Disclaimer: This information is posted as-is and the content should be referenced at your own risk
Hi Community,
This article describes the 'Lockdown' exploit detection and explains why it can be raised against applications that customers consider trusted.
Sophos Intercept X and Sophos Exploit Prevention provide protection against malicious scripts and code delivered by common infection vectors, including but not limited to:
Any behaviour of this nature detected by Sophos Intercept X or Sophos Exploit Prevention is flagged as a 'Lockdown' exploit detection, and the offending process is terminated.
Some customers have encountered occasions where applications they would consider 'trusted' or legitimate have raised 'Lockdown' exploit detections. These include, but are not limited to:
Often, however, investigation of these purported 'false-positive' detections shows that the offending application is behaving in a way that closely matches the techniques used by genuine exploits. Sophos Intercept X or Exploit Prevention therefore deem the behaviour malicious and take preventative action.
This article aims to explain this behaviour further and so aid understanding of when and why these detections are seen on applications that are deemed 'trusted' or legitimate.
The following sections are covered:
Applies to the following Sophos products and versions:
Central Windows Endpoint Intercept X 2.0.12
Central Server Intercept X 2.0.8
Exploit Prevention
The 'Lockdown' exploit mitigation protects the above vulnerable software by ensuring that it cannot execute code. As a rule these applications should not be in a position where they either execute code directly or trigger other applications to execute code.
Commonly this exploit technique is used in the following ways:
This can also trigger when a 'legitimate' executable file is launched in such a way, either through a browser or as part of an Office plug-in.
Whenever an exploit is detected by Sophos Intercept X or Exploit Prevention, an alert is written to the Windows Event Viewer logs and reported to either Sophos Central or Sophos Enterprise Console. Taking the event below as an example, we can walk through the reason for the detection:
--------------------
Description: Mitigation Lockdown
Timestamp 2020-01-14T16:31:22
Platform 10.0.14393/x64 v13 06_55*
PID 13732
Application C:\Program Files (x86)\Java\jre1.8.0_191\bin\javaw.exe
Created 2018-10-18T16:26:21
Modified 2018-10-18T16:26:21
Description Java(TM) Platform SE binary 8
Filename C:\Users\User1\Documents\xxx\abcd-ab1-imgr\shared\bin\6.7.2000.0038\file.jar;C:\Users\User1\documents\xxx\abcd-ab1-imgr\shared\bin\6.7.2000.0038\file2.jar;C:\Users\User1\Documents\xxx\abcd-ab1-imgr\shared\bin\6.7.2000.0038\file3.jar;C:\Users\User1\Documents\xxx\abcd-ab1-imgr\shared\bin\6.7.2000.0038\File4.jar;C:\Users\User1\Documents\xxx\abcd-ab1-imgr\shared\bin\6.7.2000.0038\File5.jar
Process Trace:
1 "C:\Program Files (x86)\Java\jre1.8.0_191\bin\javaw.exe" -classpath C:\Users\User1\Documents\xxx\abcd-ab1-imgr\shared\bin\6.7.2000.0038\File2.jar;C:\Users\User1\Documents\xxx\abcd-ab1-imgr\shared\bin\6.7.2000.0038\File1.jar;C:\Users\User
2 C:\Program Files (x86)\Java\jre1.8.0_191\bin\jp2launcher.exe [888] "C:\Program Files (x86)\Java\jre1.8.0_191\bin\jp2launcher.exe" -secure -plugin -jre "C:\Program Files (x86)\Java\jre1.8.0_191" -vma LURfX2p2bV9sYXVuY2hlZD0yMDgwNDMxMjY3NTU2AC1EX19hcHBsZXRfbGF1bmNoZWQ9MjA4MDQzMTI1NzA1NgAtRHN1bi5hd3Qud2FybXVwPXRydWUALURqYXZh
3 C:\Program Files (x86)\Internet Explorer\iexplore.exe [9396] "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:540 CREDAT:82945 /prefetch:2
4 C:\Program Files\Internet Explorer\iexplore.exe [540]
5 C:\Windows\explorer.exe [15452]
6 C:\Windows\System32\userinit.exe [18368]
7 C:\Windows\System32\winlogon.exe [12396] winlogon.exe
8 C:\Windows\System32\smss.exe [3788] \SystemRoot\System32\smss.exe 00000118 0000007c
Thumbprint 74680541524bff3bab2a24d7798cb65563d8e61c9881a01fccce55002cd4c112
In this example the following process chain is occurring:
Our reasoning for blocking this behaviour is that processes spawned by Internet Explorer (in this case C:\Program Files (x86)\Java\jre1.8.0_191\bin\jp2launcher.exe, which in turn launched javaw.exe to run the .jar files listed under Filename) should not be executing executable files; the behaviour listed above is exactly what malware authors use to infect users' machines. Note that the trace is read from entry 8 (smss.exe, the root of the chain) down to entry 1 (the process that was blocked).
The same logic applies to both Office applications and email clients: they should not be directly spawning processes that run executable files. The 'Lockdown' exploit detection protects against this type of potentially malicious behaviour.
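The script below is an added example, not Sophos code and not part of the original article. It parses an event of the shape shown above, rebuilds the process chain, applies the rule the article describes (a process descended from a browser, Office application or email client should not be running executable code) and decodes the jp2launcher -vma argument, which turns out to be a base64-encoded, NUL-separated list of JVM options. SAMPLE_EVENT is a constructed, trimmed copy of the article's event; the LOCKED_DOWN names other than iexplore.exe are assumed for illustration, and the rule is a simplification of the article's description rather than the product's actual logic.

```python
"""Added example (not Sophos code): parse a 'Mitigation Lockdown' event, rebuild the
process chain, apply the rule the article describes, and decode the jp2launcher -vma
argument. SAMPLE_EVENT is a constructed, trimmed copy of the event in the article;
LOCKED_DOWN names other than iexplore.exe are assumed for illustration."""
import base64
import re
from typing import Optional

# Constructed sample, trimmed from the article's event (paths anonymised as in the original).
SAMPLE_EVENT = r"""Description: Mitigation Lockdown
Timestamp 2020-01-14T16:31:22
PID 13732
Application C:\Program Files (x86)\Java\jre1.8.0_191\bin\javaw.exe
Filename C:\Users\User1\Documents\xxx\shared\bin\file.jar;C:\Users\User1\Documents\xxx\shared\bin\file2.jar
Process Trace:
1 "C:\Program Files (x86)\Java\jre1.8.0_191\bin\javaw.exe" -classpath C:\Users\User1\Documents\xxx\shared\bin\File2.jar
2 C:\Program Files (x86)\Java\jre1.8.0_191\bin\jp2launcher.exe [888] "C:\Program Files (x86)\Java\jre1.8.0_191\bin\jp2launcher.exe" -secure -plugin -jre "C:\Program Files (x86)\Java\jre1.8.0_191" -vma LURfX2p2bV9sYXVuY2hlZD0yMDgwNDMxMjY3NTU2AC1EX19hcHBsZXRfbGF1bmNoZWQ9MjA4MDQzMTI1NzA1NgAtRHN1bi5hd3Qud2FybXVwPXRydWUALURqYXZh
3 C:\Program Files (x86)\Internet Explorer\iexplore.exe [9396] "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:540 CREDAT:82945 /prefetch:2
4 C:\Program Files\Internet Explorer\iexplore.exe [540]
5 C:\Windows\explorer.exe [15452]
6 C:\Windows\System32\userinit.exe [18368]
7 C:\Windows\System32\winlogon.exe [12396] winlogon.exe
8 C:\Windows\System32\smss.exe [3788] \SystemRoot\System32\smss.exe
"""

# One trace line: depth, image path (possibly quoted), optional [pid], then the command line.
TRACE_RE = re.compile(r'^(?P<n>\d+)\s+"?(?P<image>[A-Za-z]:\\[^"\[\]]*?\.exe)"?'
                      r'\s*(?:\[(?P<pid>\d+)\])?\s*(?P<cmd>.*)$', re.IGNORECASE)

# Applications the article says Lockdown watches: browsers, Office apps, email clients.
# iexplore.exe comes from the article's event; the other names are assumed examples.
LOCKED_DOWN = {"iexplore.exe", "chrome.exe", "firefox.exe", "winword.exe",
               "excel.exe", "powerpnt.exe", "outlook.exe"}


def parse_event(text: str) -> dict:
    """Split the event into header fields plus a 'trace' list of
    (depth, image_path, pid_or_None, command_line). Depth 1 is the process that
    tripped the mitigation; higher depths are its ancestors up to smss.exe."""
    header, _, trace_text = text.partition("Process Trace:")
    fields = {}
    for line in header.splitlines():
        m = re.match(r"^(\w+):?\s+(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    trace = []
    for line in trace_text.splitlines():
        m = TRACE_RE.match(line.strip())
        if m:
            pid = int(m["pid"]) if m["pid"] else None
            trace.append((int(m["n"]), m["image"], pid, m["cmd"].strip()))
    fields["trace"] = sorted(trace)
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lockdown_chain(trace, locked_down=LOCKED_DOWN) -> Optional[list]:
    """The article's rule, simplified: if a locked-down application is an ancestor of
    the flagged process, return the chain of image names from that ancestor down to
    the flagged process; otherwise None."""
    names = [basename(image) for _, image, _, _ in trace]   # names[0] is depth 1
    for i, name in enumerate(names):
        if name in locked_down:
            return list(reversed(names[: i + 1]))
    return None


def decode_vma(command_line: str) -> list:
    """jp2launcher passes the JVM options as one base64 blob after -vma, with the
    options separated by NUL bytes. The event text may truncate the blob, so padding
    is restored before decoding. Returns [] when there is no -vma argument."""
    m = re.search(r"-vma\s+([A-Za-z0-9+/=]+)", command_line)
    if not m:
        return []
    blob = m.group(1)
    if len(blob) % 4 == 1:          # a single dangling character can never decode
        blob = blob[:-1]
    blob += "=" * (-len(blob) % 4)
    raw = base64.b64decode(blob)
    return [a.decode("utf-8", "replace") for a in raw.split(b"\x00") if a]


def explain(event: dict) -> str:
    """Human-readable reason for the detection, in the article's terms."""
    chain = lockdown_chain(event["trace"])
    if chain is None:
        return "no locked-down ancestor in the trace"
    files = [basename(f) for f in event.get("Filename", "").split(";") if f]
    return (f"{chain[0]} is locked down; it led to {' -> '.join(chain[1:])} "
            f"executing {', '.join(files)}")


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print(explain(ev))
    for arg in decode_vma(ev["trace"][1][3]):   # entry 2 is jp2launcher.exe
        print("  JVM option:", arg)
```

Run against the sample, the chain comes out as iexplore.exe -> jp2launcher.exe -> javaw.exe, which is the browser-to-executable path the article objects to, and the decoded -vma shows the plug-in's JVM options (-D__jvm_launched, -D__applet_launched, -Dsun.awt.warmup) with the last one cut off by the event's length limit. When triaging a suspected false positive, comparing this chain with what the vendor says the application should do is the quickest way to tell a legitimate plug-in launch from something that merely looks like one.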
Customers have a number of options if they believe that they are encountering a false-positive 'Lockdown' detection.
Please note: from a design perspective, Sophos Intercept X or Exploit Prevention is working entirely as intended when it raises a 'Lockdown' exploit detection. The behaviour undertaken by the third-party application is extremely similar or identical to genuine exploit techniques used by malware authors to infect users' machines. Customers may wish to approach the vendors of the third-party applications to confirm that there is not:
If there is no option to alter the way the application behaves, and the application is completely trusted by the customer, then the following options are available (in order from highest to lowest security):
Please note: the above options are available to customers; however, Sophos does not recommend excluding any application from any of our protection methods unless the application is fully trusted by the customer. Customers who exclude applications do so at their own risk.
If any guidance is required we would recommend that customers contact Sophos Support for further assistance.
Further information on all the Sophos exploit mitigation techniques can be found in the following whitepaper