
Sophos blocking "iLok" licensing application

We run a small licensing application on a server, and the same client runs on student PCs in our media lab. The application named "iLok" started failing a few weeks ago, and after some investigation it is Sophos blocking it. We found by trial and error that if we turn off "Exploit Mitigation", iLok runs without an issue. I added several different exploit mitigation exclusions from Sophos Central using wildcards, but the program still fails. Any suggestions on how to locate what additional files or executables need to be excluded?

Program Information:

C:\Program Files (x86)\iLok License Manager - program directory

C:\Program Files (x86)\Common Files\PACE - service directory (service runs the following:  "C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe" -u https://activation.paceap.com/InitiateActivation)

I used wildcards for most of the exclusions, could that be the issue? For example the exploit exclusion I added: C:\Program Files (x86)\Common Files\PACE\*

Waiting on Sophos Support to assist, but wanted to see what the community thought. When it tries to run it gets the following error.  Turning off exploit mitigation it starts working correctly on every machine, including the server.



  • Hi Josh,

    Thanks for reaching out to the Sophos Community Forum.

    When you populate an Exploit Mitigation Exclusion, the exclusion UI looks for the specific executable you want to exclude. If you've entered your exclusion leaving it open-ended with no executable specified, it will not work. 

    I'd suggest trying something like this: "C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe"

    Are you seeing any detections or warnings raised from Sophos when these issues occur, or is the issue only evident in iLok?

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • We aren't seeing any detections in the Sophos client or in Central, unless exploits would be in a different window somewhere? We only ever get the message above, and then when we turn off exploit mitigation it works within 30 seconds.

    Additionally, should I leave the quotes in for paths to executables like you show above?  I am always confused whether I should use quotes or no quotes.  I appreciate this help! 

  • Detections would be shown both locally on the endpoint and on the Events page in Sophos Central, though it sounds like nothing is being detected. 

    The quotations should not be included when entering the filepath in the exclusion UI. 

    Kushal Lakhan
    Team Lead, Global Community Support
  • I am beginning to wonder if turning off exploit mitigation wasn't the fix and it coincidentally was working after.  I am still having trouble despite putting in several exclusions for the program. 
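
The replies above say an exploit mitigation exclusion must name a specific executable, without wildcards or quotes. The following PowerShell is an added example, not part of the original thread or Sophos tooling: it lists every `.exe` under the two directories from the original post, plus the binaries of any Windows services installed there, as full unquoted paths. The helper name `Get-ExePathFromCommandLine` is hypothetical.

```powershell
# Added example: expand a wildcard-style exclusion into concrete executable paths.
# The two directories are the ones given in the original post.
$roots = @(
    'C:\Program Files (x86)\iLok License Manager',
    'C:\Program Files (x86)\Common Files\PACE'
)

# Hypothetical helper: pull the executable out of a service command line,
# which is often quoted and followed by arguments ("C:\...\LDSvc.exe" -u ...).
function Get-ExePathFromCommandLine {
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

# Case-insensitive set so the same file is not listed twice.
$found = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)

# 1. Every .exe on disk under the two directories.
foreach ($root in $roots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
            ForEach-Object { [void]$found.Add($_.FullName) }
    }
}

# 2. Services whose binary lives under those directories.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $exe = Get-ExePathFromCommandLine $_.PathName
    if ($exe) {
        foreach ($root in $roots) {
            if ($exe.StartsWith($root + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
                [void]$found.Add($exe)
            }
        }
    }
}

# One full path per line: no quotes, no wildcards, no arguments.
$found | Sort-Object
```

Review the list and exclude only the executables the application actually needs, since each exclusion removes exploit mitigation from that process.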
