'Lockdown' exploit prevented in Pick an app

flygen Hello Alan,

When troubleshooting XYZ exploit prevented, the most important part is to check:

1) scope - is it on 1 system or multiple for this software

2) if the software itself was acquired directly from the trusted vendor (as opposed to a 3rd party download site, etc.). If the software and vendor are trusted, then you can choose to add an exclusion for Exploit mitigation for that software by ThumbprintID (safer. you can do that by pressing DETAILS across detection even in the EVENTS tab of the endpoint in Central dashboard) or by full path to the executable - a lot less safe and generally should be used only if Thumbprint ID changes for each detection. You can do that by going to Global settings -> global exclusions -> add exploit mitigation (Windows) -> app not listed -> enter full path to the executable.

For some specific software you might need to exclude it from exploit monitoring, but in this case I would not recommend it as it's a part of Windows (Pick an App  aka openwith.exe) 

 Do you see a lot of entries to Pick an app in the task manager for that machine?

 How often those detections happen?

Can you re-create the issue on command?

Does the issue with Sophos exploit mitigation messages stop happening after machine reboot? Does the issue come back eventually? 

I found this discussion on Microsoft forum about a customer having lots of Pick an app entires that might be helpful https://answers.microsoft.com/en-us/windows/forum/all/pick-an-app-process-flood-openwithexe/fe1fd262-d94b-4356-b390-b3ea9d3177da

In this case Sophos detects that app doing suspicious actions, so if you don't have Pick an App process flood, and looking at Sophos detections you see the same Thubprint ID then you can choose to exclude it. If something still doesn't work at that point you can troubleshoot it not as Sophos issue but something happening with OS itself.

Hope that helps! Please let me know if you have any further questions!

flygen Hello Alan,

When troubleshooting XYZ exploit prevented, the most important part is to check:

1) scope - is it on 1 system or multiple for this software

2) if the software itself was acquired directly from the trusted vendor (as opposed to a 3rd party download site, etc.). If the software and vendor are trusted, then you can choose to add an exclusion for Exploit mitigation for that software by ThumbprintID (safer. you can do that by pressing DETAILS across detection even in the EVENTS tab of the endpoint in Central dashboard) or by full path to the executable - a lot less safe and generally should be used only if Thumbprint ID changes for each detection. You can do that by going to Global settings -> global exclusions -> add exploit mitigation (Windows) -> app not listed -> enter full path to the executable.

For some specific software you might need to exclude it from exploit monitoring, but in this case I would not recommend it as it's a part of Windows (Pick an App  aka openwith.exe) 

 Do you see a lot of entries to Pick an app in the task manager for that machine?

 How often those detections happen?

Can you re-create the issue on command?

Does the issue with Sophos exploit mitigation messages stop happening after machine reboot? Does the issue come back eventually? 

I found this discussion on Microsoft forum about a customer having lots of Pick an app entires that might be helpful https://answers.microsoft.com/en-us/windows/forum/all/pick-an-app-process-flood-openwithexe/fe1fd262-d94b-4356-b390-b3ea9d3177da

In this case Sophos detects that app doing suspicious actions, so if you don't have Pick an App process flood, and looking at Sophos detections you see the same Thubprint ID then you can choose to exclude it. If something still doesn't work at that point you can troubleshoot it not as Sophos issue but something happening with OS itself.

Hope that helps! Please let me know if you have any further questions!