Sophos Central / Intercept X and Skype for Business

Hi,

Have you narrowed it down to a specific option in the policy? 

For example, in the "Threat Protection" part of the user policy, if you disable the section "Mitigate exploits in vulnerable applications" does that help? 

More specifically to Lync/Skype, if you go to in Sophos Central: "System Settings" - "Exploit Mitigation Exclusions" and add Skype/Lync.exe does this help?

Is it a mitigation problem?  If so, which mitigations specifically?  That can be tested using the registry on the client and restarting the Hitman Pro alert service.

I assume the process crashing is Lync.exe?  If so, that is classified as "Other". Under the key hklm\software\hitmanpro.alert there is a "_Profiles_" key, under which (if "Mitigate exploits in vulnerable applications" is enabled) you should see an "Other" key, this is the mitigation config for applications of Type "Other". There is a dword entry for each of the mitigations.  I assume entry such as DEP is set to 1.  If you change this to 0 and restart the Hitman Pro alert service does that help?

Out of interest. If you run Process Monitor (https://technet.microsoft.com/en-US/sysinternals/processmonitor.aspx) when you load and then attempt to launch a video call.  You should see all the "Load Image" operations - filter as required to make them easier to find.  Do you see a Load Image for ...\Intel\Media SDK\mfx_mft_mjpgvd_32.dll.  If so do you also see a query to this key:

HKCR\WOW6432Node\MediaFoundation\Transforms\00c69f81-0524-48c0-a353-4dd9d54f9a6e\MFTFlags               

and if so, what is the value?  Does it help to change it to say 3?

Regards,

Jak

Hi Jak,

Thx for the fast Response and the second Answer was the Solution. To easy ^^

Regards,

Ecrook

Hi Jak,

Thx for the fast Response and the second Answer was the Solution. To easy ^^

Regards,

Ecrook

Glad that helped and provides a simple workaround for the short term.  I guess excluding the application is not ideal as it would be good to be protected.

Maybe if you get some time in the future to explore the specific settings or try the other things I mentioned please shout.

Regards,

Jak

Hi Ecrook,

What specifically did you do? I am having the same issue.

I assume in Sophos Central - "System Settings" - "Exploit Mitigation Exclusions" and added Skype/Lync.exe.

It would be interesting to know if media foundation transforms are related here.

If you run Process Monitor, set up a filter for Process Name is Lync.exe or Skype.exe (depending on the process crashing), and look and the "Load Image" operations, before the crash, does mfx_mft_mjpgvd_32.dll get loaded?  

If so, does changing HKCR\WOW6432Node\MediaFoundation\Transforms\00c69f81-0524-48c0-a353-4dd9d54f9a6e\MFTFlags from what I assume is 6 to say 3?

Is it a certain type of computer, manufacturer, model number with the issue?  Certain graphics cards for example?

Regards,

Jak 

As Jak said. System Settings --> Exploit Mitigation Exclusion. There is a Button called Add Exclusion and then you can Select SfB from a Dropdown Field. That works for me as a Workaround.

Thx for help and Yes this can only be a Workaround. I will dig deeper when i have the time for.

Hi

We also have the same issue but it seems to be only affecting pcs that have windows 10 installed . I did originally put SFB in the exclude list ,  found that it worked . I have now removed the exclude and changed the entry into the registry hkey_classes_rootWOW6432Node\MediaFoundation\Transforms\00c69f81-0524-48c0-a353-4dd9d54f9a6e\MFTFlags  mine was set to 6 changed to 3 all working . 

I am going to have a look at the other affected hardware that have the issue . Hp, Lenovo & several surface pros see if they where set to 6

Tim

I can only assume that those flag relate to this:
https://msdn.microsoft.com/en-us/library/windows/desktop/dd389302(v=vs.85).aspx

Do you see the same DLL being loaded: \Intel\Media SDK\mfx_mft_mjpgvd_32.dl?  

Regards,
Jak

Thank you!

I added it to the exception and it didn't work.

I used procmon and the dll is loaded.

Changing the MFT from 6 to 3 fixed the issue.