
Exploit APCViolation - Executables including "SophosClean.exe"

community.sophos.com/.../128101

In case anyone else runs into this and is looking for answers. Since 8:00pm CST on 1-12-2018 we are receiving "APCViolation" alerts blocking all sorts of executables - explorer.exe, sophosclean.exe, svchost.exe...

According to support, this is caused by the recent update to help mitigate "... a very recent method of attack." For the machines that have this problem, roughly 100 out of 1000 machines, the only differentiator that I can tell is Netmotion VPN software. These machines are anywhere from usable with virus alert popups in the corner, to unusable with explorer constantly crashing and restarting.

I will update this when we have the issue resolved.



  • Update - We have a resolution to our issue - just taking time to mitigate some of the severe cases.

    Sophos released an update that resolved this issue.  The issue was that the APCMitigation engine in HitmanPro was "tweaked".  The "tweak" didn't play nicely with VPN applications - this is how it was described to me, and from the machines that we had affected, it would make sense.  Our VPN software is Netmotion, if curious.

    As long as the machines were still online, they received the updated "definition" from Sophos through the updater service.  What this actually did was remove the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert APCMitigation=on".  I am still not finished with my clean-up due to machines going offline - they are remote machines, after all.  We did notice quite a few machines where either the VPN software or other networking-related services/executables were targeted incorrectly by Sophos; those we had to touch manually.  If this was the case, we modified the above key to "=off" per support's instructions.  NOTE - this was given as a "critical" fix from support and should not be necessary for most.

    Due to the insane amount of "malicious" files it incorrectly flagged, we continued to get the message pop-ups regarding Sophos stopping attacks.  It turns out Sophos was only processing the tens of thousands of backlogged .json files.  We created the below script to quickly add the registry value for disabling the APCMitigation as well as deleting the backlogged notification files.

    REM Set APCMitigation=off under HKLM\SOFTWARE\HitmanPro.Alert (creates or overwrites the value, no prompt)
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert" /t REG_SZ /v APCMitigation /d off /f
    REM Delete the backlogged notification files (all files under Incoming, recursively, no prompt)
    del "c:\ProgramData\Sophos\Health\Event Store\Incoming\*.*" /s /q

    Please let me know if you have any questions on above.

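As an added example (not code from the original post, nor from Sophos), here is the same workaround in PowerShell, which is what most Windows admins would push to remote machines: it reports the current APCMitigation value and the size of the notification backlog before touching anything, honours -WhatIf, and deletes only the queued .json files rather than everything under the folder. The registry path, value name and Event Store folder are the ones named in the post; the function names, the -Revert switch (which removes the value again, on the assumption that an absent value restores the product default) and the .json-only filter are this example's own choices. Since APCMitigation=off switches off an exploit mitigation, revert it once the corrected update has reached the machine.

```powershell
# Added example, not from the original post. Registry path, value name and backlog
# folder are as stated in the post; function names and the -Revert switch are assumptions.
#Requires -RunAsAdministrator

$script:RegPath   = 'HKLM:\SOFTWARE\HitmanPro.Alert'                     # from the post
$script:ValueName = 'APCMitigation'                                       # from the post
$script:Backlog   = 'C:\ProgramData\Sophos\Health\Event Store\Incoming'   # from the post

function Get-ApcMitigationState {
    # Report the current APCMitigation value ('on', 'off', or $null when the
    # value is absent) and how many .json notifications are still queued.
    $value = $null
    if (Test-Path -LiteralPath $script:RegPath) {
        $item = Get-ItemProperty -LiteralPath $script:RegPath -Name $script:ValueName -ErrorAction SilentlyContinue
        if ($item) { $value = $item.$($script:ValueName) }
    }
    $queued = 0
    if (Test-Path -LiteralPath $script:Backlog) {
        $queued = @(Get-ChildItem -LiteralPath $script:Backlog -Filter '*.json' -File -Recurse -ErrorAction SilentlyContinue).Count
    }
    [pscustomobject]@{ APCMitigation = $value; QueuedJsonFiles = $queued }
}

function Set-ApcMitigationWorkaround {
    # Apply the workaround from the post (APCMitigation=off plus backlog purge)
    # or, with -Revert, remove the value again once the fixed update is in place.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Revert)

    $target = "$($script:RegPath)\$($script:ValueName)"
    if ($Revert) {
        if ((Test-Path -LiteralPath $script:RegPath) -and $PSCmdlet.ShouldProcess($target, 'remove value')) {
            Remove-ItemProperty -LiteralPath $script:RegPath -Name $script:ValueName -ErrorAction SilentlyContinue
        }
        return Get-ApcMitigationState
    }

    if (-not (Test-Path -LiteralPath $script:RegPath)) { New-Item -Path $script:RegPath -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($target, "set REG_SZ value to 'off'")) {
        Set-ItemProperty -LiteralPath $script:RegPath -Name $script:ValueName -Value 'off' -Type String
    }

    if (Test-Path -LiteralPath $script:Backlog) {
        # Purge only the queued .json notifications; the folder itself stays.
        $files = @(Get-ChildItem -LiteralPath $script:Backlog -Filter '*.json' -File -Recurse -ErrorAction SilentlyContinue)
        if ($files.Count -gt 0 -and $PSCmdlet.ShouldProcess("$($files.Count) .json file(s) under $($script:Backlog)", 'delete')) {
            $files | Remove-Item -Force -ErrorAction SilentlyContinue
        }
    }
    Get-ApcMitigationState
}

# Usage:
#   Get-ApcMitigationState                 # inspect only
#   Set-ApcMitigationWorkaround -WhatIf    # preview the changes
#   Set-ApcMitigationWorkaround            # apply: value 'off', purge queued .json
#   Set-ApcMitigationWorkaround -Revert    # remove the value after the fixed update arrives
```

Run Get-ApcMitigationState first on a handful of affected and unaffected machines; a large QueuedJsonFiles count with the value already absent matches the post's observation that the pop-ups were just the backlog draining, and in that case the purge alone is enough.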