
'Lockdown' exploit prevented in Pick an app

We are seeing a lot of these prevented (400+).

Thumbprint 360f7a07529d23856076fa4eacb505fd73e9dc84269b63ee1f8e11c67008e6d9

How do I find what is causing this to remediate?

"Pick an app" is a built-in Windows service; is it likely to be related to the version of Windows we are running?

Has anyone else seen this? How did you handle it?

Thanks

Alan



  • Hello Alan,

    When troubleshooting XYZ exploit prevented, the most important part is to check:

    1) scope - is it on 1 system or multiple for this software?

    2) if the software itself was acquired directly from the trusted vendor (as opposed to a 3rd party download site, etc.). If the software and vendor are trusted, then you can choose to add an exclusion for Exploit mitigation for that software by Thumbprint ID (safer; you can do that by pressing DETAILS across the detection event in the EVENTS tab of the endpoint in the Central dashboard) or by full path to the executable - a lot less safe and generally should be used only if the Thumbprint ID changes for each detection. You can do that by going to Global settings -> global exclusions -> add exploit mitigation (Windows) -> app not listed -> enter full path to the executable.

    For some specific software you might need to exclude it from exploit monitoring, but in this case I would not recommend it as it's a part of Windows (Pick an App, aka openwith.exe).

    Do you see a lot of entries for Pick an app in the task manager for that machine?

    How often do those detections happen?

    Can you re-create the issue on command?

    Does the issue with Sophos exploit mitigation messages stop happening after a machine reboot? Does the issue come back eventually?

    I found this discussion on the Microsoft forum about a customer having lots of Pick an app entries that might be helpful: https://answers.microsoft.com/en-us/windows/forum/all/pick-an-app-process-flood-openwithexe/fe1fd262-d94b-4356-b390-b3ea9d3177da

    In this case Sophos detects that app doing suspicious actions, so if you don't have a Pick an App process flood, and looking at the Sophos detections you see the same Thumbprint ID, then you can choose to exclude it. If something still doesn't work at that point, you can troubleshoot it not as a Sophos issue but as something happening with the OS itself.

    Hope that helps! Please let me know if you have any further questions!
