One of our customers has been running EAP1 on about 100 machines. For the past 48 hours they have been facing some strange issues on multiple machines:
1. Whenever they try to open Firefox (different versions) Intercept X stops it from opening and generates 'APCViolation exploit prevented in Firefox'
2. Receiving 'APCViolation' alerts for multiple applications:
a. Windows Logon User Interface Host
b. Microsoft .NET Framework
c. Microsoft Feeds Synchronization
3. Receiving alert in Central - 'Unknown Threat' detected at 'null'
Seems to happen only on Windows 10 machines as of now. Do let us know if we can help with anything else.
Logs at C:\ProgramData\HitmanPro.Alert\Logs\Sophos.logs
2018-01-10T13:20:15.317Z [Alert] APCViolation, familyId=00d50823-4e23-43c3-8b39-ac6bfc84e88a, PID 13116, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2018-01-10T13:20:15.354Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\Alert-20180110075015317-9.xml
2018-01-10T13:20:15.439Z [Sophos] dropped C:\ProgramData\Sophos\Health\Event Store\Incoming\4fc6ba99-f244-4cd1-9af1-f21fbe1c288b.json
2018-01-10T13:20:15.770Z [Protected] PID 9152, Features 000702341FBFB106, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2018-01-10T13:20:15.939Z [Protected] PID 1808, Features 000702341FBFB106, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2018-01-10T13:20:16.133Z [Alert] APCViolation, familyId=490b39c9-7a99-4de9-a35e-5d231c2ceb0a, PID 1808, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2018-01-10T13:20:16.155Z [Alert] APCViolation, familyId=414170d7-1a75-4fd5-97a8-d51a033e46ed, PID 9152, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2018-01-10T13:20:16.155Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\Alert-20180110075016133-10.xml
2018-01-10T13:20:16.155Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\Alert-20180110075016155-11.xml
2018-01-10T13:20:16.254Z [Sophos] dropped C:\ProgramData\Sophos\Health\Event Store\Incoming\22a1ce31-5c2d-415d-aa55-e1c1bf97ef72.json
2018-01-10T13:20:16.417Z [Sophos] dropped C:\ProgramData\Sophos\Health\Event Store\Incoming\02019aff-8b26-45d2-92ba-9dbc308d49a7.json
Please see attached snapshots. Intercept X Version - Attached in Snapshot.
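When a mitigation such as APCViolation starts firing across a fleet, the first triage question is which process images and how many distinct alert families are involved, which is easier to answer from the Sophos.logs file than from individual Central alerts. The following parser is an added example and is not code from the post's author or from Sophos; the entry layout (timestamp, bracketed source, then a comma-separated body) is inferred only from the lines quoted above, and the sample input is constructed from those lines, with two entries deliberately run together on one line as they appear in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: entries quoted in the post. The first and fourth entries are
# intentionally concatenated with the entry that follows (no newline between them).
SAMPLE_LOG = (
    "2018-01-10T13:20:15.317Z [Alert] APCViolation, familyId=00d50823-4e23-43c3-8b39-ac6bfc84e88a, "
    "PID 13116, C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"
    "2018-01-10T13:20:15.354Z [Sophos] dropped C:\\ProgramData\\HitmanPro.Alert\\MCS\\Alert-20180110075015317-9.xml\n"
    "2018-01-10T13:20:15.770Z [Protected] PID 9152, Features 000702341FBFB106, "
    "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\n"
    "2018-01-10T13:20:16.133Z [Alert] APCViolation, familyId=490b39c9-7a99-4de9-a35e-5d231c2ceb0a, "
    "PID 1808, C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"
    "2018-01-10T13:20:16.155Z [Alert] APCViolation, familyId=414170d7-1a75-4fd5-97a8-d51a033e46ed, "
    "PID 9152, C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\n"
)

TIMESTAMP = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z"
# Zero-width split at every "<timestamp> [" so entries glued together on one line
# are still separated (assumption: a timestamp never occurs inside an entry body).
ENTRY_START = re.compile(rf"(?=(?:{TIMESTAMP}) \[)")
ENTRY = re.compile(rf"^(?P<ts>{TIMESTAMP}) \[(?P<source>[^\]]+)\] (?P<body>.*)$")
# Body shapes inferred from the quoted lines (assumed, not documented by the vendor).
ALERT = re.compile(r"^(?P<kind>\w+), familyId=(?P<family>[0-9a-f-]{36}), PID (?P<pid>\d+), (?P<image>.+)$")
PROTECTED = re.compile(r"^PID (?P<pid>\d+), Features (?P<features>[0-9A-F]+), (?P<image>.+)$")


def split_entries(text):
    """Yield one entry per timestamp, repairing entries concatenated on a single line."""
    for chunk in ENTRY_START.split(text):
        chunk = chunk.strip()
        if chunk:
            yield chunk


def parse_entry(line):
    """Parse one entry into a dict; returns None for lines that do not match the layout."""
    m = ENTRY.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "source": m["source"], "body": m["body"]}
    if m["source"] == "Alert":
        a = ALERT.match(m["body"])
        if a:
            rec.update(kind=a["kind"], family_id=a["family"], pid=int(a["pid"]), image=a["image"])
    elif m["source"] == "Protected":
        p = PROTECTED.match(m["body"])
        if p:
            rec.update(pid=int(p["pid"]), features=p["features"], image=p["image"])
    return rec


def parse_log(text):
    """Parse a whole Sophos.logs blob, dropping unparseable fragments."""
    return [r for r in (parse_entry(e) for e in split_entries(text)) if r]


def summarize_alerts(records):
    """Count mitigation alerts per (kind, image): a burst against one benign image
    (such as firefox.exe here) points at a false positive rather than an attack."""
    counts = defaultdict(int)
    for r in records:
        if r["source"] == "Alert" and "kind" in r:
            counts[(r["kind"], r["image"])] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (kind, image), n in summarize_alerts(recs).items():
        print(f"{n}x {kind} on {image}")
```

Run against a real file with `parse_log(open(path, encoding="utf-8").read())`; the per-image counts together with the distinct `family_id` values give the reviewer a quick check that the alerts come from one application being tripped repeatedly rather than from varied activity across the machine.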
Can you download a more current build of HMPA and retest?
Place the executable in the HMPA folder. For example C:\Program Files (x86)\HitmanPro.Alert
To upgrade your EAP1 to 723, just open a command prompt as administrator and run: hmpalert3b723.exe /upgrade
Don’t forget to reboot the machine and you’re good to retest.
This build is still in validation, but as you are on the EAP, we are giving you early access to it. We believe it should address the issue. As normal, we recommend that you only deploy this build to your endpoints on the EAP.
Let us know how you get on.