
Exploit Prevention LoadLib error when opening Office docs

Hi,  we have just got exploit prevention installed on-premise, but certain users are having issues opening office docs and PDFs.  When they try to do so, the file closes immediately with a message about exploit prevention.  Looking in the computer details tab in SEC, it shows the event as LoadLib.

 

I have had to disable protection for these programs as it's preventing genuine files from being opened. Why is this happening?



  • Hi,

    Can you paste here the entire event log entry for the detection(s)?

    Regards,

    Jak

  • Hi, do you mean the Windows event log, or Sophos? Where would I find that info?

  • Hi Jak

    The DLL belongs to a Langenscheidt dictionary for translation german-french, german-italian. We use this application since 2002 and some of our users like it a lot.

    The results on virustotal.com are OK.

    Since today we know much more about when it happens. If this Langenscheidt dictionary application is started on a client, every time the user makes a keyboard entry in Word or IE, the Sophos exploit alert will close Word or IE. Because just a small number of users are using this Langenscheidt dictionary, all other client computers do not have any exploit alerts.

    The alert pop-up from Sophos is so small, in the lower right corner of the screen, and only visible for about 3 seconds. So the users didn't notice why Word was closed.

    This happens on Windows 7 computers and is no problem on Windows 10 computers. It looks like it is not Sophos that is working "strangely"; Word or IE is loading this DLL. We don't know why, because there is no link from this Langenscheidt application to Word or IE. Windows 10 works differently and doesn't load this DLL.

    The thumbprints are the same across the different clients. One for Word and another one for IE.

    The WhiteThumbprints REG_MULTI_SZ works fine. We just did some successful testing and tomorrow the registry file with these two thumbprints will be loaded on all clients.

    I look forward to Sophos implementing this in the Sophos Management Console so that we do not have to take care of registry files. This would be nicer.

    Actually it works and we will leave it this way.

    Thanks a lot and best Regards,

    André

  • We are seeing similar issues, linked to Adobe DC and Outlook.exe, when opening specific PDF attachments. Whilst we could use exclusions, what if the actual attachment did contain malicious code? Would we get the same exploit warning? If we exclude both Adobe and Outlook, we would not get any indication of problems.

     

    Mitigation   LoadLib
    Platform     6.1.7601/x86 v583 06_3a
    PID          8472
    Application  C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Description  Adobe Acrobat Reader DC 17.9
    EIP          5AEF4A58 (hpvpldrv09.dll)
    Heap address 20BB0000
    Length       512KB
    20BB0000  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
    20BB0010  B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
    20BB0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    20BB0030  00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00  ................
    20BB0040  0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68  ........!..L.!Th
    20BB0050  69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is program canno
    20BB0060  74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t be run in DOS
    20BB0070  6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00  mode....$.......
    20BB0080  DA 55 9C 8C 9E 34 F2 DF 9E 34 F2 DF 9E 34 F2 DF  .U...4...4...4..
    20BB0090  97 4C 67 DF 80 34 F2 DF 97 4C 71 DF FA 34 F2 DF  .Lg..4...Lq..4..
    20BB00A0  B9 F2 89 DF 9D 34 F2 DF 9E 34 F3 DF D5 34 F2 DF  .....4...4...4..
    20BB00B0  97 4C 76 DF 4B 34 F2 DF 97 4C 60 DF 9F 34 F2 DF  .Lv.K4...L`..4..
    20BB00C0  97 4C 63 DF 9F 34 F2 DF 52 69 63 68 9E 34 F2 DF  .Lc..4..Rich.4..
    20BB00D0  00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00  ........PE..L...
    20BB00E0  91 64 B4 4E 00 00 00 00 00 00 00 00 E0 00 02 21  .d.N...........!
    20BB00F0  0B 01 09 00 00 50 06 00 00 16 01 00 00 00 00 00  .....P..........
    20BB0100  E0 88 04 00 00 10 00 00 00 60 06 00 00 00 00 10  .........`......
    20BB0110  00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00  ................
    20BB0120  05 00 00 00 00 00 00 00 00 90 07 00 00 04 00 00  ................
    20BB0130  00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00  ................
    20BB0140  00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00  ................
    20BB0150  A0 D9 06 00 70 00 00 00 FC D3 06 00 28 00 00 00  ....p.......(...
    20BB0160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    20BB0170  00 00 00 00 00 00 00 00 00 30 07 00 D8 38 00 00  .........0...8..
    Process Trace
    1  C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe [8472]
    "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /p /h "C:\Users\justine.scott.L83045\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\O7T7GNLV\Invoice - 108685 - Bovey Tracy  Chudleigh Practice - 160617_0734.pdf"
    2  C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE [5880]
    3  C:\Windows\explorer.exe [5164]
    4  C:\Windows\System32\userinit.exe [5296]
    5  C:\Windows\System32\winlogon.exe [676]
    winlogon.exe
  • Hi Gary

    Do all clients have the same thumbprint in the HitmanPro.Alert events?

    After winlogon.exe there is a thumbprint like this:

    4  C:\Windows\System32\userinit.exe [5296]
    5  C:\Windows\System32\winlogon.exe [676]
    winlogon.exe

    Thumbprint
    124afc63523f51c4844e3e7fad64003a03341eb59d021aab845a1925a80365de

    Regards,

    André

  • I think the reason you're not seeing a path here is the way the library hpvpldrv09.dll is being loaded by AcroRd32.exe. The most common call to load a library into a process is LoadLibrary - https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175%28v=vs.85%29.aspx. I.e. you just supply a path and the module is loaded. I assume this is what's happening for the other examples on this page where the path is given and you don't see the first bytes of the module as you do here. Importantly, you also get a thumbprint generated for exclusions.

    However, the LoadLibrary mitigation must also consider, under the same umbrella, the loading of modules using what's known as reflective DLL injection. Here is a simple test app; when compiled, the exe and dll would trigger the LoadLibrary mitigation if it were a "protected" application.

    https://github.com/stephenfewer/ReflectiveDLLInjection

    In this case you don't appear to get a thumbprint, which I assume would mean the only thing to exclude/authorise this would be to add the exclusion under:
    https://cloud.sophos.com/manage/endpoint/config/settings/exploit-mitigation-exclusions

    ...which would exclude the entire process from mitigation.

    I think you would need to email support and ask if the thumbprint generation will be included in the future for all scenarios that trigger a LoadLib mitigation.  Then you would be able to exclude just this DLL being injected into the process (for LoadLib) rather than the process performing the loading.

    It is a little odd to use that technique, so it would be worth thoroughly investigating that the module loaded and the software it belongs to are legit. If you search for "reflective dll injection" on Google you'll get an idea of why I would be a little cautious.

    Jak
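Jak's point above is that the event carries the first bytes of the module instead of a path. Those bytes are a standard PE header, so they can be decoded to learn what was mapped. The following is an added example, not Sophos code and not from any poster: it parses the hex dump exactly as it appears in the AcroRd32.exe / hpvpldrv09.dll event above (copied in as constructed input), decodes the DOS, COFF and optional headers per the public PE/COFF layout, and compares the result with the event's "Heap address" and "Length" fields. Field names and the assessment thresholds are this example's own choices.

```python
"""Decode the memory dump attached to a Sophos Exploit Prevention LoadLib event.

Added example, not Sophos code. Input is the dump posted above for the
AcroRd32.exe / hpvpldrv09.dll detection; decoding follows the PE/COFF format.
"""
import struct
from datetime import datetime, timezone

# Constructed input: the dump lines copied from the event (first 0x180 bytes).
EVENT_DUMP = """\
20BB0000  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
20BB0010  B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
20BB0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
20BB0030  00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00  ................
20BB0040  0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68  ........!..L.!Th
20BB0050  69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is program canno
20BB0060  74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t be run in DOS
20BB0070  6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00  mode....$.......
20BB0080  DA 55 9C 8C 9E 34 F2 DF 9E 34 F2 DF 9E 34 F2 DF  .U...4...4...4..
20BB0090  97 4C 67 DF 80 34 F2 DF 97 4C 71 DF FA 34 F2 DF  .Lg..4...Lq..4..
20BB00A0  B9 F2 89 DF 9D 34 F2 DF 9E 34 F3 DF D5 34 F2 DF  .....4...4...4..
20BB00B0  97 4C 76 DF 4B 34 F2 DF 97 4C 60 DF 9F 34 F2 DF  .Lv.K4...L`..4..
20BB00C0  97 4C 63 DF 9F 34 F2 DF 52 69 63 68 9E 34 F2 DF  .Lc..4..Rich.4..
20BB00D0  00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00  ........PE..L...
20BB00E0  91 64 B4 4E 00 00 00 00 00 00 00 00 E0 00 02 21  .d.N...........!
20BB00F0  0B 01 09 00 00 50 06 00 00 16 01 00 00 00 00 00  .....P..........
20BB0100  E0 88 04 00 00 10 00 00 00 60 06 00 00 00 00 10  .........`......
20BB0110  00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00  ................
20BB0120  05 00 00 00 00 00 00 00 00 90 07 00 00 04 00 00  ................
20BB0130  00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00  ................
20BB0140  00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00  ................
20BB0150  A0 D9 06 00 70 00 00 00 FC D3 06 00 28 00 00 00  ....p.......(...
20BB0160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
20BB0170  00 00 00 00 00 00 00 00 00 30 07 00 D8 38 00 00  .........0...8..
"""
EVENT_LENGTH = 512 * 1024          # the "Length 512KB" field of the same event

IMAGE_FILE_DLL = 0x2000            # PE/COFF Characteristics flag
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in
MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C4: "ARM Thumb-2", 0xAA64: "ARM64"}
HEXDIGITS = set("0123456789abcdefABCDEF")


def parse_hexdump(text):
    """Turn 'ADDR  b0 .. b15  ascii' lines into (base_address, bytes).

    Only the hex column is used; the ASCII column replaces non-printables with
    dots and is not trustworthy. Non-contiguous lines are rejected."""
    base, expected, chunks = None, None, []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        addr = int(parts[0], 16)
        toks = []
        for tok in parts[1:]:                     # stop at the ASCII column
            if len(tok) == 2 and set(tok) <= HEXDIGITS and len(toks) < 16:
                toks.append(tok)
            else:
                break
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError("non-contiguous dump at %08X" % addr)
        expected = addr + len(toks)
        chunks.append(bytes(int(t, 16) for t in toks))
    return base, b"".join(chunks)


def parse_pe_headers(data):
    """Decode DOS header -> COFF header -> optional header from the dump bytes."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: region is not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                            # PE32: 32-bit ImageBase at +28
        fmt, (image_base,) = "PE32", struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                          # PE32+: 64-bit ImageBase at +24
        fmt, (image_base,) = "PE32+", struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%04X" % magic)
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)
    return {
        "e_lfanew": e_lfanew, "format": fmt,
        "machine": MACHINES.get(machine, "0x%04X" % machine),
        "sections": nsect, "timestamp": ts,
        "link_date": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "is_dll": bool(chars & IMAGE_FILE_DLL), "linker": (data[opt + 2], data[opt + 3]),
        "entry_point": entry, "image_base": image_base, "size_of_image": size_of_image,
        "subsystem": subsystem, "dll_characteristics": dllchars,
    }


def assess_loadlib_event(heap_address, region_length, hdr):
    """Relate the decoded headers to the event's 'Heap address' and 'Length'."""
    granule = 0x10000                              # Windows allocation granularity
    rounded = (hdr["size_of_image"] + granule - 1) & ~(granule - 1)
    r = {
        "relocated": heap_address != hdr["image_base"],   # not at the linked base
        "whole_image_in_region": region_length == rounded,  # one allocation holds it all
        "aslr": bool(hdr["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx": bool(hdr["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }
    r["findings"] = [
        "%s %s linked %s (linker %d.%d)" % (hdr["format"], "DLL" if hdr["is_dll"] else "EXE",
                                             hdr["link_date"], *hdr["linker"]),
        "mapped at 0x%08X, linked for 0x%08X" % (heap_address, hdr["image_base"]),
        "region 0x%X vs SizeOfImage 0x%X" % (region_length, hdr["size_of_image"]),
    ]
    return r


if __name__ == "__main__":
    base, data = parse_hexdump(EVENT_DUMP)
    hdr = parse_pe_headers(data)
    for line in assess_loadlib_event(base, EVENT_LENGTH, hdr)["findings"]:
        print(line)
```

What the dump gives you, which the event otherwise does not: a 32-bit DLL with four sections, linked in November 2011 with linker 9.0 (the Visual Studio 2008 toolchain), no ASLR or DEP opt-in flags, sitting at 0x20BB0000 although it was linked for 0x10000000, in a 512 KB region that is exactly SizeOfImage rounded up to the 64 KB allocation granularity. The link timestamp and export table RVA (0x6D9A0 at the start of the data directories) can be matched against the hpvpldrv09.dll file on disk (for example with `dumpbin /headers`) to confirm that the bytes in memory really are that vendor module and not something else carrying its name, which is the check Jak's post asks for before excluding the process.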

  • Hello Jak!

    Is adding the thumbprint to the registry the only working solution to avoid crashing Word, Acrobat, ... because of \\*.dll?

    Regards,

    Miha

  • Hi Jak

    Do you know if there is a new solution for configuring exclusions in Sophos Exploit Prevention?

    This registry key is not working stably:

    HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\

    If Sophos Exploit Prevention updates during the day, the HitmanPro.Alert WhiteThumbprints key is deleted and the HitmanPro.Alert service restarts.

    We do have trouble again and again.

    Best regards,

    André

  • Hello!

    There should soon (March) be a new version of SEC, 5.5.1, with better assistance for managing exceptions. In March there should also be a new version of HitmanPro.Alert.

    Regards

  • Hello Miha Kralj

    I am looking forward to a new solution for managing exceptions and hope it does a better job.

    Thank you,

    André

  • In Firefox ESR 52.6 x32, we do not get the loadlib error and subsequent Firefox crash. 

    In Firefox ESR 52.7 x32, we DO get the loadlib error and crash when accessing Flash content.

    In Firefox ESR 52.7 x64, we do not get the loadlib error.

    Our solution was to upgrade our machines to ESR 52.7 x64.

  • Hi everyone,

    When it comes to Exploit Mitigation, if you suspect it could be a false positive, the best way to deal with it would be to collect the details below and contact support so that they can take it forward.

    * Information on the application triggering the detection.
    * A copy of the following folder or gather all folders if multiple folders exist: C:\Windows\CryptoGuard\reverted_xxx
    * The output of the Sophos Diagnostic Utility (SDU).

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

