I've started using Sophos Exploit Prevention with Sophos Enterprise Console and had a problem where our Web/Java based ERP system was "false flagged" as an exploit. The workaround was to put an exclusion in the policy for jp2launcher.exe. I'm assuming that this will exclude all java plugins from exploit prevention. Is there a way of targeting only the plugins of the ERP system for exclusion? I've seen other posts which suggest putting the thumbprint into the client PC registry WhiteThumbprints key. I tried to do this but it looks like there is a thumbprint for each user. What are the implications of excluding jp2launcher.exe as it does not seem practical to gather the thumbprints of each user of the system to create the whitelist?
HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\
The key is of type:
REG_MULTI_SZ
With the name of:
WhiteThumbprints
Mitigation Lockdown
Platform 6.1.7601/x86 v604 06_2a
PID 4144
Application C:\Program Files\Java\jre1.8.0_111\bin\java.exe
Description Java(TM) Platform SE binary 8
Filename C:\Users\xxxxx\AppData\Local\Temp\.djnativeswing\classpath
Process Trace
1 C:\Program Files\Java\jre1.8.0_111\bin\java.exe [4144]
"C:\Program Files\Java\jre1.8.0_111\bin\java" "-Djava.library.path=C:\Program Files\Java\jre1.8.0_111\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Program Files\Internet Explorer;;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\
2 C:\Program Files\Java\jre1.8.0_111\bin\jp2launcher.exe [2072]
"C:\Program Files\Java\jre1.8.0_111\bin\jp2launcher.exe" -secure -plugin -jre "C:\Program Files\Java\jre1.8.0_111" -vma LURfX2p2bV9sYXVuY2hlZD0zMjY3NTk3MjgALURfX2FwcGxldF9sYXVuY2hlZD0zMjY3NTc5NDIALURzdW4uYXd0Lndhcm11cD10cnVlAC1EamF2YS5zZWN1cml0eS5tYW5hZ2Vy
3 C:\Program Files\Internet Explorer\iexplore.exe [5712]
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4748 CREDAT:78849 /prefetch:2
4 C:\Program Files\Internet Explorer\iexplore.exe [4748]
5 C:\Windows\explorer.exe [3056]
6 C:\Windows\System32\userinit.exe [2620]
7 C:\Windows\System32\winlogon.exe [560]
winlogon.exe
Thumbprint
4027efd55347a6d47606ae92dc22d360cdce83c500e5c779888558044f3c6803
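Added example, not part of the original thread and not Sophos code: a Python sketch that parses alert reports in the text layout shown above and groups thumbprints by the user profile found in the Filename path, so an administrator can see how many distinct values a WhiteThumbprints list would need. The sample alerts, user names, PIDs and thumbprint values are constructed, and the field names are taken from the alert as it appears in this post.

```python
import re
from collections import defaultdict

FIELDS = {"Platform", "PID", "Application", "Description", "Filename"}
THUMBPRINT = re.compile(r"[0-9a-f]{64}")
PROFILE = re.compile(r"\\Users\\([^\\]+)\\", re.IGNORECASE)

def parse_alerts(text):
    """Split concatenated alert reports; each starts at a 'Mitigation' line."""
    alerts, current, expect_thumbprint = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        key, _, value = line.partition(" ")
        if key == "Mitigation":
            current = {"Mitigation": value}
            alerts.append(current)
        elif current is None:
            continue                      # text before the first alert
        elif expect_thumbprint:
            # The value sits on the line after the 'Thumbprint' label.
            if THUMBPRINT.fullmatch(line.lower()):
                current["Thumbprint"] = line.lower()
            expect_thumbprint = False
        elif line == "Thumbprint":
            expect_thumbprint = True
        elif key in FIELDS and value:
            current[key] = value          # trace lines start with a digit or quote
    return alerts

def users_per_thumbprint(alerts):
    """Map each thumbprint to the profile names seen in its Filename paths."""
    seen = defaultdict(set)
    for alert in alerts:
        match = PROFILE.search(alert.get("Filename", ""))
        if "Thumbprint" in alert:
            seen[alert["Thumbprint"]].add(match.group(1) if match else "(no profile)")
    return {thumb: sorted(users) for thumb, users in seen.items()}

# Constructed sample in the layout of the alert above; values are not real.
TEMPLATE = r"""Mitigation Lockdown
PID {pid}
Application C:\Program Files\Java\jre1.8.0_111\bin\java.exe
Filename C:\Users\{user}\AppData\Local\Temp\.djnativeswing\classpath
Process Trace
1 C:\Program Files\Java\jre1.8.0_111\bin\java.exe [{pid}]
Thumbprint
{thumb}
"""
SAMPLE = "".join(TEMPLATE.format(pid=p, user=u, thumb=t) for p, u, t in [
    (4144, "user_a", "aa" * 32), (5120, "user_b", "bb" * 32), (6200, "user_a", "aa" * 32)])

if __name__ == "__main__":
    for thumb, users in users_per_thumbprint(parse_alerts(SAMPLE)).items():
        print(thumb, ", ".join(users))
```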