'Lockdown' exploit prevented in Internet Explorer accessing Sharepoint site?

Hi Greg,

We deployed the same security updates you listed to our Win 7 machines on 2/22/18.  Then started to see the "Lockdown" events on 2/23/18.  What's triggering it for our users are certain finance websites.  Some of the sites require compatibility view mode enabled.  Don't know if that is causing it as well.  I opened a support ticket so hope we see a resolution soon.  But in the meantime I added Internet Explorer to the Exploit Mitigation exclusion so our users can get their work done.

Greg Francis said:

We have a couple of computers that are being blocked from a Sharepoint site with the Sophos message "'Lockdown' exploit prevented in Internet Explorer". These computers were able to access the same site yesterday. There were six Windows patches installed last night that may be contributing as some other computers where the patches haven't installed aren't experiencing the "'Lockdown' exploit prevented in Internet Explorer" block when getting to the exact same Sharepoint site.

These are the patches that were installed:

• Cumulative security update for Internet Explorer: February 13, 2018 (KB4074736)
• 2018-02 Security Only Quality Update for Windows 7 for x64-based Systems (KB4074587)
• 2018-02 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4074598)
• Security Update for Microsoft Office 2010 (KB4011707) 32-Bit Edition
• Security Update for Microsoft Office 2010 (KB3114874) 32-Bit Edition
• Security Update for Microsoft Outlook 2010 (KB4011711) 32-Bit Edition

I'm wondering if anyone else has encountered any issues with these patches in relation to Sharepoint and Sophos.

 

Hi Greg,

We deployed the same security updates you listed to our Win 7 machines on 2/22/18.  Then started to see the "Lockdown" events on 2/23/18.  What's triggering it for our users are certain finance websites.  Some of the sites require compatibility view mode enabled.  Don't know if that is causing it as well.  I opened a support ticket so hope we see a resolution soon.  But in the meantime I added Internet Explorer to the Exploit Mitigation exclusion so our users can get their work done.

Greg Francis said:

We have a couple of computers that are being blocked from a Sharepoint site with the Sophos message "'Lockdown' exploit prevented in Internet Explorer". These computers were able to access the same site yesterday. There were six Windows patches installed last night that may be contributing as some other computers where the patches haven't installed aren't experiencing the "'Lockdown' exploit prevented in Internet Explorer" block when getting to the exact same Sharepoint site.

These are the patches that were installed:

• Cumulative security update for Internet Explorer: February 13, 2018 (KB4074736)
• 2018-02 Security Only Quality Update for Windows 7 for x64-based Systems (KB4074587)
• 2018-02 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4074598)
• Security Update for Microsoft Office 2010 (KB4011707) 32-Bit Edition
• Security Update for Microsoft Office 2010 (KB3114874) 32-Bit Edition
• Security Update for Microsoft Outlook 2010 (KB4011711) 32-Bit Edition

I'm wondering if anyone else has encountered any issues with these patches in relation to Sharepoint and Sophos.

 

Hi Wing

I have encountered the same issue since installing Sophos and also those patches for financial websites

I've had to add them to the Global Exclusion list but where it is annoying is that one of our users is accessing certain parts of the web page he keeps getting blocked at each bit. Does anyone know of a way to add the whole site to the Exclusion list? Rather than page by page

I think you may need to add Internet Explorer entirely as an exclusion until this can get resolved.

In the Exploit Mitigation Exclusions I added Internet Explorer as the Excluded Application.