Hello @all,
I have a small problem regarding InterceptX Endpoint on some of my PCs in a branch office.
As soon as I start Microsoft Edge the Endpoint Protection delivers a notification saying there has been a 'Lockdown Exploit' in Edge.
However after a few minutes I get a notification in my central saying there was nothing to delete in the path of MS Edge.
Do you have any suggestions on how to handle this?
Hello quasar,
Thank you for reaching out to the Sophos Community.
An initial step you can try is deploying the "Hotfix Package" for Intercept X onto the affected device.
If this still does not work, I'd recommend creating a new "Threat Protection policy" to be applied to the affected device. Within the new policy, you can try turning off certain protection features under "Runtime Protection", specifically "Protect web browsers" to see if you can find a usable configuration that will allow the app to work. This can be used as a work-around for the time being.
Can you check the Windows Application Event Viewer and filter by Event ID 911? If you're able to find an entry that corresponds with the lockdown detection, please paste the contents of the log entry here.
It looks like Microsoft Edge is trying to write in a registry key so that it will launch upon user log-on.
Intercept X is detecting this registry write as a potentially malicious operation and chooses to block it. If you'd like to allow the operation, it's possible to create an exclusion for this behavior.
I was able to locate a similar thread here: https://community.sophos.com/sophos-labs/f/discussions/114023/exploit
The goal of this operation is to allow Edge to start up faster on a device. Doing some further searching I was able to find the following options, which may help to prevent this behavior from taking place.
- (Settings and more) > Settings > System > Start-up boost and Continue running background apps when Microsoft Edge is closed.
Considering Edge is a Chromium-based browser, I do believe both links will be relevant to what is being detected.
Let me know if this helps.
Quote