APCViolation in Firefox and 'Unknown Threat' at 'null'

One of our customers has been running EAP1 on about 100 machines. For the past 48 hours they have been facing some strange issues on multiple machines:


1. Whenever they try to open Firefox (different versions), Intercept X stops it from opening and generates 'APCViolation exploit prevented in Firefox'.

2. Receiving 'APCViolation' alerts for multiple applications:

   a. Windows Logon User Interface Host
   b. Microsoft .NET Framework
   c. Microsoft Feeds Synchronization

3. Receiving alert in Central - 'Unknown Threat' detected at 'null'


Seems to happen only on Windows 10 machines as of now. Do let us know if we can help with anything else.


Logs at C:\ProgramData\HitmanPro.Alert\Logs\Sophos.logs


2018-01-10T13:20:15.317Z [Alert] APCViolation, familyId=00d50823-4e23-43c3-8b39-ac6bfc84e88a, PID 13116, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2018-01-10T13:20:15.354Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\Alert-20180110075015317-9.xml
2018-01-10T13:20:15.439Z [Sophos] dropped C:\ProgramData\Sophos\Health\Event Store\Incoming\4fc6ba99-f244-4cd1-9af1-f21fbe1c288b.json


2018-01-10T13:20:15.770Z [Protected] PID 9152, Features 000702341FBFB106, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2018-01-10T13:20:15.939Z [Protected] PID 1808, Features 000702341FBFB106, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2018-01-10T13:20:16.133Z [Alert] APCViolation, familyId=490b39c9-7a99-4de9-a35e-5d231c2ceb0a, PID 1808, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2018-01-10T13:20:16.155Z [Alert] APCViolation, familyId=414170d7-1a75-4fd5-97a8-d51a033e46ed, PID 9152, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2018-01-10T13:20:16.155Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\Alert-20180110075016133-10.xml
2018-01-10T13:20:16.155Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\Alert-20180110075016155-11.xml
2018-01-10T13:20:16.254Z [Sophos] dropped C:\ProgramData\Sophos\Health\Event Store\Incoming\22a1ce31-5c2d-415d-aa55-e1c1bf97ef72.json
2018-01-10T13:20:16.417Z [Sophos] dropped C:\ProgramData\Sophos\Health\Event Store\Incoming\02019aff-8b26-45d2-92ba-9dbc308d49a7.json

Please see attached snapshots. Intercept X Version - Attached in Snapshot.
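
A triage aid for the log excerpt above, added here as an example and not part of the original post or of any Sophos tooling: it parses the [Alert] and [Protected] line layouts as they appear in the excerpt, counts alerts per mitigation and executable, and reports how many milliseconds after a PID's [Protected] line its alert fired. The function names and the line layout are assumptions inferred only from the lines shown; on a full log, PID reuse would need handling.

```python
import re
from collections import Counter
from datetime import datetime

# Lines copied from the log excerpt in the post (one "[Sophos] dropped" line kept
# to show that non-process lines are skipped).
SAMPLE = r"""
2018-01-10T13:20:15.317Z [Alert] APCViolation, familyId=00d50823-4e23-43c3-8b39-ac6bfc84e88a, PID 13116, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2018-01-10T13:20:15.354Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\Alert-20180110075015317-9.xml
2018-01-10T13:20:15.770Z [Protected] PID 9152, Features 000702341FBFB106, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2018-01-10T13:20:15.939Z [Protected] PID 1808, Features 000702341FBFB106, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2018-01-10T13:20:16.133Z [Alert] APCViolation, familyId=490b39c9-7a99-4de9-a35e-5d231c2ceb0a, PID 1808, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2018-01-10T13:20:16.155Z [Alert] APCViolation, familyId=414170d7-1a75-4fd5-97a8-d51a033e46ed, PID 9152, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
"""

# Layout inferred from the excerpt: timestamp, [kind], optional mitigation and
# familyId (alerts), PID, optional Features mask (protected), image path.
LINE = re.compile(
    r"^(?P<ts>\S+Z) \[(?P<kind>Alert|Protected)\] "
    r"(?:(?P<mit>\w+), familyId=(?P<family>[0-9a-f-]+), )?"
    r"PID (?P<pid>\d+), (?:Features (?P<feat>[0-9A-F]+), )?(?P<image>.+)$"
)

def triage(text):
    """One record per [Alert] line; ms_after_protect is None when the log
    holds no earlier [Protected] line for that PID."""
    protected = {}  # pid -> timestamp of its [Protected] line
    alerts = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and "[Sophos] dropped ..." carry no PID
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        pid = int(m["pid"])
        if m["kind"] == "Protected":
            protected[pid] = ts
            continue
        start = protected.get(pid)
        delay = None if start is None else round((ts - start).total_seconds() * 1000)
        alerts.append({"mitigation": m["mit"], "family": m["family"], "pid": pid,
                       "image": m["image"], "ms_after_protect": delay})
    return alerts

def summarize(alerts):
    """Alert count per (mitigation, lower-cased image path)."""
    return dict(Counter((a["mitigation"], a["image"].lower()) for a in alerts))

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
    print(summarize(triage(SAMPLE)))
```

Run over logs collected from several endpoints, the per-image counts show which executables are affected, and the delay column shows whether the alert fires at process start or later in the session.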

  • Hi Anish

    Can you download a more current build of HMPA and retest?


    Place the executable in the HMPA folder, for example C:\Program Files (x86)\HitmanPro.Alert

    To upgrade your EAP1 to 723, just open a command prompt as administrator and run: hmpalert3b723.exe /upgrade

    Don’t forget to reboot the machine and you’re good to retest.

    This build is still in validation, but as you are on the EAP, we are giving you early access to it. We believe it should address the issue. As normal, we recommend that you only deploy this build to your endpoints on the EAP. 

    Let us know how you get on.