I have a small problem regarding InterceptX Endpoint on some of my PCs in a branch office.
As soon as I start Microsoft Edge the Endpoint Protection delivers a notification saying there has been a 'Lockdown Exploit' in Edge.
However, after a few minutes I get a notification in my central saying there was nothing to delete in the path of MS Edge.
Do you have any suggestions on how to handle this?
Had the same problem, Sophos is currently investigating. This occurs when Microsoft Edge is set as a default browser and on Edge version 93.0.961.38. Open a support case so the Sophos Support…
Thank you for reaching out to the Sophos Community.
An initial step you can try is deploying the "Hotfix Package" for Intercept X onto the affected device.
If this still does not work, I'd recommend creating a new "Threat Protection policy" to be applied to the affected device. Within the new policy, you can try turning off certain protection features under "Runtime Protection", specifically "Protect web browsers" to see if you can find a usable configuration that will allow the app to work. This can be used as a work-around for the time being.
Can you check the Windows Application Event Viewer and filter by Event ID 911? If you're able to find an entry that corresponds with the lockdown detection, please paste the contents of the log entry here.
I found an entry regarding PID 911.
Mitigation  Lockdown
Timestamp  2021-11-09T15:10:13
Platform  10.0.19043/x64 v523 06_9e-
PID  14044
Application  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Created  2021-05-22T11:10:56
Modified  2021-11-04T08:54:54
Description  Microsoft Edge 95
Operation  SetValueKey
Key  \REGISTRY\USER\S-1-5-21-291532225-531189968-1237804090-12199\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Value Name  MicrosoftEdgeAutoLaunch_35F8F3346C021A489FDBFF14FD72277C
Value  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Process Trace
1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window /prefetch:5
2 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window /prefetch:5
3 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window /prefetch:5
4 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window /prefetch:5
5 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
6 C:\Windows\explorer.exe
7 C:\Windows\System32\userinit.exe
8 C:\Windows\System32\winlogon.exe winlogon.exe
9 C:\Windows\System32\smss.exe \SystemRoot\System32\smss.exe 00000198 00000084
10 C:\Windows\System32\smss.exe \SystemRoot\System32\smss.exe
Thumbprint  5c33b6d562ede47fec2489d32a7682e0bfb68ecde904eb2dc1c2cf1c3c396714
Data based thumbprint  fdbd40f805606908af0450ce42e7a30eb990627335f12cf0a8de3aa69a25431e
It looks like Microsoft Edge is trying to write in a registry key so that it will launch upon user log-on.
Intercept X is detecting this registry write as a potentially malicious operation and chooses to block it. If you'd like to allow the operation, it's possible to create an exclusion for this behavior.
I was able to locate a similar thread here: https://community.sophos.com/sophos-labs/f/discussions/114023/exploit
The goal of this operation is to allow Edge to start up faster on a device. Doing some further searching I was able to find the following options, which may help to prevent this behavior from taking place.
- (Settings and more) > Settings > System > Start-up boost and Continue running background apps when Microsoft Edge is closed.
Considering Edge is a Chromium-based browser, I do believe both links will be relevant to what is being detected.
Let me know if this helps.
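As an added example (not part of this thread, and not code from Sophos or Microsoft), the PowerShell below audits an endpoint for the three things discussed above: recent Event ID 911 lockdown entries in the Application log, any HKCU Run values of the MicrosoftEdgeAutoLaunch_* form that Edge's start-up boost creates, and whether the two Edge settings named in the reply are pinned by policy. It assumes the 911 message text keeps the "Field value" line layout shown in the pasted entry, and it assumes the Edge policy value names StartupBoostEnabled and BackgroundModeEnabled under HKLM\SOFTWARE\Policies\Microsoft\Edge (taken from Edge's policy documentation; check them against the policy reference for your Edge version).

```powershell
# Added example: audit one endpoint for the Edge start-up boost / Intercept X lockdown
# behaviour described in the thread. Not Sophos or Microsoft code.

# 1. Pull recent Intercept X lockdown entries (Event ID 911, Application log) and
#    lift out the fields that identify what was blocked. Field names follow the
#    pasted entry; if your build logs them differently, adjust the patterns.
function Get-LockdownEvents {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 911 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msg = $_.Message
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Application = [regex]::Match($msg, '(?m)^Application\s+(.+)$').Groups[1].Value.Trim()
                Operation   = [regex]::Match($msg, '(?m)^Operation\s+(\S+)').Groups[1].Value
                Key         = [regex]::Match($msg, '(?m)^Key\s+(\S+)').Groups[1].Value
                ValueName   = [regex]::Match($msg, '(?m)^Value Name\s+(\S+)').Groups[1].Value
            }
        }
}

# 2. List the per-user Run values Edge writes for start-up boost. A value here
#    means Edge has (or had, before the block) registered itself to launch at logon.
function Get-EdgeAutoLaunchEntries {
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $props.PSObject.Properties |
        Where-Object { $_.Name -like 'MicrosoftEdgeAutoLaunch_*' } |
        ForEach-Object { [pscustomobject]@{ ValueName = $_.Name; Command = $_.Value } }
}

# 3. Report whether the two Edge settings from the reply are enforced by policy.
#    $null means the policy is not set and the user-facing toggle applies.
#    (Policy value names are an assumption taken from Edge's policy documentation.)
function Get-EdgeStartupPolicy {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        StartupBoostEnabled   = if ($null -ne $p) { $p.StartupBoostEnabled }   else { $null }
        BackgroundModeEnabled = if ($null -ne $p) { $p.BackgroundModeEnabled } else { $null }
    }
}

'== Intercept X lockdown events (Event ID 911) =='
Get-LockdownEvents | Format-Table -AutoSize

'== HKCU Run values created by Edge start-up boost =='
Get-EdgeAutoLaunchEntries | Format-Table -AutoSize

'== Edge policy values (null = not set; user setting applies) =='
Get-EdgeStartupPolicy | Format-List
```

Run it in the affected user's session so the HKCU lookup reads the right hive; no elevation is needed for any of the three reads. If the first table shows Operation SetValueKey against the Run key and the second table is empty, the write was blocked before it landed, which matches the "nothing to delete" clean-up notice the original poster saw.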
I haven't seen the behaviour since I changed the settings.