
Checkbox Exploit Prevention greyed out after disableing

Hi All,

we just started to use Exploit Prevention.

Now my colleague wanted to install a browser plugin and Exploit Prevention prevented this. He disabled it in the Sophos client and was able to install the plugin.

The problem is that after that the checkbox for Exploit Prevention is greyed out and you cannot enable it again.

Even an Update Now on the Sophos client doesn't change this; it is still greyed out.

Only after rebooting the PC it is possible to set it back to enabled.

But then you cannot disable it anymore.

Can you reproduce this?

Is there a way to enable Exploit Prevention again without rebooting the PC?

Thank You,
Akira



  • Hello Akira,

    first of all (one of the common misconceptions): Update Now refers strictly to software/detection data updates, it has nothing to do with settings/policies.

    What you observe is the expected behaviour. When Exploit Prevention (EXP) is locally disabled the Exploit prevention status in the Console (for SEC/SESC, can't say what you'd see in Central) changes to Partially disabled (restart required) and doesn't change unless you reboot. And until then the checkbox is inactive. Why?
    The DLL required for the protection of processes is not loaded while EXP is disabled. These will remain unprotected even if you'd subsequently enable it again. This would give a false sense of security. Furthermore, although inactive the DLL remains loaded in the processes that were already running. Thus a reboot is necessary to fully disable EXP.
    [after rebooting] you can not disable it anymore for a similar reason. Many processes were already loaded before EXP was re-enabled (whether locally or by policy). Thus the computer is not fully protected. Arguably that the checkbox is subsequently again disabled is adequate indication of this fact - IMO at least the Sophos icon should show the warning overlay.

    Haven't tested whether a request for policy compliance from the console would save you the second reboot - the HMPA log suggests it wouldn't.

    Christian

  • Hello Christian,

    thank you for enlightening us. So that means the process of installing something that is prevented by EXP is like this?

    Deactivate EXP > Install > Reboot > Activate EXP > Reboot

    Then the full protection is active again.

    Did I get this right?

    Best regards,

    Akira

  • Hello Akira,

    in principle, yes. Should be necessary only on rare occasions though.
    You didn't say why EXP didn't like (i.e. what event has been triggered) the install, am I correct that it was only the install and afterwards the plugin did run?

    Christian

  • Hello Christian,

    it was a Java plugin (OpenJDK Platform binary) and the event type was "Lockdown".

    And yes, it was only the install; it works now.

    Anke

  • Hello Anke,

    lockdown - if I'm not mistaken it's Central (not SESC) and a server.
    I'm not a Central customer but I think there's a better way to handle such cases, namely by means of the Server Lockdown Policy.

    Christian

  • We are not Central customers either; we have SEC, and it was on a PC, not a server.

    Anke

  • Hello Anke,

    ooh-kay ... wasn't aware that "lockdown" exists within EXP. Maybe the Event details give a hint which setting would permit the installation without going through the reboots.

    Christian

  • Hello Christian,

    I'm not really worried about that because it was a special plugin for IT admins that not everyone needs, so this will not happen often.

    Thank you for your help on this one; I understand much more now.

    I do have another question though. We are at a University and we want to protect all our staff's PCs and notebooks with Intercept, Exploit Prevention and CryptoGuard. This only works with SEC as far as I know. Now if an employee or professor has Sophos installed on his notebook and he has been connected here inside the University to our SEC, this notebook is protected. What if he takes this notebook somewhere where he is not connected, let's say he is offline or our SEC cannot be reached for some reason. Is it then still protected if he activates an exploit or crypto malware?

    Anke

  • Hi,

    Intercept X is available with Sophos Central only. Exploit prevention is available in both Sophos Central and Sophos Enterprise Console. This article will give you more idea about it.

    Regarding the update issue, if you are a Sophos Enterprise Console user, you can set a secondary update server and put Sophos as an update source. So, if the client is not able to communicate with the Update Manager, it will directly receive the updates from the Sophos cloud.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Hello Anke,

    like Application Control EXP requires a management server as the settings/policy can't be modified locally (except for potentially a global disable/enable). AFAIK like all other components EXP receives its "operating instructions" via updating and I assume in case a new protection feature is added it is enabled (i.e. when EXP is enabled the endpoint doesn't need to receive an updated policy in order to enable the feature).
    In other words, protection doesn't rely on RMS communication with the management server.

    Christian