LoFP / Some FPs may occur when the feature is disabled by the AV itself; you should always investigate whether the action was legitimate.

Techniques

Sample rules

Tamper With Sophos AV Registry Keys

Description

Detects tampering attempts against Sophos AV functionality via registry key modification.

Detection logic

condition: selection
selection:
  Details: DWORD (0x00000000)
  TargetObject|contains:
  - \Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled
  - \Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled
  - \Sophos\SAVService\TamperProtection\Enabled
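The following is an added example, not code from the LoFP page or from the Sigma project: it transcribes the selection above into Python and evaluates it against a few constructed Sysmon Event ID 13 (registry value set) records. The record shape (TargetObject, Details, Image) follows Sysmon's registry event fields; the sample events and the process paths in them are constructed. Sigma string matching is case-insensitive and all fields of a selection map must match, so both the exact Details check and the TargetObject contains check are applied together. The matched events keep their Image field because that is what the false-positive note on this page asks an analyst to look at: a change written by the AV's own components is the case to rule out before treating a hit as tampering.

```python
# Added example: evaluate the Sigma selection from the rule against
# constructed Sysmon Event ID 13 records. Not part of the original page.
from dataclasses import dataclass

# Selection transcribed from the rule on the page.
DETAILS_EXACT = "DWORD (0x00000000)"
TARGET_OBJECT_CONTAINS = (
    r"\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled",
    r"\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled",
    r"\Sophos\SAVService\TamperProtection\Enabled",
)


@dataclass(frozen=True)
class RegistryEvent:
    """Subset of a Sysmon Event ID 13 record relevant to this rule."""
    target_object: str  # full registry path that was written
    details: str        # Sysmon renders the new value, e.g. "DWORD (0x00000000)"
    image: str          # process that performed the write


def matches_rule(event: RegistryEvent) -> bool:
    """Return True when the event satisfies `condition: selection`.

    Sigma compares strings case-insensitively, and every field in a
    selection map must match (logical AND), so both checks are required.
    """
    details_ok = event.details.casefold() == DETAILS_EXACT.casefold()
    target = event.target_object.casefold()
    target_ok = any(needle.casefold() in target for needle in TARGET_OBJECT_CONTAINS)
    return details_ok and target_ok


def find_tamper_attempts(events):
    """Return the events that fire the rule, preserving order."""
    return [e for e in events if matches_rule(e)]


def images_for_triage(events):
    """Map each matched event's writing process to the key it touched.

    The page's FP note says the AV itself may disable the feature; the
    writing process is the first thing to check before escalating.
    """
    return {e.image: e.target_object for e in find_tamper_attempts(events)}


# Constructed sample events (hypothetical paths, not real observed data).
SAMPLE_EVENTS = [
    RegistryEvent(
        r"HKLM\SOFTWARE\Sophos\SAVService\TamperProtection\Enabled",
        "DWORD (0x00000000)",
        r"C:\Windows\System32\reg.exe",
    ),
    RegistryEvent(  # value set to 1: re-enabling, does not match
        r"HKLM\SOFTWARE\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled",
        "DWORD (0x00000001)",
        r"C:\Windows\System32\reg.exe",
    ),
    RegistryEvent(  # unrelated key, same value: does not match
        r"HKLM\SOFTWARE\Constructed\Unrelated\Enabled",
        "DWORD (0x00000000)",
        r"C:\Windows\System32\svchost.exe",
    ),
    RegistryEvent(  # matches; the writer is a constructed AV-component path
        r"HKLM\SOFTWARE\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled",
        "dword (0x00000000)",  # case differs; Sigma matching is case-insensitive
        r"C:\Program Files\Constructed\sophos-component.exe",
    ),
]

if __name__ == "__main__":
    for image, key in images_for_triage(SAMPLE_EVENTS).items():
        print(f"hit: {key} written by {image}")
```

Running the block prints the two hits; the second one comes from the constructed AV-component path and is exactly the situation the false-positive note describes, so it would be verified against the AV's own activity before being escalated.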