Possible to allow specific exes access to the ShellExecuteW API?

PC: Windows 10 Enterprise (In Sophos > Help : Endpoint security and control 10.8)

For a week now I've been struggling with an issue on my work network where UE4Editor.exe and SkookumIDE.exe can't communicate with each other.

The network guy in charge of Sophos management is out of town for a while.

I have contacted the creators of SkookumIDE to try to troubleshoot the problem, and Sophos is the likely culprit - case in point, disabling the firewall (allowing all traffic through on Primary/Secondary in Sophos) completely allows SkookumIDE.exe and UE4Editor to communicate with each other. There is no remote communication going on; both exes exist on the same PC. In addition, I've verified that the exact same UE4 source code and SkookumIDE source code work on my home PC network, which does not use Sophos, w/o issue.

By default SkookumIDE and UE4Editor use the localhost loopback address 127.0.0.1:12357.

According to the author of SkookumIDE, "UE4Editor.exe calls a Windows API called ShellExecuteW to launch SkookumIDE.exe. These should be the only executables involved. I wouldn't be surprised if Sophos is intercepting calls to ShellExecuteW and dropping them; lots of malicious software tries to use ShellExecuteW."

If I ping (ping -t 10.0.1.225) my local address with Sophos's firewall enabled, I get incessant "Generic Error"s.

This happens even though I've added UE4Editor.exe and SkookumIDE.exe both to the firewall exceptions list in Sophos and in Windows Defender Firewall.

Only Web traffic is directed through a proxy at work.  Loopback is enabled for TCP UDP in Sophos.

Edit: Just for good measure, localhost, my local IP, and the loopback IP have been added to the proxy server exceptions list.

I don't know much of anything about network-related stuff.

By the way, I'm in Japan. Any suggestions for things I could try so that UE4Editor.exe and SkookumIDE.exe can communicate with each other w/o any intervention from Sophos?

  • The network guy had a look at it and doesn't know what else to try.

    Sophos is definitely doing something which disables UE4 and Skookum IDE from communicating.

    Solution for now is to just completely disable Sophos when wanting to use SkookumIDE.

    Any suggestions for things to try would be greatly appreciated.

  • In reply to Hans Wakelin:

    Hmmm....

    You say the two applications are on the same computer and something Sophos is doing is blocking them, correct?

    Basically it sounds like they are using the loopback IP to communicate, but we would need to know more in regards to what you mean by Sophos?

    I think we could figure this out with the details; you should be able to whitelist the applications or make adjustments somewhere. Many companies have in-house apps that admins have to make exceptions for with their security products.

  • In reply to badrobot:

    Thank you very much for the reply, badrobot! Apologies for my late reply.

    "You say the two applications are on the same computer and something Sophos is doing is blocking them, correct?"

    That is correct. SkookumScript uses the loopback IP to communicate with the UnrealEngine.exe.

    In Sophos, under Firewall Environment Settings > General tab, ticking the "Authorize all traffic" box for "Primary Location" allows them to communicate.

    I'm not exactly sure where I would need to add them as exceptions. If I have the 2 exes, UE4Editor.exe and SkookumIDE.exe (according to the developers of SkookumScript, these are the only 2 exes involved), added to the Firewall Environment Settings > General tab > Primary Location Environment Settings window > Application tab, it doesn't work.

    Edit: I think I found out what fixes it.

    If I add two new rules (one TCP and one UDP), for Direction and Local Address to Allow, specifying the loopback address and local address, in the Firewall Environment Settings > General tab > Primary Location Environment Settings > Global Rules tab, it seems to connect!

    I'll mark this as solved once I've completely verified.  If it doesn't work, I'll double-check w/ IT and make sure there's no whitelist they manage that the exes may need to be added to before updating the thread.

    Really appreciate the help!
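The fix above needed one TCP and one UDP global rule for the loopback address. The following self-test, added here as an example and not posted by anyone in the thread, binds a listener on 127.0.0.1 and does a 4-byte echo over each protocol, so you can confirm from the affected machine whether loopback is actually passing before and after changing the Sophos rules. It assumes Python 3 and takes the port 12357 from the post; port 0 picks a free port.

```python
import socket

LOOPBACK = "127.0.0.1"
PORT = 12357  # loopback port the thread says UE4Editor and SkookumIDE use


def tcp_loopback_ok(port=PORT, timeout=2.0):
    """Listen on the loopback port, connect to it, and echo 4 bytes round-trip.
    Returns False if any step is refused, dropped (times out) or the port is busy."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(timeout)
    try:
        srv.bind((LOOPBACK, port))
        srv.listen(1)
        bound = srv.getsockname()[1]
        with socket.create_connection((LOOPBACK, bound), timeout=timeout) as cli:
            conn, _ = srv.accept()
            with conn:
                cli.sendall(b"ping")
                conn.sendall(conn.recv(64))   # server side echoes what it got
                return cli.recv(64) == b"ping"
    except OSError:                           # includes socket.timeout
        return False
    finally:
        srv.close()


def udp_loopback_ok(port=PORT, timeout=2.0):
    """Same round-trip over UDP, since the fix needed a TCP rule and a UDP rule."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.settimeout(timeout)
    cli.settimeout(timeout)
    try:
        srv.bind((LOOPBACK, port))
        bound = srv.getsockname()[1]
        cli.sendto(b"ping", (LOOPBACK, bound))
        data, addr = srv.recvfrom(64)
        srv.sendto(data, addr)                # echo back to the sender
        reply, _ = cli.recvfrom(64)
        return reply == b"ping"
    except OSError:
        return False
    finally:
        cli.close()
        srv.close()


def check_loopback(port=PORT):
    """Run both probes; a host firewall that drops loopback shows up as False."""
    return {"tcp": tcp_loopback_ok(port), "udp": udp_loopback_ok(port)}


if __name__ == "__main__":
    for proto, ok in check_loopback().items():
        print(f"{proto.upper()} loopback {LOOPBACK}:{PORT}: {'OK' if ok else 'BLOCKED or port in use'}")
```

Run it with Sophos in its normal state and again with the two global rules in place; both lines should read OK once the rules are correct.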