Lockdown Microsoft Edge

Hi Quasar,

had the same problem, Sophos is currently investigating. This occurs when Microsft Edge is set as a default browser and on Edge version 93.0.961.38. Open a support case so the Sophos Support is aware of that.

Hello quasar,

Thank you for reaching out to the Sophos Community. 

An initial step you can try is deploying the "Hotfix Package" for Intercept X onto the affected device. 

If this still does not work, I'd recommend creating a new "Threat Protection policy" to be applied to the affected device. Within the new policy, you can try turning off certain protection features under "Runtime Protection", specifically "Protect web browsers" to see if you can find a usable configuration that will allow the app to work. This can be used as a work-around for the time being. 

Can you check the Windows Application Event Viewer and filter by Event ID 911? If you're able to find an entry that corresponds with the lockdown detection, please paste the contents of the log entry here. 

Hello Qoosh,

I found a entry regarding PID 911.

Mitigation   Lockdown
Timestamp    2021-11-09T15:10:13

Platform     10.0.19043/x64 v523 06_9e-
PID          14044
Application  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Created      2021-05-22T11:10:56
Modified     2021-11-04T08:54:54
Description  Microsoft Edge 95

Operation    SetValueKey
Key          \REGISTRY\USER\S-1-5-21-291532225-531189968-1237804090-12199\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Value Name   MicrosoftEdgeAutoLaunch_35F8F3346C021A489FDBFF14FD72277C
Value        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5

Process Trace
1  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [14044]
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window /prefetch:5
2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8100]
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window /prefetch:5
3  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [13216]
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window /prefetch:5
4  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [12884]
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window /prefetch:5
5  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [13112]
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
6  C:\Windows\explorer.exe [2032]
7  C:\Windows\System32\userinit.exe [4472]
8  C:\Windows\System32\winlogon.exe [888]
winlogon.exe
9  C:\Windows\System32\smss.exe [732]
\SystemRoot\System32\smss.exe 00000198 00000084
10 C:\Windows\System32\smss.exe [572]
\SystemRoot\System32\smss.exe

Thumbprint
5c33b6d562ede47fec2489d32a7682e0bfb68ecde904eb2dc1c2cf1c3c396714
Data based thumbprint
fdbd40f805606908af0450ce42e7a30eb990627335f12cf0a8de3aa69a25431e

It looks like Microsoft Edge is trying to write in a registry key so that it will launch upon user log-on. 

Intercept X is detecting this registry write as a potentially malicious operation and chooses to block it. If you'd like to allow the operation, it's possible to create an exclusion for this behavior. 

I was able to locate a similar thread here: https://community.sophos.com/sophos-labs/f/discussions/114023/exploit

The goal of this operation is to allow Edge to start up faster on a device. Doing some further searching I was able to find the following options, which may help to prevent this behavior from taking place.
-  (Settings and more) > Settings > System > Start-up boost and Continue running background apps when Microsoft Edge is closed. 

Considering Edge is a Chromium-based browser, I do believe both links will be relevant to what is being detected.

Let me know if this helps.

Hello Qoosh,

I havent seen the behaviour since I changed the settings.

Thanks!