Hello!
We've had a question from customers about whether EDR can detect exploitation of CVE-2022-30190. Is this possible? And just looking ahead to the next time we get asked, is there a way to check such things within the UI?
Thanks very much!
Tim
Hi Tim,
I hope I can answer your questions, but let me know if I missed anything.
WithSecure EDR will be able to detect the resulting child processes if this vulnerability is exploited.
The following detections may be generated when the vulnerability is exploited:
EDR:
msdt spawned by iexplore - HIGH severity
office apps spawned msdt - HIGH severity
sdiagnhost spawned conhost - LOW severity
office as grandparent process - LOW severity
We do not have any documentation created, nor are we able to distribute a POC, but you can use publicly available tools to create one: https://github.com/JohnHammond/msdt-follina
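The four EDR detections listed in the reply above are all process-lineage rules (which image spawned which, and what sits one level further up). The following is an added illustration of how such parent/grandparent checks evaluate against process-creation events; it is not WithSecure's detection logic, and the event records, field layout and the `OFFICE_APPS` set are constructed for the example.

```python
"""Toy process-lineage checker for the four detection names quoted in the reply.
Added example, not vendor code: the events below are constructed, and the
severity labels are copied from the reply for illustration only."""

# Assumed set of Office host processes (constructed for this example).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample of process-creation events: (pid, parent pid, image name).
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe"),
    (200, 100, "WINWORD.EXE"),      # Office app opened by the user
    (300, 200, "msdt.exe"),         # troubleshooter launched from Word
    (400, 300, "sdiagnhost.exe"),   # diagnostic host under msdt
    (500, 400, "conhost.exe"),      # console host under sdiagnhost
    (600, 100, "iexplore.exe"),
    (700, 600, "msdt.exe"),         # troubleshooter launched from IE
    (800, 100, "notepad.exe"),      # benign, should produce no hits
]


def build_tree(events):
    """Map pid -> (parent pid, lower-cased image name)."""
    return {pid: (ppid, image.lower()) for pid, ppid, image in events}


def ancestor(tree, pid, depth):
    """Return the image name `depth` levels above pid, or None if unknown."""
    for _ in range(depth):
        if pid not in tree:
            return None
        pid = tree[pid][0]
    return tree[pid][1] if pid in tree else None


def evaluate(tree, pid):
    """Return the list of (detection name, severity) pairs that match pid."""
    image = tree[pid][1]
    parent = ancestor(tree, pid, 1)
    grandparent = ancestor(tree, pid, 2)
    hits = []
    if image == "msdt.exe" and parent == "iexplore.exe":
        hits.append(("msdt spawned by iexplore", "HIGH"))
    if image == "msdt.exe" and parent in OFFICE_APPS:
        hits.append(("office apps spawned msdt", "HIGH"))
    if image == "conhost.exe" and parent == "sdiagnhost.exe":
        hits.append(("sdiagnhost spawned conhost", "LOW"))
    if grandparent in OFFICE_APPS:
        hits.append(("office as grandparent process", "LOW"))
    return hits


def scan(events):
    """Evaluate every process in the event set; keep only those with hits."""
    tree = build_tree(events)
    results = {}
    for pid in tree:
        hits = evaluate(tree, pid)
        if hits:
            results[pid] = hits
    return results


if __name__ == "__main__":
    for pid, hits in sorted(scan(SAMPLE_EVENTS).items()):
        for name, severity in hits:
            print(f"pid {pid}: {name} [{severity}]")
```

Running the sample gives two HIGH hits (pids 300 and 700) and two LOW hits (pids 400 and 500) while the benign notepad process produces nothing, which is the shape of evidence a responder would expect to see in the EDR console if the chain described above actually executed on an endpoint.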
Hi,
Client Security and Elements Endpoint Protection products can detect the Follina vulnerability through DeepGuard with the detection Exploit:W32/Follina.A!DeepGuard.
Hello, does this mean that F-Secure Client Security is not able to detect this vulnerability?
THX
Thanks for your quick response. Yes, that's the Follina vulnerability. Very good news if it is indeed detected. Is there a way to be certain? We're liable for anything we tell the customers so kind of need to be sure.
Also, is there a way for us to check these things for ourselves? What often happens here is that whenever the media notice a vulnerability, we get calls from customers asking if it's detected. It would be great if there were a page/resource where we could search for detected vulnerabilities by CVE or maybe chronological order.
I'll make the second question a separate post.
Thanks!
This is about the MS Doc Follina vulnerability, correct? I believe our detection team has already fixed this with high priority.
Regarding your second question, is that separate from the vulnerability? If yes, do let me know so I can split it into a new topic.