Malicious behavior ('Lockdown') prevented


Recently we've had multiple issues where Intercept X prevented installation or execution of software because it supposedly prevented "Lockdown".

It likes to block our remote maintenance software because of this, and today I was unable to install Datev on a client's PC for the same reason. In this case it was "Malicious behavior ('Lockdown') prevented in Windows Command Processor" (so apparently the installer tried to access the CMD and that was blocked).

I turned off the manipulation protection and switched off all the toggles in the Settings. Didn't help. I also ticked the box to ignore this detection in Sophos Central, and it still didn't work (although maybe giving it 5 minutes to synchronize wasn't enough, but I ran out of time).

The strange thing is, on an identical PC, same network, same Intercept X, it worked, no issue. Didn't even have to turn anything off.

What can I do about this?

Added Tags
[edited by: GlennSen at 10:11 AM (GMT -7) on 3 Jul 2024]
  • Hi  ,

    Good day.

    Thanks for reaching out to the Sophos Community Forum.  

    Sophos Intercept X provides protection against malicious scripts and code delivered by common infection vectors, including, but not limited to the following:

    Web Browsers, Office Applications, Email Clients

    Any behavior of this nature detected by Sophos Intercept X is flagged as a Lockdown exploit detection, and the offending process will be terminated.

    Some customers have encountered occasions where applications they consider trusted or legitimate have raised Lockdown exploit detections. These include but are not limited to the following:

    Web applications, Browser plugins, Office plugins, Email client plugins, Java-based applications

    Refer to this article for more information on this detection event.

    In your case, try to install the hotfix on the affected machine and check if that resolves the issue. The Sophos Central Intercept X Maintenance Release is the latest available version of the HitmanPro.Alert module, which provides Exploit Mitigation and Ransomware Protection functionality. Please refer to the sections below for the hotfix installation from this document:
    1. Adding the Maintenance Release to the list of available software packages
    2. Deploying the software package using an Update Management policy

    If the hotfix deployment did not resolve the issue and you are sure that this is a false positive, then you could try the exclusion steps below to prevent this detection further:

    Method 1:

    1. Go to Devices > Computers or Servers, depending on where the application was detected.
    2. Find the computer where the detection happened and click it to view its details.
    3. On the Events tab find the detection event, and click Details.
    4. In Event details, look for Don't detect this again and select an option:

      • Exclude this Detection ID from checking. 
        • This method will only work if the DetectionID or Thumbprint never changes. 
        • This requires the behavior to be identical every time, with all file names and paths being the same. Any variation in the file name, file path, or application name will create a new DetectionID or Thumbprint.

    Method 2:

    1. Go to My Products > Endpoint or Server.
    2. In Policies, find the Threat Protection policy that applies to the devices.
    3. Under Settings, find Exclusions and click Add Exclusion.
    4. In the Exclusion Type box, select Detected Exploits (Windows/Mac).
    5. Select the exploit and click Add.
    6. Check that the policy is assigned to the appropriate users and devices.

    For more information, see Sophos Central Admin: Stop detecting an exploit 

    Sophos Digital Support