CPU branch tracing is an Exploit Prevention feature that was previously enabled by default. Sophos has temporarily disabled this functionality in light of a recent Windows Update and unwanted detections.
Applies to the following Sophos products and versions: Enterprise Console, Sophos Central Admin
The CPU branch tracing feature is the branch-based (Hardware Augmented Control-Flow Integrity) mitigation for Return Oriented Programming (ROP) exploits. The processor hardware itself records branch information as read-only data, which is used to augment the detection of exploit attacks at run-time.
Sophos disabled this feature because of an increase in detections caused by several Windows, Office, browser and graphics driver updates released to mitigate Spectre attacks. These updates changed the way DLLs are loaded, which increased the number of unwanted detections produced by this feature.
For Central customers, this has been disabled since Intercept X version 2.0.14.
For On-Premise customers, this has been disabled since version 3.7.12 of Exploit Prevention.
You are still protected against this type of attack vector, as branch tracing is not our only protection against Return Oriented Programming attacks. Sophos still has the Stack-based ROP mitigation (Caller) feature, which is also our primary line of defense against ROP exploits.
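The idea shared by both mitigations above (the branch-based check described earlier and the stack-based "Caller" check) is that a legitimate return always continues at an address immediately after a CALL instruction, while a ROP chain returns into gadgets that are not call-site continuations. The following is an added illustration written for this article, not Sophos code: it decodes backwards from a return target to see whether a common x86-64 CALL encoding precedes it, and then applies that rule to a constructed, LBR-style list of branch records. The function names, the code bytes, the base address and the trace records are all made up for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration (not Sophos code) of the "caller" heuristic behind
   stack- and branch-based ROP mitigation: a RET whose target is not
   immediately preceded by a CALL instruction is treated as suspicious. */

/* Does the code ending right before `ret_target` (an offset into `code`)
   decode as one of the common x86-64 CALL encodings? */
static bool preceded_by_call(const uint8_t *code, size_t len, size_t ret_target)
{
    if (ret_target > len)
        return false;
    /* E8 rel32: 5-byte near relative call */
    if (ret_target >= 5 && code[ret_target - 5] == 0xE8)
        return true;
    /* FF /2 with mod=11: 2-byte "call reg". A REX prefix (41) before FF
       only lengthens the instruction; the last two bytes are unchanged. */
    if (ret_target >= 2 && code[ret_target - 2] == 0xFF) {
        uint8_t modrm = code[ret_target - 1];
        if (((modrm >> 3) & 7) == 2 && (modrm >> 6) == 3)
            return true;
    }
    /* FF /2 with disp32: 6-byte "call [reg+disp32]" (mod=10, no SIB) or
       "call [rip+disp32]" (mod=00, rm=101), the usual import-call form */
    if (ret_target >= 6 && code[ret_target - 6] == 0xFF) {
        uint8_t modrm = code[ret_target - 5];
        uint8_t mod = modrm >> 6, rm = modrm & 7;
        if (((modrm >> 3) & 7) == 2 &&
            ((mod == 2 && rm != 4) || (mod == 0 && rm == 5)))
            return true;
    }
    return false;
}

/* One record of a hardware branch trace (LBR-style from/to pair).
   Only return branches are checked by the caller heuristic. */
struct branch_record {
    uint64_t from;
    uint64_t to;
    bool     is_return;
};

/* Count return records whose target is not a call-site continuation
   inside the known code region [code_base, code_base + len). */
static size_t count_suspicious_returns(const struct branch_record *recs, size_t n,
                                       const uint8_t *code, size_t len,
                                       uint64_t code_base)
{
    size_t suspicious = 0;
    for (size_t i = 0; i < n; i++) {
        if (!recs[i].is_return)
            continue;
        if (recs[i].to < code_base || recs[i].to - code_base > len) {
            suspicious++;            /* return into unknown memory */
            continue;
        }
        if (!preceded_by_call(code, len, (size_t)(recs[i].to - code_base)))
            suspicious++;
    }
    return suspicious;
}

/* Constructed sample code bytes (hypothetical, not from any real binary):
   off  0: E8 10 00 00 00  call rel32     -> continuation at 5
   off  6: FF D0           call rax       -> continuation at 8
   off  9: FF 15 00000000  call [rip+0]   -> continuation at 15
   off 16: 5F C3           pop rdi ; ret  (a ROP-style gadget)
   off 19: 41 FF D2        call r10       -> continuation at 22
   the remaining bytes (5, 8, 15, 18, 22) are NOPs (90)               */
static const uint8_t SAMPLE_CODE[] = {
    0xE8, 0x10, 0x00, 0x00, 0x00, 0x90, 0xFF, 0xD0, 0x90,
    0xFF, 0x15, 0x00, 0x00, 0x00, 0x00, 0x90, 0x5F, 0xC3, 0x90,
    0x41, 0xFF, 0xD2, 0x90,
};
static const size_t   SAMPLE_CODE_LEN  = sizeof SAMPLE_CODE;
static const uint64_t SAMPLE_CODE_BASE = 0x140001000ULL;  /* hypothetical */

/* Constructed trace: four legitimate returns, two returns into gadget
   code, and one non-return branch that the heuristic ignores. */
static const struct branch_record SAMPLE_TRACE[] = {
    { 0x7FF000001000ULL, 0x140001000ULL + 5,  true  },
    { 0x7FF000002000ULL, 0x140001000ULL + 8,  true  },
    { 0x7FF000003000ULL, 0x140001000ULL + 16, true  },  /* into pop rdi ; ret */
    { 0x140001011ULL,    0x140001000ULL + 18, true  },  /* just past a ret */
    { 0x7FF000004000ULL, 0x140001000ULL + 15, true  },
    { 0x7FF000005000ULL, 0x140001000ULL + 22, true  },
    { 0x140001000ULL,    0x140001000ULL + 9,  false },  /* a jmp, not a ret */
};
static const size_t SAMPLE_TRACE_LEN = sizeof SAMPLE_TRACE / sizeof SAMPLE_TRACE[0];

/* Run the heuristic over the constructed trace; expected result is 2. */
static size_t check_sample_trace(void)
{
    return count_suspicious_returns(SAMPLE_TRACE, SAMPLE_TRACE_LEN,
                                    SAMPLE_CODE, SAMPLE_CODE_LEN, SAMPLE_CODE_BASE);
}

int main(void)
{
    printf("suspicious returns in sample trace: %zu of %zu records\n",
           check_sample_trace(), SAMPLE_TRACE_LEN);
    return 0;
}
```

Decoding backwards from a return address is a heuristic, because x86 instructions are variable-length and unrelated bytes can occasionally look like a CALL; this is why such a check is one detection signal to be combined with stack-based validation rather than a proof on its own, and why changes in how modules are loaded (as the article describes for the Spectre updates) can shift the balance between true and unwanted detections.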