
Exploit APCViolation - Executables including "SophosClean.exe"

community.sophos.com/.../128101

In case anyone else runs into this and is looking for answers. Since 8:00pm CST on 1-12-2018 we are receiving "APCViolation" alerts blocking all sorts of executables - explorer.exe, sophosclean.exe, svchost.exe...

According to support, this is caused by the recent update to help mitigate "... a very recent method of attack." For the machines that have this problem, roughly 100 out of 1000 machines, the only differentiator that I can tell is Netmotion VPN software. These machines are anywhere from usable with virus alert popups in the corner, to unusable with explorer constantly crashing and restarting.

I will update this when we have the issue resolved.



  • We too have been battling this issue all day today.  They say they have fixed the problem, but computers that use Netmotion are unable to access the Internet to get the update.  We have found that removing the current version of Mobility and installing the newest version fixes the issue.

  • Update - We have a resolution to our issue - just taking time to mitigate some of the severe cases.

    Sophos released an update that resolved this issue.  The issue was the APCMitigation engine in Hitmanpro was "tweaked".  The "tweak" didn't play nicely with VPN applications - this is how it was described to me, and from the machines that we had affected, would make sense.  Our VPN software is Netmotion if curious.

     

    As long as the machines were still online, they received the updated "definition" from Sophos through the updater service.  What this actually did was remove the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert APCMitigation=on".  I am still not finished with my clean up due to machines going offline - they are remote machines after all.  We did notice quite a few machines where either the VPN software or other networking related services/executables were targeted incorrectly by Sophos, so we had to touch them manually.  If this was the case, we modified the above key to "=off" per support's instructions.  NOTE - this was given as a "critical" fix from support, should not be necessary for most.

     

    Due to the insane amount of "malicious" files it incorrectly flagged, we continued to get the message pop ups regarding Sophos stopping attacks.  Turns out Sophos was only processing the tens of thousands of backlogged .json files.  We created the below script to quickly add the registry value for disabling the APCMitigation as well as deleting the backlogged notification files.

    REM Turn off the HitmanPro.Alert APC mitigation (creates the value if it does not exist yet)
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert" /t REG_SZ /v APCMitigation /d off /f
    REM Delete the backlog of queued notification files, including subfolders, without prompting
    del "c:\ProgramData\Sophos\Health\Event Store\Incoming\*.*" /s /q

     

    Please let me know if you have any questions on above.
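An added example, not from this thread or from Sophos: a PowerShell version of the same fix that first reports the current APCMitigation value and the size of the event backlog, and only changes anything when run with -Remediate, so it can be used to find which machines actually need the manual fix (the thread notes it should not be necessary for most). The registry path and event store path are the ones quoted above; the backlog threshold is an assumed value.

```powershell
# Added example (not the thread's own script). Report first, change only with -Remediate.
param(
    [switch]$Remediate,
    [int]$BacklogThreshold = 1000   # assumed: treat more than this many queued files as a backlog
)

$KeyPath   = 'HKLM:\SOFTWARE\HitmanPro.Alert'
$ValueName = 'APCMitigation'
$EventDir  = 'C:\ProgramData\Sophos\Health\Event Store\Incoming'

# Read the current mitigation setting; a missing key or value is reported, not treated as an error.
$current = $null
if (Test-Path $KeyPath) {
    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}
$shown = if ($null -eq $current) { '<not set>' } else { $current }
Write-Output ("{0}\{1} = {2}" -f $KeyPath, $ValueName, $shown)

# Count the queued notification files instead of deleting blindly.
$backlog = @()
if (Test-Path $EventDir) {
    $backlog = @(Get-ChildItem -Path $EventDir -Recurse -File -ErrorAction SilentlyContinue)
}
Write-Output ("Queued event files: {0}" -f $backlog.Count)

if (-not $Remediate) {
    Write-Output 'Report only. Re-run with -Remediate to apply the fix described in the thread.'
    return
}

# Apply the thread's fix: APCMitigation=off, then clear the queued notifications if there is a backlog.
if ($current -ne 'off') {
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType String -Value 'off' -Force | Out-Null
    Write-Output "Set $ValueName=off"
}
if ($backlog.Count -gt $BacklogThreshold) {
    $backlog | Remove-Item -Force -ErrorAction SilentlyContinue
    Write-Output ("Removed {0} queued event files" -f $backlog.Count)
}
```

Run it from an elevated prompt; without -Remediate it only prints the two values, which is enough to decide whether a machine needs the key pushed.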

  • Tony - thanks for the tip!  What version was installed, what version did you go to?  We are currently on 10.72.56065 (apologies went off memory, this is the corrected version number) - we did not try updating versions, but in our case, thankfully we did not need to.

     

    Also - see my reply above, you may want to try pushing the key I mentioned and rebooting.  That was all we needed to get them back online.

  • Sorry, long day.  We were on 10.72 and we updated to 11.31.  The problem we have had and are still having is trying to get the old version uninstalled.  We have successfully run the office cleaner tool from a command line to remove the old version.  Just running the new version upgrade does not work, as Explorer keeps restarting.

  • Thanks for that script.  It is working for us as well from a thumb drive.  Then we can more easily deploy the new version of Mobility via SCCM.