Thread Info
  • State Not Answered
  • Replies 2 replies
  • Subscribers 15 subscribers
  • Views 94 views
  • Users 0 members are here
Options
Suggested

Battle.net Cannot Launch Any Game

JD Jankowski

Good day,

With Sophos Endpoint Protection Intercept X with XDR endpoint installed I cannot launch any application within Battle.net including games and editors.

If I disable "Exploit Mitigation" and "Ransomware Detection" everything launches successfully so this is a problem with the Sophos Endpoint.

Running things in this mode is not a solution and there are 0 detections when launching any game or app from Battle.net, they just don't work and there is no evidence Sophos Endpoint is blocking them but disabling the above resolves it so clearly this is a Sophos issue. I found an old post of this happening a few months ago and some saying it worked (but the directions can no longer be followed so it isn't a solution either) while others said it didn't, perhaps because it was too long after the post for the same process to work for them.

There is no way to add exclusions with nothing being detected so I am unsure how to proceed with resolving this and very importantly, why doesn't the endpoint provide any kind of notification or information about blocking a process when it is breaking launchers and applications.

Currently running versions are below for reference.
Core Agent: 2024.2.4.1.0
Intercept X: 2024.1.2.1.0

Assistance would be appreciated.

Parents
  • 0

    Is it just an incompatibility or is there some sort of event logged?  When you launch the game and it fails, is there anything logged to the Application Event log with the ID 911? Thanks.

  • 0 in reply to Sophos User930

    It sounds like it would be more likely to be Exploit Mitigation. 

    If you have a 64-bit process such as: 

    C:\Program Files (x86)\Call of Duty\_retail_\cod.exe

    When it is created, the hmpalert.sys driver will inject the C:\windows\system32\hmpalert.dll into it for exploit mitigation.

    I would be interested to know if the hmpalert.dll wasn't loaded into it if it would work?

    If you have access to Central, you can add an exclusion of type:

    Exploit Mitigation And Activity Monitoring (Windows)

    For the path C:\Program Files (x86)\Call of Duty\_retail_\cod.exe and turn off mitigations as shown below:


    One the client gets the policy, under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hmpalert\Config

    The multi_sz vallue PolicyInjectionExclusions will contain the path. 

    On the next launch the hmpalert.dll will not get injected into that process.

    I suppose as a test, if Tamper Protection is disabled, if you rename C:\windows\system32\hmaplert.dll and then launch does it work?


    HTH.

Reply
  • 0 in reply to Sophos User930

    It sounds like it would be more likely to be Exploit Mitigation. 

    If you have a 64-bit process such as: 

    C:\Program Files (x86)\Call of Duty\_retail_\cod.exe

    When it is created, the hmpalert.sys driver will inject the C:\windows\system32\hmpalert.dll into it for exploit mitigation.

    I would be interested to know if the hmpalert.dll wasn't loaded into it if it would work?

    If you have access to Central, you can add an exclusion of type:

    Exploit Mitigation And Activity Monitoring (Windows)

    For the path C:\Program Files (x86)\Call of Duty\_retail_\cod.exe and turn off mitigations as shown below:


    One the client gets the policy, under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hmpalert\Config

    The multi_sz vallue PolicyInjectionExclusions will contain the path. 

    On the next launch the hmpalert.dll will not get injected into that process.

    I suppose as a test, if Tamper Protection is disabled, if you rename C:\windows\system32\hmaplert.dll and then launch does it work?


    HTH.

Children
No Data
Unfiltered HTML