos ELAMConfig<\/td>\nBlocklist of known-bad drivers<\/td>\nDACLs<\/a>; Sophos Tamper Protected<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

Customer options: <\/strong>Customers can configure remediation and allowed items in the Threat Protection policy<\/a> from Sophos Central.<\/p>\n

Additional measures:<\/strong> Any Microsoft or Sophos-signed driver is exempt from cleanup\/blocking.<\/p>\n

SophosED.sys<\/h1>\n

What it does:<\/strong> SophosED.sys (Endpoint Defense) is a boot start driver, started during ELAM processing and before many other kernel drivers are loaded, Windows user-space is initialized, and the system drive is mounted. It has three broad responsibilities:<\/p>\n

    \n
  1. Providing tamper protection for the Sophos installation and configuration<\/li>\n
  2. Exposing system activity events to Sophos user-space components for protection and detection<\/li>\n
  3. Recording low-level system activity events to the Sophos Event Journals for after-the-fact forensics and analysis<\/li>\n<\/ol>\n

    Inputs:<\/strong> Since SophosED.sys starts before the filesystem is available, its entire configuration is provided through its service key. Note that all the below inputs are under HKLMSYSTEMCurrentControlSetServicesSophos Endpoint Defense.<\/p>\n

    Filter driver altitudes inputs<\/h2>\n

    SophosED.sys registers with Windows as a Mini-Filter driver<\/a> at multiple altitudes<\/a> (a unique identifier that defines a driver\u2019s position on the \u2018stack\u2019 of drivers, with \u2018lower\u2019 drivers being closer to bare metal) allocated and approved by Microsoft<\/a>.<\/p>\n\n\n\n\n
    Input<\/td>\nDescription<\/td>\nProtection<\/td>\n<\/tr>\n
    HKLMSYSTEMCurrentControlSetServicesSophos Endpoint DefenseInstances<\/td>\nMultiple altitudes allocated by Microsoft<\/td>\nDACLs; Sophos Tamper Protected<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Tamper Protection inputs<\/h2>\n

    Sophos Tamper Protection is configured by a combination of customer policies, Sophos feature flags, and signed manifests built into the agent.<\/p>\n\n\n\n\n\n
    Input<\/td>\nDescription<\/td>\nProtection<\/td>\n<\/tr>\n
    HKLMSYSTEMCurrentControlSetServicesSophos Endpoint DefenseTamperProtectionConfig<\/td>\nCustomer policy (On\/Off, configuration password*)<\/td>\nDACLs; Sophos Tamper Protected<\/td>\n<\/tr>\n
    HKLMSYSTEMCurrentControlSetServicesSophos Endpoint DefenseTamperProtectionComponents<\/p>\n

    HKLMSYSTEMCurrentControlSetServicesSophos Endpoint DefenseTamperProtectionServices<\/td>\n

    		Manifest of protected keys, folders, services etc<\/td>\nSigned; verified by driver before loading<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    * The configuration password is hashed with PBKDF2-SHA512 and a salt<\/em><\/p>\n

    System Activity Events inputs<\/h2>\n

    The Sophos Central Threat Protection policy supports multiple configuration options, which Sophos user-space processes write to the SophosED.sys registry key, so that they\u2019re available when the driver is loaded.<\/p>\n\n\n\n\n\n
    Input<\/td>\nDescription<\/td>\nProtection<\/td>\n<\/tr>\n
    HKLMSYSTEMCurrentControlSetServicesSophos Endpoint DefenseScanningConfig<\/td>\nCustomer policy (On\/Off, exclusions, and lots more)<\/td>\nDACLs; Sophos Tamper Protected<\/td>\n<\/tr>\n
    HKLMSYSTEMCurrentControlSetServicesSophos Endpoint DefenseEndpointFlags<\/td>\nSophos feature flags (various)<\/td>\nDACLs; Sophos Tamper Protected<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Event Journal inputs<\/h2>\n\n\n\n\n\n
    Input<\/td>\nDescription<\/td>\nProtection<\/td>\n<\/tr>\n
    HLKMSYSTEMCurrentControlSetServicesSophos Endpoint DefenseEventJournalConfig<\/td>\nCustomer policy (exclusions, disk limits)<\/td>\nDACLs; Sophos Tamper Protected<\/td>\n<\/tr>\n
    HLKMSYSTEMCurrentControlSetServicesSophos Endpoint DefenseEventJournalFeatures<\/td>\nIf a subkey exists with a DWORD value Enabled =1, event journals are enabled<\/td>\nDACLs; Sophos Tamper Protected<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Customer options:<\/strong> Customers can configure disk limits and manage exclusions in Sophos Central Threat Protection policy.<\/p>\n

    Additional measures:<\/strong> If a driver facility is available (based on a combination of Customer Policy plus Sophos flag), then Sophos user-space processes can configure various parameters at runtime:<\/p>\n