Sophos blocking "iLok" licensing application

Hi Josh,

Thanks for reaching out to the Sophos Community Forum.

When you populate an Exploit Mitigation Exclusion, the exclusion UI looks for the specific executable you want to exclude. If you've entered your exclusion leaving it open-ended with no executable specified, it will not work. 

I'd suggest trying something like this: "C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe"

Are you seeing any detections or warnings raised from Sophos when these issues occur, or is the issue only evident in iLok?

Hi Josh,

Thanks for reaching out to the Sophos Community Forum.

When you populate an Exploit Mitigation Exclusion, the exclusion UI looks for the specific executable you want to exclude. If you've entered your exclusion leaving it open-ended with no executable specified, it will not work. 

I'd suggest trying something like this: "C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe"

Are you seeing any detections or warnings raised from Sophos when these issues occur, or is the issue only evident in iLok?

We aren't seeing any detections in the Sophos client or in Central, unless exploits would be in a different window somewhere? We only ever get the message above, and then when we turn off exploit mitigation it works within 30 seconds.

Additionally, should I leave the quotes in for paths to executables like you show above?  I am always confused whether I should use quotes or no quotes.  I appreciate this help! 

Detections would be shown both locally on the endpoint and on the Events page in Sophos Central, though it sounds like nothing is being detected. 

The quotations should not be included when entering the filepath in the exclusion UI. 

I am beginning to wonder if turning off exploit mitigation wasn't the fix and it coincidentally was working after.  I am still having trouble despite putting in several exclusions for the program. 

If you haven't already, it may be best to open a support case related to your issue. If you'd like to perform some additional troubleshooting, I'd suggest checking the "Scenario not Listed"  section in the following Techvid. 
- Sophos Endpoint: Endpoint Self Help Product Analysis Tool

You can also try the "Manual Troubleshoot" option for more granular control over which features are enabled/disabled, though this is also Something Sophos Support can assist with over the phone.

I did open a ticket and with the help of some awesome support techs we were able to add an exclusion to the policy for the iLok app and the associated service.  This exclusion was added to the correct policies and it fixed the issue with iLok. Thanks everyone!