'Lockdown' exploit prevented in Internet Explorer

While viewing a report generated from a website, the user right-clicks the report and chooses Export to Excel, at which point Sophos rides to the rescue and prevents the action from taking place with the following message: 'Lockdown' exploit prevented in Internet Explorer

Where can I set an exception to prevent Sophos from stopping legitimate actions?

I've set an Exploit Mitigation Exclusion for Internet Explorer along with an Override on the website URL. Neither resolved the issue.

Thanks,

Roger



  • Can you post the event log entry for the event?  App Event log - 911 - Does it have a thumbprint?  Is it the same each time?

    If so under:

    https://cloud.sophos.com/manage/config/settings/scanning-exclusions

    (or the user policy)

    You can set the Type as detected exploits and you should see the alert.

    Regards,

    Jak

  • Jak, thank you for the response.

    From the Sophos event log this is all I have - 

    Aug 9, 2017 8:39 AM 'Lockdown' exploit prevented in Internet Explorer
    Aug 9, 2017 8:27 AM Update succeeded
    Aug 9, 2017 8:26 AM 'Lockdown' exploit prevented in Internet Explorer
    Aug 9, 2017 8:11 AM 'Lockdown' exploit prevented in Internet Explorer
    Aug 9, 2017 8:10 AM 'Lockdown' exploit prevented in Internet Explorer
    Aug 9, 2017 8:08 AM 'Lockdown' exploit prevented in Internet Explorer
    Aug 9, 2017 8:04 AM 'Lockdown' exploit prevented in Internet Explorer

    I have not identified a thumbprint. 

    I am not able to troubleshoot this further as the Internet access at that site is down at this time.

  • It would need to be the Application Event log on the client that has the verbose details -  eventvwr.

    That said, do you see the Lockdown alert under:
    https://cloud.sophos.com/manage/config/settings/scanning-exclusions

    When you click "Add Exclusion" and then "Detected Exploits (Windows)"?  

    If there is an entry in there, it would have a thumbprint, as that's what is sent down to the client to make the exclusion.  I'd be interested to know if the thumbprint is the same for each detection.

  • Jak,

    Sadly, the Application Log for Sophos was not enabled, so I have nothing to report.

    I was able to circumvent Sophos' interference by disabling Web Control and Exploit Mitigation at the client. Now this morning, with logging enabled and the previously mentioned controls re-enabled, I cannot recreate the "problem".

    Thank you for your assistance in this matter.

    Roger
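
The check requested in the replies above (Application event log on the client, event 911, whether the thumbprint is the same each time), as an added PowerShell example that is not part of the original thread or Sophos's own tooling. The layout matched by `$thumbprintPattern` (a "Thumbprint" label followed by a hex string in the event message) is an assumption; adjust it to what the client actually logs.

```powershell
# Added example: summarise event ID 911 entries in the local Application log
# and show whether the 'Lockdown' detections share one thumbprint.
# Assumption: the message contains "Thumbprint" followed by a hex string.
$thumbprintPattern = '(?i)Thumbprint\s*[:=]?\s*([0-9a-f]{16,})'

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 911 } `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'Lockdown' }

if (-not $events) {
    # Also reached when application logging was not enabled at detection time.
    Write-Warning 'No event ID 911 entries mentioning Lockdown were found.'
    return
}

$rows = foreach ($e in $events) {
    $m = [regex]::Match($e.Message, $thumbprintPattern)
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Provider    = $e.ProviderName
        Thumbprint  = if ($m.Success) { $m.Groups[1].Value.ToLower() }
                      else { '(none found)' }
    }
}

# One output row per distinct thumbprint. A single row means every detection
# matched the same thumbprint, so one "Detected Exploits" exclusion covers it.
$rows | Group-Object Thumbprint | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Thumbprint'; e = { $_.Name } },
        @{ n = 'First'; e = { ($_.Group | Sort-Object TimeCreated |
                               Select-Object -First 1).TimeCreated } },
        @{ n = 'Last';  e = { ($_.Group | Sort-Object TimeCreated |
                               Select-Object -Last 1).TimeCreated } } |
    Format-Table -AutoSize
```

Several distinct thumbprints for the same user action suggest an exclusion keyed to one of them will not cover later detections, which is worth confirming before disabling Exploit Mitigation on the client instead.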
