
Suddenly flooded with "Policy non-compliance: Exploit Detection" alerts

Hi, over the last couple of days we're getting flooded with alerts for "Policy non-compliance: Exploit Detection". There seems to be some pattern, inasmuch as the client receives an update, reports it as compliant, then some time later reports it's non-compliant. Example below:

May 25, 2018 10:27 AM Policy non-compliance: Exploit Detection

May 25, 2018 9:33 AM Policy in compliance: Exploit Detection

May 25, 2018 9:32 AM Update succeeded

They are currently running version 10.8.1 VE3.72.1

Does anyone have any ideas why this has just started happening?

Many thanks.

  • Hi Andy,

    Have there been any specific changes/updates (including any exclusion changes) since the problem started?

    Is it happening on multiple OSs or a particular one?
    How many machines are affected?
    What are the versions of the Sophos Components and Intercept X installed on the system?

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Hi Barb,

    We added an exploit mitigation exclusion for Java a couple of weeks ago and the messages seem to have started a few days after that.

    We are only running Windows 7 (x86 and x64) here.

    Core Agent 2.0.3
    Endpoint Advanced 10.8.1.2
    Intercept X 2.0.3

    Best Regards,

    Andy.

  • Hi Andy,

    Are these messages still appearing non-stop, or did they just show up once per device after the changes were made?
    Please have a look at the "What to Do" section of the article below:

    Policy non-compliance: [Component] message displayed in the Sophos Central Admin

    Have the machines been updated/restarted since the policy changes went through? If not, could you please test forcing a Sophos update on a few of them, and rebooting, to see if that alleviates the issue?

    Otherwise, for testing purposes, can you confirm whether removing the Java exception changes this behavior at all? (As in, does the message go away after removing the exception?)

    One more question if I may: are there multiple policies including this Java exclusion (or multiple paths for the exclusion itself)?

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support

  • They still appear after a machine has been restarted. The common sequence is:

    May 30, 2018 1:30 PM Policy non-compliance: Exploit Detection

    May 30, 2018 1:01 PM Policy in compliance: Exploit Detection

    May 30, 2018 1:00 PM Update succeeded

    I really can't remove this exploit mitigation exception: something in the latest version of the Sophos client is breaking a web site that is mission critical here. There is nothing defined in a policy that excludes Java; it is set as a global exception.

  • Just to confirm, on this particular PC I have just started it up and have the following sequence:

    Jun 1, 2018 9:11 AM Policy non-compliance: Exploit Detection

    Jun 1, 2018 9:01 AM Policy in compliance: Exploit Detection

    Jun 1, 2018 8:59 AM Update succeeded
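The two event sequences quoted in this thread (update succeeded, then "in compliance", then "non-compliance" some minutes later) are easy to spot by eye on one machine but tedious across a fleet. The script below is an added example, not code from the thread or from Sophos: it parses event lines in exactly the timestamped form quoted above (an assumption; a real Sophos Central export will have its own columns) and reports every "update, compliant, then non-compliant" flap for a component within a configurable window. The sample lines are constructed to mirror the thread's sequences plus one healthy update that should not be flagged.

```python
from datetime import datetime

# Constructed sample, mirroring the sequences quoted in the thread (not a real export).
# Lines are deliberately out of order to show that the parser sorts them first.
SAMPLE_EVENTS = """\
May 30, 2018 1:30 PM Policy non-compliance: Exploit Detection
May 30, 2018 1:01 PM Policy in compliance: Exploit Detection
May 30, 2018 1:00 PM Update succeeded
Jun 1, 2018 9:11 AM Policy non-compliance: Exploit Detection
Jun 1, 2018 9:01 AM Policy in compliance: Exploit Detection
Jun 1, 2018 8:59 AM Update succeeded
Jun 1, 2018 2:00 PM Update succeeded
Jun 1, 2018 2:02 PM Policy in compliance: Exploit Detection
"""

# Assumed timestamp layout: "May 30, 2018 1:30 PM" (month day, year hour:minute AM/PM)
TIMESTAMP_FORMAT = "%b %d, %Y %I:%M %p"


def parse_event(line):
    """Split one event line into (datetime, message); return None for lines that do not parse."""
    parts = line.strip().split(" ", 5)
    # Expected: ['May', '30,', '2018', '1:30', 'PM', 'Policy non-compliance: Exploit Detection']
    if len(parts) < 6:
        return None
    try:
        when = datetime.strptime(" ".join(parts[:5]), TIMESTAMP_FORMAT)
    except ValueError:
        return None
    return when, parts[5]


def find_compliance_flaps(lines, component="Exploit Detection", window_minutes=60):
    """Return one record per 'Update succeeded -> in compliance -> non-compliance' sequence.

    A flap is only reported when the non-compliance event follows the compliance event that
    itself followed the most recent update, and within window_minutes of that compliance event.
    An update that stays compliant produces no record.
    """
    compliant_msg = f"Policy in compliance: {component}"
    non_compliant_msg = f"Policy non-compliance: {component}"

    events = sorted(e for e in (parse_event(l) for l in lines) if e is not None)
    flaps = []
    last_update = None
    last_compliant = None
    for when, message in events:
        if message == "Update succeeded":
            last_update, last_compliant = when, None
        elif message == compliant_msg:
            last_compliant = when
        elif message == non_compliant_msg:
            if (last_update is not None and last_compliant is not None
                    and last_update <= last_compliant <= when
                    and (when - last_compliant).total_seconds() <= window_minutes * 60):
                flaps.append({
                    "update": last_update,
                    "compliant": last_compliant,
                    "non_compliant": when,
                    "minutes_after_compliance": (when - last_compliant).total_seconds() / 60,
                })
            last_compliant = None  # reset so the same pair is not reported twice
    return flaps


if __name__ == "__main__":
    for flap in find_compliance_flaps(SAMPLE_EVENTS.splitlines()):
        print(f"update {flap['update']:%Y-%m-%d %H:%M} -> compliant {flap['compliant']:%H:%M} "
              f"-> non-compliant {flap['non_compliant']:%H:%M} "
              f"({flap['minutes_after_compliance']:.0f} min later)")
```

On the sample this reports the two flaps from the thread (29 and 10 minutes after compliance) and ignores the healthy update. Pointing it at a per-device event export, and comparing the flap timestamps with when the global Java exploit mitigation exclusion was added, is the quickest way to confirm or rule out the correlation Andy describes before opening a support case.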