
Chrome and Firefox being detected as HIPS/ProcInj-001??

Hello, we are currently evaluating Sophos control center (Version 9.5). I have noticed that on my PC (Windows 7 32-bit) every time I launch Google Chrome, and about half the times I launch Firefox, I keep getting the following notification:

HIPS/ProcInj-001, and it points to the chrome or firefox.exe file. This does not happen with IE8, Safari, or Opera. The PC is in a group with all the default settings. No NAC, data security or anything has been configured. I have tried authorizing it but it still pops up. Any ideas?



This thread was automatically locked due to age.
  • Hello hex,

    I'd "expect" HIPS alerts (although not ProcInj) during install but not on a normal run. Dunno about Chrome but definitely haven't seen it with Firefox. Did you install both before installing Sophos? Do you have any add-ons? I'm asking because before authorizing an application I'd try to find out what it's attempting.

    Anyway authorizing it should succeed - did you do it from SEC or locally? Do you have only one instance in the authorized programs list or several?

    Christian

  • Thanks for getting back to me, Christian. To answer your questions...

    Both were installed before putting Sophos on the computer.

    I have a million add-ons for FF, none for Chrome (I only use it to access one website).

    How would I find out what it's attempting? There doesn't seem to be anywhere else to "dig."

    I have tried authorizing them both locally and from SEC.

    If I let it go I can have more than one instance waiting to be authorized.

    I have attached a screenshot just in case it helps. I only have one instance of each in quarantine right now.

    Also, I have another question: I am trying to install the agent on some IBM/Lenovo ThinkPads. Our current AV solution (Trend Micro WFBS) always had issues with the ThinkPad's connection manager (Access Connections) and wouldn't let us deploy remotely. Is there a known issue with the Sophos client on ThinkPads? I can't get the client to install on any of them. It keeps telling me there is 3rd party security software and it can't install. There is no AV on the machines, and I did check off the "3rd party detection" option.


  • [Remark: any ideas why firefox.exe is under ProgramData? I've found a few references but no explanation.]

    About authorization:

    If you authorize using SEC you change the policy and subsequently local authorizations will be overwritten. Anyway if you hover the mouse over an entry in the Authorization Manager you'll see additional information about the file:

    If the executables do not change (and I think they should not) you will see only one checksum for each. Authorizing (do it locally) moves them to the right column (as in the image). If when starting e.g. Firefox you receive another alert you should see a new entry in the left column - of course with a different checksum.

    Could you try it once more and describe what you see?

    Christian

  • I had been authorizing them by clicking "Quarantine" then checking the box. Doing it the way you have it pictured seems to work. It hasn't popped up the last two times I opened Chrome. I will update the post when I get more info. Thank you for your help.

  • Update: Hi Christian, it hasn't popped up again since authorizing it the way you showed me. I sent some samples to support for analysis. I will update again when I find results.
