
Mitigation Lockdown - another one

Dear all,

Sorry for this topic, but I have not yet figured out, after reading most posts here, how to proceed.


I have several events with Mitigation Lockdown under "Exploit Prevention" at the Sophos Enterprise Console.
Would you please advise me how to proceed?


On some reported applications I have NO entry in the "Enterprise Console" under "Exploit Prevention" - Exclusions.
Should I enter this via GPOs to the HKLM or HKCU entries for the "Whitelist Thumbprints", if required to all clients?

The Thumbprint is not limited to each client, it refers to the blocked action, correct?

On other reported applications I do have an entry in the Enterprise Console that I could "exclude". But that excludes the application, even when there is just a simple reg add like listed below.

What is the best practice, which of the Types do I solve with exclude, on which would you understand a potential "false positive" warning?
Maybe I read too many posts and lost track during that search. If that is the case, I am very sorry for the inconvenience to assist me.

I highly appreciate your assistance and advice.

BR

 

-----

Date/time User Computer Type Application Version Details
7/4/2019 8:42:53 AM XXXX XXXXXXX Lockdown RealPresenceDesktop 3.8.1 C:\Program Files (x86)\Polycom\RealPresence Desktop\RealPresenceDesktop.exe


Mitigation Lockdown

Platform 10.0.16299/x64 v508 06_4e
PID 9632
Application C:\Program Files (x86)\Polycom\RealPresence Desktop\RealPresenceDesktop.exe
Description RealPresenceDesktop 3.8.1

Operation SetValueKey
Key \REGISTRY\USER\XXXXXXXXX\Software\Microsoft\Windows\CurrentVersion\Run\
Value Name RealPresenceDesktop
Value C:\Program Files (x86)\Polycom\RealPresence Desktop\RealPresenceDesktop.exe /startRPD


Process Trace
1 C:\Program Files (x86)\Polycom\RealPresence Desktop\RealPresenceDesktop.exe [9632]
2 C:\Windows\explorer.exe [10700]
3 C:\Windows\System32\userinit.exe [10904]

Thumbprint
7a3d441df947de45255c476278d73de03f7b2f67f04b6029651b7c779144601b
Data based thumbprint
2170d8e5ec4cb4c2b39c8f755ab6e3f6c7460039694add388ad0e6b092f3ee29


