Lockdown Microsoft Edge

Hello @all,

I have a small problem regarding InterceptX Endpoint on some of my PCs in a branch office.

As soon as I start Microsoft Edge the Endpoint Protection delivers a notification saying there has been a 'Lockdown Exploit' in Edge.

However, after a few minutes I get a notification in my central saying there was nothing to delete in the path of MS Edge.

Do you have any suggestions on how to handle this?

  • Hello quasar,

    Thank you for reaching out to the Sophos Community. 

    An initial step you can try is deploying the "Hotfix Package" for Intercept X onto the affected device. 

    If this still does not work, I'd recommend creating a new "Threat Protection policy" to be applied to the affected device. Within the new policy, you can try turning off certain protection features under "Runtime Protection", specifically "Protect web browsers" to see if you can find a usable configuration that will allow the app to work. This can be used as a work-around for the time being. 

    Can you check the Windows Application Event Viewer and filter by Event ID 911? If you're able to find an entry that corresponds with the lockdown detection, please paste the contents of the log entry here. 

    Kushal Lakhan
    Global Community Support Engineer
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hello Qoosh,

    I found an entry regarding PID 911.

    Mitigation   Lockdown
    Timestamp    2021-11-09T15:10:13

    Platform     10.0.19043/x64 v523 06_9e-
    PID          14044
    Application  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Created      2021-05-22T11:10:56
    Modified     2021-11-04T08:54:54
    Description  Microsoft Edge 95

    Operation    SetValueKey
    Key          \REGISTRY\USER\S-1-5-21-291532225-531189968-1237804090-12199\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    Value Name   MicrosoftEdgeAutoLaunch_35F8F3346C021A489FDBFF14FD72277C
    Value        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5

    Process Trace
    1  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [14044]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window /prefetch:5
    2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8100]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window /prefetch:5
    3  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [13216]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window /prefetch:5
    4  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [12884]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window /prefetch:5
    5  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [13112]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    6  C:\Windows\explorer.exe [2032]
    7  C:\Windows\System32\userinit.exe [4472]
    8  C:\Windows\System32\winlogon.exe [888]
    winlogon.exe
    9  C:\Windows\System32\smss.exe [732]
    \SystemRoot\System32\smss.exe 00000198 00000084
    10 C:\Windows\System32\smss.exe [572]
    \SystemRoot\System32\smss.exe

    Thumbprint
    5c33b6d562ede47fec2489d32a7682e0bfb68ecde904eb2dc1c2cf1c3c396714
    Data based thumbprint
    fdbd40f805606908af0450ce42e7a30eb990627335f12cf0a8de3aa69a25431e

  • It looks like Microsoft Edge is trying to write to a registry key so that it will launch upon user log-on. 

    Intercept X is detecting this registry write as a potentially malicious operation and chooses to block it. If you'd like to allow the operation, it's possible to create an exclusion for this behavior. 

    I was able to locate a similar thread here: https://community.sophos.com/sophos-labs/f/discussions/114023/exploit

    The goal of this operation is to allow Edge to start up faster on a device. Doing some further searching I was able to find the following options, which may help to prevent this behavior from taking place.
    (Settings and more) > Settings > System > Start-up boost and Continue running background apps when Microsoft Edge is closed. 

    Considering Edge is a Chromium-based browser, I do believe both links will be relevant to what is being detected.

    Let me know if this helps.

    Kushal Lakhan
    Global Community Support Engineer
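Putting the two replies above together (the Event ID 911 check from the first reply, and the Run-key write plus the Startup boost / background apps settings from the second), here is an added PowerShell example for an administrator to run on an affected device. It is not code from the thread, from Sophos or from Microsoft. It assumes the Event ID 911 message uses the same field layout as the log entry pasted above, and that the machine-wide equivalents of the two Edge settings named in the reply are the documented Edge policy values StartupBoostEnabled and BackgroundModeEnabled under HKLM\SOFTWARE\Policies\Microsoft\Edge. The function names are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Run in an elevated PowerShell on the
# affected device. Three steps:
#   1. list Intercept X "Lockdown" events (Application log, Event ID 911),
#   2. report any Edge auto-launch Run value already present in a user hive,
#   3. disable Startup boost and background mode via Edge policy so Edge
#      stops trying to write that Run value (the thread's work-around,
#      applied machine-wide instead of per user).

function Get-LockdownEvents {
    # Assumption: the event message carries "Name   Value" lines like the
    # entry pasted in the thread (Mitigation, Application, Operation, Key, ...).
    $names = 'Mitigation', 'Application', 'Operation', 'Key', 'Value Name'
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 911 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Mitigation\s+Lockdown' } |
        ForEach-Object {
            $msg = $_.Message
            $fields = @{ TimeCreated = $_.TimeCreated }
            foreach ($n in $names) {
                $pattern = '(?m)^\s*' + [regex]::Escape($n) + '\s+(.+?)\s*$'
                if ($msg -match $pattern) { $fields[$n] = $Matches[1] }
            }
            [pscustomobject]$fields
        }
}

function Get-EdgeAutoLaunchValues {
    # The detection names a specific user SID under \REGISTRY\USER, so look at
    # every loaded user hive rather than only HKCU (which, when elevated, is
    # the administrator's hive, not the affected user's).
    Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $sid    = $_.PSChildName
            $runKey = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
            $run    = Get-Item -Path $runKey -ErrorAction SilentlyContinue
            if ($run) {
                foreach ($v in ($run.GetValueNames() | Where-Object { $_ -like 'MicrosoftEdgeAutoLaunch_*' })) {
                    [pscustomobject]@{ Sid = $sid; ValueName = $v; Command = $run.GetValue($v) }
                }
            }
        }
}

function Disable-EdgeBackgroundStartup {
    # Machine-wide policy equivalents (assumed) of the per-user toggles
    # Settings > System > "Startup boost" and
    # "Continue running background apps when Microsoft Edge is closed".
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    if (-not (Test-Path -Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'StartupBoostEnabled'   -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name 'BackgroundModeEnabled' -PropertyType DWord -Value 0 -Force | Out-Null
    Get-ItemProperty -Path $policyKey | Select-Object StartupBoostEnabled, BackgroundModeEnabled
}

Write-Host '== Intercept X Lockdown events (Event ID 911) =='
Get-LockdownEvents | Format-List

Write-Host '== Existing Edge auto-launch Run values =='
Get-EdgeAutoLaunchValues | Format-Table -AutoSize

Write-Host '== Applying Edge policy =='
Disable-EdgeBackgroundStartup
```

Step 1 only reports; a Run-key write by msedge.exe with a MicrosoftEdgeAutoLaunch_* value name and the --no-startup-window command line matches the benign case in the thread, while a different application, key or command in the same Event ID 911 output is something to look at rather than exclude. Step 3 changes policy for every user of the machine, so restart Edge (or have users sign in again) before judging whether the Lockdown notification is gone, and remove the two values if you later decide to keep Startup boost and handle the detection with a Sophos Central exclusion instead.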
  • Hello Qoosh,

    I haven't seen the behaviour since I changed the settings.

    Thanks!
