HIPS killing process of executable

Question

Hello,

Please forgive my ignorance in advance. I'm the backup to the backup to the backup of our orgs Sophos Admin. We are using ECM 4.0 and Endpoint Security and Control v9.0. Sophos isn't allowing our clients to install a database program. Below is the error -

20100802 180438 Process "c:\Users\Scott.Bentley\AppData\Local\Temp\mia9774.tmp\setuptntmpd.exe" exhibiting suspicious behavior pattern 'HIPS/ProcInj-001'.
Process killed.

On my client, I changed my HIPS runtime behaviour analysis to "alert only". I didn't get an alert, but it did end up installing the software this time. We've added this .exe to the ECM's multiple exclusion lists. It continues to kill the installation each time it's a fresh install or the program attempts to update to a new version. The updates aren't mandatory, scheduled or pushed, or else we would disable HIPS temporarily from the server, then enable it after it's done. Suggestions or what further info is needed? Thanks.

This thread was automatically locked due to age.

QC · Accepted Answer

Hello backup squared :smileywink:,

of course an authorized program (as opposed to a scanning exclusion) is not only identified by name. Both the alert in SEC and the executable's tooltip in the Authorization ... window contain version and checksum information. Guess you see more than one instance of setuptntmpd.exe. Let's say that it's sub-optimal installation technique. 
 I hope you do know when the installer changes (although I'm aware there are still products which do it "their smart way" and expect that everything else submits to their behaviour). If so then just run the installer on a test computer and authorize the current version using SEC. And - AFAIK it makes a difference whether an executable is signed or not.

HTH 
 Christian 
 :4352