
Sophos Mitigation Lockdown

Hello there,

I'm having an issue with Sophos blocking a safe website that we use internally. Can I add the website to an exclusion without adding Internet Explorer to the Exploit Mitigation Exclusions?


Mitigation Lockdown

Platform 10.0.15063/x64 v583 06_3a
PID 6908
Application C:\Program Files (x86)\Internet Explorer\iexplore.exe
Description Internet Explorer 11

VBScript God Mode
eboligaalborg.egdatainform.dk/tilbud.asp

Process Trace
1 C:\Program Files (x86)\Internet Explorer\iexplore.exe [6908]
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5768 CREDAT:206089 /prefetch:2
2 C:\Program Files\Internet Explorer\iexplore.exe [5768]
3 C:\Program Files (x86)\Internet Explorer\iexplore.exe [9096]
4 C:\Windows\explorer.exe [7712]
5 C:\Windows\System32\userinit.exe [7876]
6 C:\Windows\System32\winlogon.exe [592]
winlogon.exe
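For anyone triaging events like the one pasted above, here is an added example (not from the original post and not Sophos code) that parses the Mitigation Lockdown block into its fields and process trace. It assumes only the layout visible in the post: blank-line separated sections, `Key value` header lines, a detection section whose first line is the detection name and optional second line is the URL, and trace lines of the form `N image [pid]` optionally followed by the command line. The sample event is constructed from the post itself; the helper names (`parse_lockdown`, `launched_from_interactive_logon`, `content_process`) are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the Mitigation Lockdown block from the post above, verbatim.
SAMPLE_EVENT = r"""Mitigation Lockdown

Platform 10.0.15063/x64 v583 06_3a
PID 6908
Application C:\Program Files (x86)\Internet Explorer\iexplore.exe
Description Internet Explorer 11

VBScript God Mode
eboligaalborg.egdatainform.dk/tilbud.asp

Process Trace
1 C:\Program Files (x86)\Internet Explorer\iexplore.exe [6908]
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5768 CREDAT:206089 /prefetch:2
2 C:\Program Files\Internet Explorer\iexplore.exe [5768]
3 C:\Program Files (x86)\Internet Explorer\iexplore.exe [9096]
4 C:\Windows\explorer.exe [7712]
5 C:\Windows\System32\userinit.exe [7876]
6 C:\Windows\System32\winlogon.exe [592]
"""

TRACE_RE = re.compile(r"^(\d+) (.+?) \[(\d+)\]$")          # "N image [pid]"
HEADER_KEYS = ("Platform", "PID", "Application", "Description")
# Parent chain of a normal interactive logon, innermost first (assumed "known good" shape).
NORMAL_LOGON_CHAIN = ("explorer.exe", "userinit.exe", "winlogon.exe")


@dataclass
class TraceEntry:
    depth: int                     # 1 = the process that tripped the mitigation
    image: str
    pid: int
    cmdline: Optional[str] = None  # command line, when the log prints one under the entry


@dataclass
class LockdownEvent:
    platform: str
    pid: int
    application: str
    description: str
    detection: str
    detail: Optional[str]          # e.g. the URL line under the detection name
    trace: List[TraceEntry]


def _blocks(text: str) -> List[List[str]]:
    """Split the event text into blank-line separated blocks of stripped lines."""
    blocks: List[List[str]] = []
    current: List[str] = []
    for line in text.splitlines():
        if line.strip():
            current.append(line.strip())
        elif current:
            blocks.append(current)
            current = []
    if current:
        blocks.append(current)
    return blocks


def parse_lockdown(text: str) -> LockdownEvent:
    """Parse one Mitigation Lockdown block; raises ValueError on a malformed event."""
    blocks = _blocks(text)
    if not blocks or blocks[0][0] != "Mitigation Lockdown":
        raise ValueError("not a Mitigation Lockdown event")
    fields: Dict[str, str] = {}
    detection: Optional[str] = None
    detail: Optional[str] = None
    trace: List[TraceEntry] = []
    for block in blocks[1:]:
        if block[0] == "Process Trace":
            for line in block[1:]:
                match = TRACE_RE.match(line)
                if match:
                    trace.append(TraceEntry(int(match.group(1)), match.group(2), int(match.group(3))))
                elif trace:
                    trace[-1].cmdline = line   # a command line belongs to the entry above it
        elif block[0].split(" ", 1)[0] in HEADER_KEYS:
            for line in block:
                key, _, value = line.partition(" ")
                fields[key] = value
        elif detection is None:
            detection = block[0]
            detail = block[1] if len(block) > 1 else None
    missing = [k for k in HEADER_KEYS if k not in fields]
    if missing or detection is None:
        raise ValueError(f"incomplete event, missing {missing or 'detection name'}")
    return LockdownEvent(fields["Platform"], int(fields["PID"]), fields["Application"],
                         fields["Description"], detection, detail, trace)


def ancestor_images(event: LockdownEvent) -> List[str]:
    """Lower-cased image base names, from the tripping process back to the root of the trace."""
    return [entry.image.rsplit("\\", 1)[-1].lower() for entry in event.trace]


def launched_from_interactive_logon(event: LockdownEvent) -> bool:
    """True when the trace bottoms out in the usual winlogon -> userinit -> explorer chain."""
    return tuple(ancestor_images(event)[-3:]) == NORMAL_LOGON_CHAIN


def content_process(event: LockdownEvent) -> Optional[TraceEntry]:
    """The trace entry whose PID matches the event PID, i.e. the process that hit the mitigation."""
    return next((entry for entry in event.trace if entry.pid == event.pid), None)


if __name__ == "__main__":
    event = parse_lockdown(SAMPLE_EVENT)
    print(event.detection, "in", event.description, "PID", event.pid, "on", event.detail)
    print("parent chain:", " <- ".join(ancestor_images(event)))
    print("normal logon chain:", launched_from_interactive_logon(event))
```

Pulling the trace apart this way makes Christian's point below concrete: the event records the process lineage (here a normal interactive logon chain ending in winlogon.exe), not the site, so the only thing the log gives you to exclude is a process. The URL line is still worth recording in a ticket so that support can reproduce the detection against that page.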



  • Hello Kristian,

    I've just looked up God Mode in the Exploits Explained paper. As far as I understand it, a modification of the safemode flag is detected. Dunno if some innocent script could inadvertently trigger this detection.
    Furthermore - again, as far as I understand it - Intercept X/EXP "works up", i.e. only traces back from a detection, and doesn't care which site is visited or from where what content is loaded, so excluding a site isn't possible.

    Christian   

  • Ah, I see. What would be a solution for this? We have 25+ users using this site several times a day.

  • Hello Kristian,

    modifying the application so that it runs under its own process (that you could then exclude) is likely not feasible and excluding IE is naturally not desirable. Support should at least be able to give you a definite answer whether some other solution is imaginable.

    Christian