This article lists the known issues that have been identified with Intercept X / Exploit Prevention when it runs alongside third-party products.
Applies to the following Sophos products and versions
Central Intercept X 11.5.4
Sophos Exploit Protection
Note: Any infections that are still present on the computer will trigger a new Event and Alert in Sophos Central.
While Intercept X will install and work alongside most third-party products, some products refuse to install if they detect Intercept X on the computer. We recommend installing Intercept X after the third-party product to avoid this situation.
Both Intercept X / Exploit Prevention and Microsoft Enhanced Mitigation Experience Toolkit (EMET) help prevent vulnerabilities in installed software from being exploited by malware and malicious processes. Both do this with security mitigation technologies: protections and obstacles that an exploit author must defeat before a software vulnerability can be exploited. Because both solutions hook the same process-level mechanisms, they cannot run alongside each other. You may see a BSoD or unexplained application crashes if both products are installed.
If enabled, applications will fail to install or open, or you will experience general slowness, commonly with the error "The application was unable to start correctly". Due to the way both solutions work, they cannot run alongside each other.
Under certain circumstances the user is prompted to start the Kaspersky Advanced Disinfection Procedure and is warned that the computer will need to be restarted during disinfection. If the user agrees, the system is switched into a special restricted operation mode: new programs are blocked from starting and registry changes are prohibited.
In this mode, Intercept X / Exploit Prevention can be blocked from performing specific actions until the computer is restarted.
McAfee Endpoint Security 10 prevents unknown DLLs (those not signed by McAfee) from being loaded into its own processes. As a result, Intercept X / Exploit Prevention cannot inject its protection into McAfee processes and cannot protect McAfee products from exploits.
On Windows 7 32-bit, Bitdefender blocks the execution of Sophos Clean: its behavioral blocker flags it as a potentially harmful application.
Both Intercept X / Exploit Prevention and Palo Alto Traps implement exploit mitigation in the same way, so they cannot be installed on the same computer.
Running Intercept X / Exploit Prevention alongside Configura CET Designer can cause issues with CET Designer functioning. Sophos recommends uninstalling Intercept X / Exploit Prevention if there is a requirement to use CET Designer.
Running Intercept X / Exploit Prevention alongside Jaws PDF Editor can cause issues with Jaws PDF Editor functioning. Sophos recommends moving to an alternative product for your PDF requirements, or uninstalling Intercept X / Exploit Prevention if there is a requirement to use Jaws PDF Editor.
Running Intercept X / Exploit Prevention alongside the installation of GeoVision Control Center can cause CryptoGuard alerts to appear and the installation to fail. Sophos recommends disabling Intercept X / Exploit Prevention during the installation of GeoVision Control Center and re-enabling it once the installation has completed successfully.
Due to potential conflicts, we do not recommend running Intercept X / Exploit Prevention and Trusteer Rapport on the same computer. Where you have a requirement to run both products, you will need to disable the following policy setting:
Intercept X / Exploit Prevention and Forcepoint products currently exhibit unwanted behavior when installed on the same computer. Both product sets must be updated to the following versions to ensure compatibility:
During shutdown, a computer with both DeviceLock and Sophos Intercept X / Exploit Prevention installed gets caught in a loop until a BSoD occurs. DeviceLock must be uninstalled to prevent the BSoD.
Because of the way Kaspersky File Shredder overwrites files, the action triggers a ransomware detection and is blocked. Kaspersky nevertheless reports that it has successfully deleted the requested files, even though they are still present. Once the process has been blocked, any further attempts to shred files also fail, although Kaspersky continues to report success.
To allow Kaspersky File Shredder to run, it can be excluded from Sophos Intercept X / Exploit Prevention ransomware detections. Note that the exclusion means genuine ransomware-like activity by that process will no longer be blocked.
Currently WipeGuard is not fully compatible with VeraCrypt, due to the way VeraCrypt calls its encryption driver; this can cause VeraCrypt encryption installations to fail. Sophos is looking to improve this in a future release.
In the interim we recommend that the customer disable WipeGuard during the installation of the encryption. Once the encryption is installed, the customer should be able to re-enable WipeGuard for normal day-to-day use.
Ladibug.exe keeps crashing when Sophos Intercept X is installed on the same system. A workaround for certain scenarios is available; please contact support for more information.
Cisco AMP for Endpoints includes an exploit prevention feature that monitors 32-bit versions of Microsoft Office and other common applications. This can cause compatibility issues with Sophos Intercept X.
If the endpoint generates a "SysCall exploit prevented in <PRODUCT>" event when an end user opens a Microsoft Office application, this may be caused by an incompatibility with Cisco AMP for Endpoints 6.0.5 or above.
Event Message as seen in Central:
Turning off the anti-exploit feature of Cisco AMP for Endpoints resolves the issue.
The steps below explain how to disable the AMP for Endpoints exploit prevention feature:
Note: When running only Cisco AMP for Endpoints with anti-exploit enabled, we have found that it does not appear to detect the following exploit techniques:
The Quest Change Auditor Agent service starts and then stops unexpectedly on machines protected by Sophos Intercept X or Exploit Prevention when the "Protect against credential theft" policy option is enabled. To continue using these products alongside each other, disable the "Protect against credential theft" policy option for the affected machines, bearing in mind that this removes that protection for them.
As Intercept X and the Invincea standalone product contain similar underlying functionality, they cannot co-exist. Note that Dell Protected Workspace / Dell Data Protection is the Dell-branded version of Invincea, so it will also need to be removed.
See Sophos Central Endpoint: This installer is not compatible with Invincea for more information.
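Because several of the products above either refuse to install once Intercept X is present or must be removed before it is deployed, it is worth inventorying an endpoint before rolling the agent out. The following PowerShell is an added example, not Sophos code: it sweeps the standard Windows uninstall registry keys for the product names mentioned in this article. The name list and the substring matching on DisplayName are assumptions about how each vendor names its installer and may need tuning for your estate; a match means "check the note for this product", not that the machine is necessarily broken.

```powershell
# Added example (not Sophos code): inventory a Windows endpoint for products this
# article has compatibility notes for, before Intercept X / Exploit Prevention is
# deployed. Matching is a case-insensitive substring match on the registry
# DisplayName (an assumption about vendor naming; tune the list as needed).

$ProductsWithNotes = @(
    'Enhanced Mitigation Experience Toolkit',  # Microsoft EMET
    'Kaspersky',                                # Advanced Disinfection / File Shredder notes
    'McAfee Endpoint Security',
    'Bitdefender',
    'Traps',                                    # Palo Alto Traps (short pattern, may over-match)
    'CET Designer',                             # Configura
    'Jaws PDF',
    'GeoVision',
    'Trusteer',
    'Forcepoint',
    'DeviceLock',
    'VeraCrypt',                                # WipeGuard note
    'Cisco AMP',
    'Change Auditor',                           # Quest
    'Invincea',
    'Dell Protected Workspace',
    'Dell Data Protection'
)

# 64-bit and 32-bit (WOW6432Node) machine-wide installs, plus per-user installs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InterceptXCompatibilityNotes {
    [CmdletBinding()]
    param(
        [string[]]$Patterns = $ProductsWithNotes
    )
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $entry = $_
            foreach ($p in $Patterns) {
                if ($entry.DisplayName -like "*$p*") {
                    [pscustomobject]@{
                        Pattern     = $p
                        DisplayName = $entry.DisplayName
                        Version     = $entry.DisplayVersion
                        Publisher   = $entry.Publisher
                        Key         = $entry.PSPath
                    }
                    break   # one report per registry entry
                }
            }
        }
}

$found = Get-InterceptXCompatibilityNotes
if ($found) {
    Write-Warning 'Installed products with Intercept X compatibility notes:'
    $found | Format-Table Pattern, DisplayName, Version, Publisher -AutoSize
} else {
    Write-Host 'No products from the known-issues list were found in the uninstall registry keys.'
}
```

Run it under an account that can read HKLM; it makes no changes. Products installed without an uninstall entry (portable tools, some drivers) will not appear, so treat an empty result as a first pass rather than proof of a clean machine.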
On Windows 8 and later, Shutdown and Restart behave differently. With fast startup enabled, selecting Shutdown does not fully shut the computer down; the kernel session is saved to disk as in hibernation, so drivers are not reloaded at the next boot. Selecting Restart reloads all drivers and configuration and clears any pending restart request. See Delivering fast boot times in Windows 8.
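Where a note above asks for a restart, a user choosing Shutdown on a fast-startup machine will not get one. The PowerShell below is an added example, not Sophos code: it reads the standard HiberbootEnabled value that controls fast startup and reports whether Shutdown is a full shutdown. Turning fast startup off (the -Disable switch) is one way to make Shutdown behave like Restart; whether that is preferable to simply asking users to choose Restart is an assumption for your environment.

```powershell
# Added example (not Sophos code): check, and optionally disable, Windows fast
# startup (hybrid shutdown). With it enabled, "Shutdown" does not reload drivers;
# only "Restart" does. Disabling requires an elevated prompt.

$FastStartupKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'

function Get-FastStartupEnabled {
    # HiberbootEnabled: 1 = fast startup on, 0 = off.
    # The value is absent when hibernation is unavailable; treat that as off.
    $item = Get-ItemProperty -Path $FastStartupKey -Name HiberbootEnabled -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.HiberbootEnabled -eq 1)
}

function Disable-FastStartup {
    # Writes the same value the Control Panel "Turn on fast startup" checkbox sets.
    Set-ItemProperty -Path $FastStartupKey -Name HiberbootEnabled -Value 0 -Type DWord
}

param([switch]$Disable)

if (Get-FastStartupEnabled) {
    Write-Warning 'Fast startup is ON: Shutdown will not reload drivers. Use Restart.'
    if ($Disable) {
        Disable-FastStartup
        Write-Host 'Fast startup disabled; the next Shutdown will be a full shutdown.'
    }
} else {
    Write-Host 'Fast startup is OFF: Shutdown performs a full shutdown.'
}
```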
For further information see, SafeGuard Enterprise / Sophos Central compatibility improvements.
This issue occurs on computers that are not joined to a domain. Investigation suggests it may be a Microsoft issue. A reboot may resolve it. The following two options will also prevent the issue from occurring:
Sophos Clean locks down the registry after a cleanup operation until the computer is restarted. This can prevent applications from installing or uninstalling. To resolve this, restart the computer after any detection and cleanup.