This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Suddenly flooded with "Policy non-compliance: Exploit Detection" alerts

Hi, over the last couple of days we're getting flooded with alerts for "Policy non-compliance: Exploit Detection". There seems to be some pattern in as much as the client receives an update, reports it as compliant then some time later reports it's non-compliant, example below:

May 25, 2018 10:27 AM Policy non-compliance: Exploit Detection

May 25, 2018 9:33 AM Policy in compliance: Exploit Detection

May 25, 2018 9:32 AM Update succeeded

They are currently running version 10.8.1 VE3.72.1

Does anyone have any ideas why this has just started happening?

Many thanks.

This thread was automatically locked due to age.

0 Barb@Sophos over 5 years ago

Hi Andy,

Have there been any specific changes/updates (including any exclusion changes) since the problem started?

Is it happening on multiple OSs or a particular one ?
How many machines are affected?
What are the versions of the Sophos Components and Intercept X installed on the system?

Barb@Sophos
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Gowtham Mani over 5 years ago

Hi Andy Thompson1,

Could you please confirm if the alerts are seen in the clients that go into sleep/hibernation mode?

Regards,

Gowtham Mani
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Andy Thompson1 over 5 years ago in reply to Barb@Sophos

Hi Barb,

We added an exploit mitigation exclusion for Java a couple of weeks ago and the messages seem to have started a few days after that.

We are only running Windows 7 (x86 and x64) here.

Core Agent 2.0.3

Endpoint Advanced 10.8.1.2

Intercept X 2.0.3

Best Regards,

Andy.
Cancel
Vote Up 0 Vote Down

Cancel
0 Andy Thompson1 over 5 years ago in reply to Gowtham Mani

Hi Gowtham,

We are getting the messages from desktop and laptop computers. The desktop machines never go to sleep or hibernate and the laptops only sleep when their lids are shut.

Best Regards,

Andy.
Cancel
Vote Up 0 Vote Down

Cancel
0 Barb@Sophos over 5 years ago in reply to Andy Thompson1

Hi Andy,

Are these messages still appearing non-stop, or just showed up once per device after the changes were made?
Please have a look at the What to Do Section from the article below:

Policy non-compliance: [Component] message displayed in the Sophos Central Admin

Have the machines been updated/restarted since the policy changes went thru? If not, could please test forcing a Sophos update on a few of them, and rebooting to see if that alleviates the issue?

Otherwise, for testing purposes, can you confirm if removing the Java exception changes this behavior at all? (As in does the message go away after removing the exception?)

One more question if I may, are there multiple policies including this Java exclusion (or multiple paths for the exclusion itself)?

Barb@Sophos
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Andy Thompson1 over 5 years ago in reply to Barb@Sophos

They still appear after a machine has been restarted. The common sequence is:

May 30, 2018 1:30 PM Policy non-compliance: Exploit Detection

May 30, 2018 1:01 PM Policy in compliance: Exploit Detection

May 30, 2018 1:00 PM Update succeeded

I really can't remove this exploit mitigation exception - something in the latest version of the Sophos client is breaking a web site that is mission critical here. There is nothing defined in a policy that excludes Java, it is set as a global exception.
Cancel
Vote Up 0 Vote Down

Cancel
0 Andy Thompson1 over 5 years ago in reply to Andy Thompson1

Just to confirm, on this particular PC I have just started it up and have the following sequence:

Jun 1, 2018 9:11 AM Policy non-compliance: Exploit Detection

Jun 1, 2018 9:01 AM Policy in compliance: Exploit Detection

Jun 1, 2018 8:59 AM Update succeeded
Cancel
Vote Up 0 Vote Down

Cancel