Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 2839 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

System lockup from combo of SAV + SCF + AutoIt Compiled EXE

RyanG

Hi,

I've recently completed limited testing of a new login script based on AutoIt.  It's a compiled EXE file, and it runs blindingly fast on every system I tested it on.  Even those with SAV installed.

I then released it into a limited amount of computers and laptops in my surrounding area - this is where I've hit an issue.  The program performs fine with SAV, as stated, but if the computer has SAV+SCF installed, the SAVService.exe jumps up to 99% usage and stays there until the program exits, and the login script takes approx. 5mins to execute (vs. approx. 5-10secs on any other system).

To begin with, Sophos had logged the file in quarantine as "HIPS/IPConnect-001", so I added my file to the authorized list under AV/HIPS config.  I also added its checksum and application to the firewalls allowed applications list.  Doing so only prevented the errors from appearing in Sophos, the system was still slowed as soon as the application ran.

If I uninstall SCF, the issue goes away.  If I disable SCF (Allow all traffic), the issue does *NOT* go away.  And to throw another spanner in the works, if I leave SCF installed, and enabled, *BUT DISABLE* HIPS "Detect suspicious behavior", the program works fine.

Can anyone shed some light on the issue here?  Why does Sophos hate my application, but only under certain circumstances? :smileysad:

:2380


This thread was automatically locked due to age.
Parents
  • 0

    Hi RyanG,

    The reason why Sophos detects this file with the Firewall installed is that SAV can leverage the additional information that the firewall can provide to trigger additional HIPS behaviour events (the IPconnect set of rules)

    Without the firewall installed, this information is not available, so the file is not detected.

    What I would suggest is that you submit the file to us as a sample, as although it is common for script files that are packed as executables to trigger suspicious detections, they should be fine when authorised and certainly should not be causing the SAVservice to run at that level of CPU utilisation.

    Please submit the file at the location below and provide the same full description of why you are sending it as you gave here so that the labs can have a look at what is going on:

    https://secure.sophos.com/support/samples/

    Regards,

    Stephen.

    :2398
Reply
  • 0

    Hi RyanG,

    The reason why Sophos detects this file with the Firewall installed is that SAV can leverage the additional information that the firewall can provide to trigger additional HIPS behaviour events (the IPconnect set of rules)

    Without the firewall installed, this information is not available, so the file is not detected.

    What I would suggest is that you submit the file to us as a sample, as although it is common for script files that are packed as executables to trigger suspicious detections, they should be fine when authorised and certainly should not be causing the SAVservice to run at that level of CPU utilisation.

    Please submit the file at the location below and provide the same full description of why you are sending it as you gave here so that the labs can have a look at what is going on:

    https://secure.sophos.com/support/samples/

    Regards,

    Stephen.

    :2398
Children
No Data
Unfiltered HTML