Battle.net Cannot Launch Any Game

Good day,

With Sophos Endpoint Protection Intercept X with XDR endpoint installed I cannot launch any application within Battle.net including games and editors.

If I disable "Exploit Mitigation" and "Ransomware Detection" everything launches successfully so this is a problem with the Sophos Endpoint.

Running things in this mode is not a solution and there are 0 detections when launching any game or app from Battle.net, they just don't work and there is no evidence Sophos Endpoint is blocking them but disabling the above resolves it so clearly this is a Sophos issue. I found an old post of this happening a few months ago and some saying it worked (but the directions can no longer be followed so it isn't a solution either) while others said it didn't, perhaps because it was too long after the post for the same process to work for them.

There is no way to add exclusions with nothing being detected so I am unsure how to proceed with resolving this and very importantly, why doesn't the endpoint provide any kind of notification or information about blocking a process when it is breaking launchers and applications.

Currently running versions are below for reference.
Core Agent: 2024.2.4.1.0
Intercept X: 2024.1.2.1.0

Assistance would be appreciated.

Parents
  • Is it just an incompatibility or is there some sort of event logged?  When you launch the game and it fails, is there anything logged to the Application Event log with the ID 911? Thanks.

  • It sounds like it would be more likely to be Exploit Mitigation. 

    If you have a 64-bit process such as: 

    C:\Program Files (x86)\Call of Duty\_retail_\cod.exe

    When it is created, the hmpalert.sys driver will inject the C:\windows\system32\hmpalert.dll into it for exploit mitigation.

    I would be interested to know if the hmpalert.dll wasn't loaded into it if it would work?

    If you have access to Central, you can add an exclusion of type:

    Exploit Mitigation And Activity Monitoring (Windows)

    For the path C:\Program Files (x86)\Call of Duty\_retail_\cod.exe and turn off mitigations as shown below:


    One the client gets the policy, under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hmpalert\Config

    The multi_sz vallue PolicyInjectionExclusions will contain the path. 

    On the next launch the hmpalert.dll will not get injected into that process.

    I suppose as a test, if Tamper Protection is disabled, if you rename C:\windows\system32\hmaplert.dll and then launch does it work?


    HTH.

  • Good day once again, I was able to complete the above steps and it fully resolved the issue by adding both of the below paths to the exclusion list for Exploit Mitigation.

    C:\Program Files (x86)\StarCraft II\Support64\SC2Switcher_x64.exe
    C:\Program Files (x86)\StarCraft II\Versions\Base93333\SC2_x64.exe

    The actual x64 executable may move based on the version but now at least I have a solution and means to update it as needed as I don't want to use wildcards at this point.

    Thank you very much for the assistance and I hope this can assist others who may have a similar issue.

Reply
  • Good day once again, I was able to complete the above steps and it fully resolved the issue by adding both of the below paths to the exclusion list for Exploit Mitigation.

    C:\Program Files (x86)\StarCraft II\Support64\SC2Switcher_x64.exe
    C:\Program Files (x86)\StarCraft II\Versions\Base93333\SC2_x64.exe

    The actual x64 executable may move based on the version but now at least I have a solution and means to update it as needed as I don't want to use wildcards at this point.

    Thank you very much for the assistance and I hope this can assist others who may have a similar issue.

Children
No Data