Changeset 79642 in vbox for trunk/src/VBox/HostDrivers/Support/win

Timestamp:

Jul 9, 2019 1:04:43 PM (6 years ago)

Author:

vboxsync

Message:

SUPHardNt: Added preliminary detection of another endpoint protection solution.

File:

• trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp (modified) (3 diffs)

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp

@@ -377 +377 @@
 /** Avecto / Defendpoint / Privilege Guard (details from support guy, hoping to get sample copy). */
 #define SUPHARDNT_ADVERSARY_AVECTO                  RT_BIT_32(17)
+/** Sophos Endpoint Defense. */
+#define SUPHARDNT_ADVERSARY_SOPHOS                  RT_BIT_32(18)
 /** Unknown adversary detected while waiting on child. */
 #define SUPHARDNT_ADVERSARY_UNKNOWN                 RT_BIT_32(31)
@@ -5806 +5808 @@
         { SUPHARDNT_ADVERSARY_CYLANCE,              "cyprotectdrv" }, /* Not verified. */
 
-        { SUPHARDNT_ADVERSARY_BEYONDTRUST,          "privman" }, /* Not verified. */
+        { SUPHARDNT_ADVERSARY_BEYONDTRUST,          "privman" },   /* Not verified. */
+        { SUPHARDNT_ADVERSARY_BEYONDTRUST,          "privmanfi" }, /* Not verified. */
 
         { SUPHARDNT_ADVERSARY_AVECTO,               "PGDriver" },
+
+        { SUPHARDNT_ADVERSARY_SOPHOS,               "SophosED" }, /* Not verified. */
     };
 
@@ -5928 +5933 @@
 
         { SUPHARDNT_ADVERSARY_BEYONDTRUST, L"\\SystemRoot\\System32\\drivers\\privman.sys" },
+        { SUPHARDNT_ADVERSARY_BEYONDTRUST, L"\\SystemRoot\\System32\\drivers\\privmanfi.sys" },
         { SUPHARDNT_ADVERSARY_BEYONDTRUST, L"\\SystemRoot\\System32\\privman64.dll" },
         { SUPHARDNT_ADVERSARY_BEYONDTRUST, L"\\SystemRoot\\System32\\privman32.dll" },
 
         { SUPHARDNT_ADVERSARY_AVECTO, L"\\SystemRoot\\System32\\drivers\\PGDriver.sys" },
+
+        { SUPHARDNT_ADVERSARY_SOPHOS, L"\\SystemRoot\\System32\\drivers\\SophosED.sys" }, // not verified
     };