
APC Violation exploits detected - Jan 12th 2018.

  • Article ID: 128101
  • Updated: 18 Jan 2018

[Updated 18th Jan 2018 - 13:01 UTC]

For the majority of endpoints affected by this issue, it was automatically resolved on Saturday 13th Jan 2018. If you are still experiencing 'APC Violation' detections, which may cause computer screens to flash, please contact Sophos Support for assistance.

Please note that while the issue is resolved and files will no longer be blocked, you may have a backlog of messages (popups) that are still queued to be displayed on the endpoint. These messages can be ignored and will stop once the queue has been processed.

You can manually clear this backlog by deleting all the files in: C:\ProgramData\Sophos\Health\Event Store\Incoming

Then reboot the machine to clear any queued in memory.

Overview

Sophos is aware that a small number of customers have reported multiple 'APC Violation' exploit detections in a variety of files, including SophosClean.

Applies to the following Sophos product(s) and version(s)

Sophos Intercept X

Impact

Legitimate applications are being detected, causing some of them to crash.

Current status

Sophos has confirmed the detections are incorrect (the files are not malicious). A fix has been confirmed and is now being rolled out to customers automatically. Please be aware that it may take a few hours to reach everyone. No action is required for this fix to be applied: provided an affected endpoint is online and connected to the Sophos Central console, it will receive the fix.

What to do

The fix for this issue will be applied automatically to any affected endpoints, provided they are online and able to connect to the Sophos Central console.

Customers who wish to speed up the application of the fix can use the following instructions to refresh their policies by disabling and re-enabling the APC Violation exploit feature.

  1. Navigate to an Endpoint Threat Protection policy
  2. Under 'Runtime Protection' un-check the 'Protect media applications' option
  3. Save the policy
  4. Edit the policy again and enable the same 'Protect media applications' option
  5. Save the policy
  6. Repeat this process for all Endpoint Threat Protection policies

Next update

The rollout has now been completed.
