Intercept X locking up machines it is installed on.

We currently use Kaspersky as our AV and have added on just the Sophos Intercept X application. As soon as we rolled out Intercept X we noticed 30 or so of the machines having nothing but issues running applications and saving to the network. Once I-X was removed the machines worked just fine. I have noticed in the registry there are profiles for EXEs and applications (HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\). When running applications we have noticed the machine reporting IAF exploit errors on the applications, and these are files known to be OK or associated with the application they are running.

As for the option "Exploit Mitigation Exclusions": is there a way that we can manually create the registry keys to exclude the application from being blocked at execution? There is a prepopulated list of apps Sophos had, but there are a large number we use that would need to be added, and I don't know how long support would take to actually take action.

  • For detected exploits you want to authorize, under:

    https://cloud.sophos.com/manage/config/settings/scanning-exclusions (can also be in the individual threat policies, rather than global)

    ...you can add exclusions of type "Detected Exploits". When sent down to the endpoint, this essentially creates/populates the registry value WhiteThumbprints under HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\. These are the same thumbprint values as the value in the 911 Application EventID for the detection.

    You can prevent applications from being monitored for all mitigations by using the exclusions here:

    https://cloud.sophos.com/manage/config/settings/exploit-mitigation-exclusions

    This sets the profile for the application to Exclude as you can see in the registry.

    I assume that if you remove Kaspersky from the client you don't see the issue either?

    Regards,

    Jak

  • In reply to jak:

    Jak, how do I add applications to the Exploit Mitigation Exclusions list? Where do I need to make that request, and how long is the ETA on being pushed out?

  • In reply to kris petrov:

    The links I provided should take you to the relevant sections in Sophos Central once you have logged in.

    The clients should pick up the change in under 1 minute.

    Regards,

    Jak

  • In reply to jak:

    The application list does not have the applications I want to exclude. They are CAD applications; the default Sophos list only has 30-40 applications you can choose from.

  • In reply to kris petrov:

    Are you getting IAF exploit detections?

    In the Windows Event Log (Application) on one of these clients, do you have event ID 911 for them?

    If so, do they have a thumbprint value in the event details?
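Jak's earlier reply describes the mechanism (a "Detected Exploits" exclusion populates WhiteThumbprints under HKLM\SOFTWARE\HitmanPro.Alert\ with the same thumbprint that appears in the Application Event ID 911), and his last reply asks the poster to go and look for those events. The script below is an added example, not from this thread or from Sophos, that collects the 911 events on a client and reports which thumbprints are already authorised in that registry value; it only reads, so the exclusions themselves still go in through Sophos Central. The exact message layout of a 911 event (a "Thumbprint:" field) and the value type of WhiteThumbprints (REG_SZ or REG_MULTI_SZ) are assumptions; adjust the regex to what your events actually show.

```powershell
# Added example (not from the thread or from Sophos): list detections recorded
# as Application Event ID 911 and check each thumbprint against the
# WhiteThumbprints value that a "Detected Exploits" exclusion populates.
# Run in an elevated PowerShell session on an affected client. Read-only.
#
# Assumptions (not confirmed by the thread): the 911 message text contains a
# line like "Thumbprint: <hex>", and WhiteThumbprints holds one thumbprint per
# entry (REG_MULTI_SZ) or several separated by ; , or whitespace (REG_SZ).

$RegPath = 'HKLM:\SOFTWARE\HitmanPro.Alert'

# Read the authorised thumbprints; tolerate the key or value being absent.
$white = @()
$item = Get-ItemProperty -Path $RegPath -Name 'WhiteThumbprints' -ErrorAction SilentlyContinue
if ($item) {
    $white = @($item.WhiteThumbprints) |
        ForEach-Object { $_ -split '[;,\s]+' } |
        Where-Object { $_ } |
        ForEach-Object { $_.ToUpperInvariant() }
}

# Pull the 911 events from the Application log (most recent first).
# Get-WinEvent raises a non-terminating error when none exist; suppress it.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 911 } -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Assumed message format; change the pattern to match your 911 events.
    $m = [regex]::Match($e.Message, 'Thumbprint:\s*([0-9A-Fa-f]+)')
    if (-not $m.Success) { continue }
    $tp = $m.Groups[1].Value.ToUpperInvariant()
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Thumbprint = $tp
        Authorised = ($white -contains $tp)
        # Keep the first message line so each thumbprint can be reviewed
        # against the process/file the event names before it is excluded.
        Summary    = ($e.Message -split "`r?`n")[0]
    }
}

# One row per distinct thumbprint; rows with Authorised = False are the
# detections that still have no matching "Detected Exploits" exclusion.
$report | Sort-Object Thumbprint -Unique | Format-Table -AutoSize
```

Unauthorised rows are candidates for a "Detected Exploits" exclusion in Sophos Central, after confirming the process and file in the event summary are the expected CAD application rather than something else loaded into it.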