Sophos Intercept X: Information about 'Lockdown' exploit detected on application

Disclaimer: This information is posted as-is and the content should be referenced at your own risk

Hi Community, 

This article describes information about 'Lockdown' exploit detected on application

Overview

Sophos Intercept X and Sophos Exploit Prevention provide protection against malicious scripts and code delivered by common infection vectors including; but not limited to:

  • Web Browsers
  • Office Applications
  • Email Clients

Any behaviour of this nature detected by Sophos Intercept X or Sophos Exploit Prevention is flagged as a 'Lockdown' exploit detection and the offending process will be terminated.

Some customers have encountered occasions where applications they would consider 'trusted' or legitimate have raised 'Lockdown' exploit detections.  These include; but are not limited to:

  • Web applications
  • Browser plugins
  • Office plugins
  • Email client plugins
  • Java based applications

Often, however, after investigating these purported 'false-positive' detections it has become visible that the offending applications is behaving in a way that is similar to valid exploits undertaken by true malware.  Therefore Sophos Intercept X or Exploit Prevention deem this behaviour to be malicious and take preventative action.

This article aims to help further explain this behaviour and therefore aid understanding as to when and why these detections are seen on applications that are deemed to be 'trusted' or legitimate.

The following sections are covered:

Applies to the following Sophos products and versions
Central Windows Endpoint Intercept X 2.0.12
Central Server Intercept X 2.0.8
Exploit Prevention

Further Information

The 'Lockdown' exploit mitigation protects the above vulnerable software by ensuring that they are not able to execute code.  As a rule these applications should not be in a position where they are either executing code directly or are triggering other applications to execute code.

Commonly this exploit technique is used in the below ways:

  • 'Drive-by' infection techniques from compromised websites via a web browser
  • Macro infection techniques via malicious macro-enabled Office documents (.xlsm, .docm, etc)
  • Malicious executables in email attachments

Of course this can also then trigger when a 'legitimate' executable file is triggered in a certain way either through a browser or as part of an Office plugin.

Whenever an exploit is detected by Sophos Intercept X or Exploit Prevention an alert is raised in the Windows Event Viewer logs as well as being reported to either Sophos Central or Sophos Enterprise Console.  If we take the below event as an example we can talk through the reason for the detection:

--------------------

Description:
Mitigation Lockdown
Timestamp 2020-01-14T16:31:22
Platform 10.0.14393/x64 v13 06_55*
PID 13732

Application C:\Program Files (x86)\Java\jre1.8.0_191\bin\javaw.exe

Created 2018-10-18T16:26:21
Modified 2018-10-18T16:26:21

Description Java(TM) Platform SE binary 8

Filename C:\Users\User1\Documents\xxx\abcd-ab1-imgr\shared\bin\6.7.2000.0038\file.jar;C:\Users\User1\documents\xxx\abcd-ab1-imgr\shared\bin\6.7.2000.0038\file2.jar;C:\Users\User1\Documents\xxx\abcd-ab1-imgr\shared\bin\6.7.2000.0038\file3.jar;C:\Users\User1\Documents\xxx\abcd-ab1-imgr\shared\bin\6.7.2000.0038\File4.jar;C:\Users\User1\Documents\xxx\abcd-ab1-imgr\shared\bin\6.7.2000.0038\File5.jar

