We've recently updated to Endpoint and have an unusual issue with one of our users recently migrated to Win10 and Endpoint. Whenever they attempt to launch Volunteer Reporter by Volsoft, it is blocked by Sophos. I am awaiting a local screenshot from our tech dealing with the issue directly. Whenever I pull the Endpoint report for that machine, the only event relatable to the incident is: Access was blocked to "http://iyfbodn.com/px.js?ch=2" because of "Mal/HTMLGen-A". We have run a manual update as well as scans, with no malware or virus found or indicated. The tech contacted Volsoft and received the following...
"Subject: Volsoft Sophos Issue
Sophos has been an ongoing and random problem for us. This is due to Sophos AV blocking our files without warning or logs. You will also notice that Sophos will continue to block our program files even after the client is disengaged on the user’s PC. The only way to prove that Sophos is the problem is to completely uninstall it from the PC and attempt to open The Reporter. You will notice that The Reporter will open without issue after uninstalling (you will need to use the Sophos cleanup tool https://support.sophos.com). The Sophos client must be uninstalled, exceptions added to the administrative console on the server, then re-installed on the user’s PC. We have been dealing with this issue for over 3 years, but Sophos will not whitelist our files because we are not Sophos customers.
If the following exceptions are added to Sophos and you are still having problems, you must contact Sophos with the issue.
Add exceptions for the following files and/or folders:
File extensions:
.DBF
.DBT
.MDX
Files with these extensions are located in the Data Set folder on the network share.
Files:
PLUSRUN.EXE (must be all caps)
Reporter.exe
Reporter.dll
These files are located in “C:\Program Files (x86)\Volunteer Software\Reporter\Program” on the client/workstation.
Folders (if you choose to add full folders):
64-bit PCs: C:\Program Files (x86)\Volunteer Software\Reporter\Program
32-bit PCs: C:\Program Files\Volunteer Software\Reporter\Program
64-bit PCs: C:\Program Files (x86)\ Reporter\Program
32-bit PCs: C:\Program Files\ Reporter\Program
We have also received the following information about adding PLUSRUN.EXE to Sophos Admin Console:
- Login to Sophos Central
- Global Settings
- Global Exclusions
- Add Exclusion
- Exclusion Type : Exploit Mitigation (Windows)
- Scroll down to "Application not listed?"
- Give the whole path of application (C:\Program Files (x86)\Volunteer Software\Reporter\Program\PLUSRUN.EXE) [must be all CAPS]
- Click on Add
- Save
Please let me know if you need any assistance or further explanation of these issues."
So we've got some finger pointing here but hopefully the community here has either some experience or insight with this issue.
Thank you!
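An added example, not part of the original post or the vendor's e-mail: a PowerShell inventory of the three program files named above, recording hash and Authenticode signature status for each, so there is a record of exactly which binaries an exclusion would cover. It checks only the two "Volunteer Software" folders quoted in the e-mail; the output file name is an assumption.

```powershell
# Added example: inventory the Reporter binaries listed in the vendor's e-mail
# before any exclusion is created. Folder and file names are the ones quoted above.
$folders = @(
    'C:\Program Files (x86)\Volunteer Software\Reporter\Program',   # 64-bit PCs
    'C:\Program Files\Volunteer Software\Reporter\Program'          # 32-bit PCs
)
$files = @('PLUSRUN.EXE', 'Reporter.exe', 'Reporter.dll')

$report = foreach ($folder in $folders) {
    foreach ($name in $files) {
        $path = Join-Path -Path $folder -ChildPath $name

        # Skip files that are not installed at this location.
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

        $item = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -LiteralPath $path

        [pscustomobject]@{
            Path            = $path
            SizeBytes       = $item.Length
            LastWriteTime   = $item.LastWriteTime
            SHA256          = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            SignatureStatus = $sig.Status   # e.g. Valid, NotSigned, HashMismatch
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

if (-not $report) {
    Write-Warning 'None of the listed files were found on this machine.'
} else {
    $report | Format-List
    # Output file name is an assumption; keep the CSV with the exclusion change record.
    $report | Export-Csv -Path .\reporter-inventory.csv -NoTypeInformation
}
```

Running it again after a Reporter update and comparing the CSVs shows whether a binary covered by a path exclusion has changed.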