Hi,
I cannot really imagine why this is happening:
We have a Server 2016 with Sophos Lockdown. On that server there is a folder shared to users. Users have full share permissions and R/W NTFS permissions.
On that share there are some executables. The client users run some of those .exe's directly from the share that they're accessing.
Now we have a really strange situation:
Let's say out of 10 users, 5 users cannot access the executables when we put the server in lockdown in Sophos Central. On the clients there is also Intercept-X installed.
What we've seen for the users where it doesn't work anymore:
- they can see the .exe files but no longer the file icon, it just appears as a generic exe file
- they cannot read the NTFS permission only of the .exe files - all other files in that share are OK
- they cannot run the .exe files
As soon as we disable lockdown and the server shows "unlocked" - the users see the icon on the .exe's, can read the permissions and run the program.
If we lock the server again, the issue immediately starts to happen again.
From my question asked here, this should work:
SLD logs reporting the block: "File delete blocked due to no write permissions"
Of course, the users are not trying to delete the file, they want to run it.
<EventList>
<Event event_id="2003" event_time="1639726438940" ip_address="172.16.xxx.xxx" cause_id="File Action" cause="File delete blocked due to no write permissions" parent_name="System" parent_process_file_name="System" target_file_name="\Device\HarddiskVolume5\ProfiCash\Profi cash Error Reporting.exe" target_file_path="\Device\HarddiskVolume5\ProfiCash\Profi cash Error Reporting.exe" target_file_sha1="" target_file_size="0" target_application_name="" target_user_name="" target_user_sid="S-1-5-18" target_certificate_subject="" target_certificate_sha1="" target_certificate_size="0" target_change_info="" ask_reason="" ask_email=""></Event>
<Event event_id="2003" event_time="1639726438940" ip_address="172.16.xxx.xxx" cause_id="File Action" cause="File delete blocked due to no write permissions" parent_name="System" parent_process_file_name="System" target_file_name="\Device\HarddiskVolume5\ProfiCash\Profi cash.exe" target_file_path="\Device\HarddiskVolume5\ProfiCash\Profi cash.exe" target_file_sha1="" target_file_size="0" target_application_name="" target_user_name="" target_user_sid="S-1-5-18" target_certificate_subject="" target_certificate_sha1="" target_certificate_size="0" target_change_info="" ask_reason="" ask_email=""></Event>
<Event event_id="2003" event_time="1639726438955" ip_address="172.16.xxx.xxx" cause_id="File Action" cause="File delete blocked due to no write permissions" parent_name="System" parent_process_file_name="System" target_file_name="\Device\HarddiskVolume5\ProfiCash\Profi cash Error Reporting.exe" target_file_path="\Device\HarddiskVolume5\ProfiCash\Profi cash Error Reporting.exe" target_file_sha1="" target_file_size="0" target_application_name="" target_user_name="" target_user_sid="S-1-5-18" target_certificate_subject="" target_certificate_sha1="" target_certificate_size="0" target_change_info="" ask_reason="" ask_email=""></Event>
<Event event_id="2003" event_time="1639726438971" ip_address="172.16.xxx.xxx" cause_id="File Action" cause="File delete blocked due to no write permissions" parent_name="System" parent_process_file_name="System" target_file_name="\Device\HarddiskVolume5\ProfiCash\Profi cash Update.exe" target_file_path="\Device\HarddiskVolume5\ProfiCash\Profi cash Update.exe" target_file_sha1="" target_file_size="0" target_application_name="" target_user_name="" target_user_sid="S-1-5-18" target_certificate_subject="" target_certificate_sha1="" target_certificate_size="0" target_change_info="" ask_reason="" ask_email=""></Event>
<Event event_id="2003" event_time="1639726438971" ip_address="172.16.xxx.xxx" cause_id="File Action" cause="File delete blocked due to no write permissions" parent_name="System" parent_process_file_name="System" target_file_name="\Device\HarddiskVolume5\ProfiCash\Profi cash Error Reporting.exe" target_file_path="\Device\HarddiskVolume5\ProfiCash\Profi cash Error Reporting.exe" target_file_sha1="" target_file_size="0" target_application_name="" target_user_name="" target_user_sid="S-1-5-18" target_certificate_subject="" target_certificate_sha1="" target_certificate_size="0" target_change_info="" ask_reason="" ask_email=""></Event>
<Event event_id="2003" event_time="1639726438987" ip_address="172.16.xxx.xxx" cause_id="File Action" cause="File delete blocked due to no write permissions" parent_name="System" parent_process_file_name="System" target_file_name="\Device\HarddiskVolume5\ProfiCash\Profi cash.exe" target_file_path="\Device\HarddiskVolume5\ProfiCash\Profi cash.exe" target_file_sha1="" target_file_size="0" target_application_name="" target_user_name="" target_user_sid="S-1-5-18" target_certificate_subject="" target_certificate_sha1="" target_certificate_size="0" target_change_info="" ask_reason="" ask_email=""></Event>
<Event event_id="2003" event_time="1639726438987" ip_address="172.16.xxx.xxx" cause_id="File Action" cause="File delete blocked due to no write permissions" parent_name="System" parent_process_file_name="System" target_file_name="\Device\HarddiskVolume5\ProfiCash\Profi cash Error Reporting.exe" target_file_path="\Device\HarddiskVolume5\ProfiCash\Profi cash Error Reporting.exe" target_file_sha1="" target_file_size="0" target_application_name="" target_user_name="" target_user_sid="S-1-5-18" target_certificate_subject="" target_certificate_sha1="" target_certificate_size="0" target_change_info="" ask_reason="" ask_email=""></Event>
<Event event_id="2003" event_time="1639726439002" ip_address="172.16.xxx.xxx" cause_id="File Action" cause="File delete blocked due to no write permissions" parent_name="System" parent_process_file_name="System" target_file_name="\Device\HarddiskVolume5\ProfiCash\Profi cash.exe" target_file_path="\Device\HarddiskVolume5\ProfiCash\Profi cash.exe" target_file_sha1="" target_file_size="0" target_application_name="" target_user_name="" target_user_sid="S-1-5-18" target_certificate_subject="" target_certificate_sha1="" target_certificate_size="0" target_change_info="" ask_reason="" ask_email=""></Event>
<Event event_id="2003" event_time="1639726439002" ip_address="172.16.xxx.xxx" cause_id="File Action" cause="File delete blocked due to no write permissions" parent_name="System" parent_process_file_name="System" target_file_name="\Device\HarddiskVolume5\ProfiCash\Profi cash Update.exe" target_file_path="\Device\HarddiskVolume5\ProfiCash\Profi cash Update.exe" target_file_sha1="" target_file_size="0" target_application_name="" target_user_name="" target_user_sid="S-1-5-18" target_certificate_subject="" target_certificate_sha1="" target_certificate_size="0" target_change_info="" ask_reason="" ask_email=""></Event>
<Event event_id="2003" event_time="1639726439002" ip_address="172.16.xxx.xxx" cause_id="File Action" cause="File delete blocked due to no write permissions" parent_name="System" parent_process_file_name="System" target_file_name="\Device\HarddiskVolume5\ProfiCash\Profi cash Error Reporting.exe" target_file_path="\Device\HarddiskVolume5\ProfiCash\Profi cash Error Reporting.exe" target_file_sha1="" target_file_size="0" target_application_name="" target_user_name="" target_user_sid="S-1-5-18" target_certificate_subject="" target_certificate_sha1="" target_certificate_size="0" target_change_info="" ask_reason="" ask_email=""></Event>
</EventList><?sha1 0DD068889CDCD3C08CCF4DF01A2B605D5260B434?><?sha1-content-size 6351?>
Server Intercept-X components:
Error on the client when running the exe from lockdown'ed server:
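One way to condense a Lockdown event list like the one quoted in the post, added here as an example (not part of the original post and not Sophos code): it groups block events per file and cause, converts `event_time` to UTC, and flags groups attributed only to the Local System SID (S-1-5-18). Assumptions: `event_time` is milliseconds since the Unix epoch, the sample XML is constructed from the attribute names shown in the post, and `summarize` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the event format quoted in the post (attributes trimmed).
_EVENT = ('<Event event_id="2003" event_time="{t}" cause_id="File Action" '
          'cause="File delete blocked due to no write permissions" '
          'parent_name="System" target_file_path="{p}" '
          'target_user_name="" target_user_sid="S-1-5-18"></Event>')
_DIR = "\\Device\\HarddiskVolume5\\Share\\"
SAMPLE = ("<EventList>"
          + _EVENT.format(t=1639726438940, p=_DIR + "App.exe")
          + _EVENT.format(t=1639726438955, p=_DIR + "App Update.exe")
          + _EVENT.format(t=1639726438971, p=_DIR + "App.exe")
          + _EVENT.format(t=1639726439002, p=_DIR + "App.exe")
          + "</EventList><?sha1-content-size 0?>")

LOCAL_SYSTEM_SID = "S-1-5-18"

def summarize(xml_text):
    """Group block events by (file, cause); report count, time span and actor."""
    # The log appends processing instructions after the root element; drop them.
    end = xml_text.index("</EventList>") + len("</EventList>")
    groups = defaultdict(list)
    for ev in ET.fromstring(xml_text[:end]).iter("Event"):
        groups[(ev.get("target_file_path"), ev.get("cause"))].append(ev)
    rows = []
    for (path, cause), evs in sorted(groups.items()):
        times = sorted(int(e.get("event_time")) for e in evs)  # assumed epoch ms
        rows.append({
            "file": path.rsplit("\\", 1)[-1],
            "cause": cause,
            "count": len(evs),
            "first_utc": datetime.fromtimestamp(times[0] / 1000, tz=timezone.utc),
            "span_ms": times[-1] - times[0],
            # True when every event in the group carries only the Local System SID
            "system_only": all(e.get("target_user_sid") == LOCAL_SYSTEM_SID
                               and not e.get("target_user_name") for e in evs),
        })
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```
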