Process Trace:
1 "C:\Program Files (x86)\Java\jre1.8.0_191\bin\javaw.exe" -classpath C:\Users\User1\Documents\xxx\abcd-ab1-imgr\shared\bin\6.7.2000.0038\File2.jar;C:\Users\User1\Documents\xxx\abcd-ab1-imgr\shared\bin\6.7.2000.0038\File1.jar;C:\Users\User
2 C:\Program Files (x86)\Java\jre1.8.0_191\bin\jp2launcher.exe [888]
"C:\Program Files (x86)\Java\jre1.8.0_191\bin\jp2launcher.exe" -secure -plugin -jre "C:\Program Files (x86)\Java\jre1.8.0_191" -vma LURfX2p2bV9sYXVuY2hlZD0yMDgwNDMxMjY3NTU2AC1EX19hcHBsZXRfbGF1bmNoZWQ9MjA4MDQzMTI1NzA1NgAtRHN1bi5hd3Qud2FybXVwPXRydWUALURqYXZh
3 C:\Program Files (x86)\Internet Explorer\iexplore.exe [9396]
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:540 CREDAT:82945 /prefetch:2
4 C:\Program Files\Internet Explorer\iexplore.exe [540]
5 C:\Windows\explorer.exe [15452]
6 C:\Windows\System32\userinit.exe [18368]
7 C:\Windows\System32\winlogon.exe [12396]
winlogon.exe
8 C:\Windows\System32\smss.exe [3788]
\SystemRoot\System32\smss.exe 00000118 0000007c

Thumbprint
74680541524bff3bab2a24d7798cb65563d8e61c9881a01fccce55002cd4c112
 

--------------------

In this example the user below process is occurring:

  1. The user 'User1' opens a web browser and navigates to a website hosting a Java web application
  2. The user interacts with the web application
  3. As part of the application a number of randomly named Java executables are downloaded to 'temporary' document locations on the local machine
  4. The Java web application tries to call these Java executables locally on the machine - which in turn triggers additional Java executables
  5. Sophos Intercept X / Exploit Prevention steps in to block this behaviour

Our reasoning for blocking this behaviour is that processes spawned by Internet Explorer (in this case C:\Program Files (x86)\Java\jre1.8.0_191\bin\jp2launcher.exe) should not be executing executable files and in fact the above listed behaviour is the same as that used by malware authors to infect users' machines.

The same logic applies for both Office applications and Email clients; they should not be directly spawning processes that are running executable files.  The 'Lockdown' exploit detection protects against this type of potentially malicious behaviour.

What can I do?

Customers have a number of options if they believe that they are encountering a false-positive 'Lockdown' detection.

Please Note. From a design perspective Sophos Intercept X or Exploit Prevention are working entirely as intended when it raises a 'Lockdown' exploit detection.  The behaviour being undertaken by the third party application is incredibly similar or identical to true exploit techniques undertaken by malware authors to facilitate the infection of users' machines.  Customers may wish to approach the vendors of the third-party applications to confirm that there is not:

  1. A newer version of the application that does not contain this behaviour and therefore will not trigger the detection
  2. A better or different way of configuring the application so that it does not exhibit this behaviour

If there is no option to alter the way that the application acts and the application is completely trusted by the customer then the below options are available (in order from highest to lowest security):

  1.  Exclude the detection by DetectionID or Thumbprint in Sophos Central or Sophos Enterprise Console (more information on how to do this can be found in this article)
    • This method will only work if the DetectionID or Thumbprint never changes.  This requires the behaviour to be identical every time with all file names and file paths being the same.  Any variety in file name, file path, application name or executable name will cause a new DetectionID or Thumbprint to be created
  2. Disable 'Lockdown' protection on the affected application (more information on how to do this can be found in this article)
    • This method will stop the application from being monitored for 'Lockdown' behaviour but will still maintain protection from other exploit techniques.
  3. Exclude the affected application from monitoring by Sophos Intercept X or Exploit Prevention (more information on how to do this can be found in this article)
    • This method will completely remove all exploit protection from the affected application and therefore should only be used as a last resort

Please note: The above options are available to customers, however Sophos does not suggest excluding any applications from any of our protection methods unless the application is fully trusted by the customer.  Customers excluding applications do so at their own risk.

If any guidance is required we would recommend that customers contact Sophos Support for further assistance.

Further information on all the Sophos exploit mitigation techniques can be found in the following whitepaper

Related information

 

Have an idea or suggestion regarding our Documentation, Knowledgebase, or Videos? Please visit our User Assistance forum on the Community to share your feedback!