
'Lockdown' exploit prevented in Internet Explorer accessing Sharepoint site?

We have a couple of computers that are being blocked from a Sharepoint site with the Sophos message "'Lockdown' exploit prevented in Internet Explorer". These computers were able to access the same site yesterday. There were six Windows patches installed last night that may be contributing as some other computers where the patches haven't installed aren't experiencing the "'Lockdown' exploit prevented in Internet Explorer" block when getting to the exact same Sharepoint site.

These are the patches that were installed:

  • Cumulative security update for Internet Explorer: February 13, 2018 (KB4074736)
  • 2018-02 Security Only Quality Update for Windows 7 for x64-based Systems (KB4074587)
  • 2018-02 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4074598)
  • Security Update for Microsoft Office 2010 (KB4011707) 32-Bit Edition
  • Security Update for Microsoft Office 2010 (KB3114874) 32-Bit Edition
  • Security Update for Microsoft Outlook 2010 (KB4011711) 32-Bit Edition

I'm wondering if anyone else has encountered any issues with these patches in relation to Sharepoint and Sophos.



This thread was automatically locked due to age.
  • It appears that we are having the same problem.

  • Have had several machines reporting similar issues with a couple of websites, after Windows updates. Have raised a ticket with Sophos. For our affected devices, it was only occurring on specific websites, and only if they accessed those sites in Compatibility View.

  • I have a small org and just one user who has seen this. I also submitted a ticket. The user was able to log in to a TD Bank site but got the "boot" when trying to access parts of the site that report info. If I hear anything from them I'll let you know.

  • We were encountering problems accessing individual areas within the Sharepoint site and there was a point at which one of the users could even log in to the main project page on the Sharepoint site.

    This morning, it appears to be working. I did add a couple of global exceptions for the Lockdown block that may have corrected the issue or perhaps a main Sophos update corrected the issue. I don't know. The user was just happy that Sharepoint is working fine this morning.

  • Thanks Greg, mind pointing me in the right direction on creating that global exception?

  • Jake West said:

    Thanks Greg, mind pointing me in the right direction on creating that global exception?

     

    In Sophos Central, I went to Global Settings and then Global Scanning Exclusions. I then clicked "Add Exclusion", selected the exclusion type of "Detected Exploits (Windows)" and then checked the box next to the issue that I wanted to exclude from scanning, gave it a descriptive comment, and then clicked "Add". In our case, there were several of the "Lockdown" exploits found based on different parts of the Sharepoint site so I had to add multiple. It does appear that you can select multiple items to group them into a single exclusion.

    This creates it on Sophos Central. You then have to update the workstation client to actually apply the exclusion locally (it will do this automatically periodically).

    Again, I can't say this worked for the Sharepoint issue but has definitely worked for other false positives that we've encountered in the past.

    Greg

  • From Central:

    Endpoint Protection --> Policy --> Threat Protection --> Scanning Exclusion --> Exclusion Type ( Detected Exploit. )

     

    From there, you can select the exploit you want to exclude. This was posted by Ecrook in another thread: https://community.sophos.com/products/intercept/f/information/90287/lockdown-exploit-prevented-in-java-tm-platform-se-binary

     

    After adding the exclusion here, and updating the computer from Sophos Central, it seems to have worked. This only started happening very recently (and the fact this thread is so recent) makes it seem like an update did cause this.

  • I just had this issue happen to my phone system web management page as well. I do suspect it's related to a recent security fix to IE11 that appears to be related to ActiveX or perhaps ASP.

    Our Sharepoint access seems to be working now that I've put some exceptions in place in Sophos. 

  • I've encountered this a few times on different sites within the past week or so. I've just been adding a global exception but if it keeps reoccurring for different sites that are legitimate, it'll become a nuisance. Has anyone that submitted a ticket heard back from support?