
Sophos Central / Intercept X and Skype for Business

Hey there,

 

We have some major issues while using Sophos Central Endpoint / Intercept X and Skype for Business. Every time someone wants to start a video call, our SfB client crashes. There is no entry in the Sophos event log that something blocks SfB or that something isn't permitted. SfB calls without video don't cause any errors or crashes. If we uninstall the Sophos agent, everything is fine.

Does someone have similar problems and maybe a practical solution for this problem?

 



  • Hi,

    Have you narrowed it down to a specific option in the policy? 

    For example, in the "Threat Protection" part of the user policy, if you disable the section "Mitigate exploits in vulnerable applications" does that help? 

    More specifically for Lync/Skype, if you go in Sophos Central to "System Settings" - "Exploit Mitigation Exclusions" and add Skype/Lync.exe, does this help?

    Is it a mitigation problem?  If so, which mitigations specifically?  That can be tested using the registry on the client and restarting the Hitman Pro alert service.

    I assume the process crashing is Lync.exe? If so, that is classified as "Other". Under the key hklm\software\hitmanpro.alert there is a "_Profiles_" key, under which (if "Mitigate exploits in vulnerable applications" is enabled) you should see an "Other" key; this is the mitigation config for applications of type "Other". There is a dword entry for each of the mitigations. I assume an entry such as DEP is set to 1. If you change this to 0 and restart the Hitman Pro alert service, does that help?

    Out of interest, if you run Process Monitor (https://technet.microsoft.com/en-US/sysinternals/processmonitor.aspx) when you load and then attempt to launch a video call, you should see all the "Load Image" operations - filter as required to make them easier to find. Do you see a Load Image for ...\Intel\Media SDK\mfx_mft_mjpgvd_32.dll? If so, do you also see a query to this key:

    HKCR\WOW6432Node\MediaFoundation\Transforms\00c69f81-0524-48c0-a353-4dd9d54f9a6e\MFTFlags               

    and if so, what is the value?  Does it help to change it to say 3?

    Regards,

    Jak

     

     

     

  • Hi Jak,

     

    Thanks for the fast response; the second answer was the solution. Too easy ^^

     

    Regards,

     

    Ecrook

  • Glad that helped and provides a simple workaround for the short term.  I guess excluding the application is not ideal as it would be good to be protected.

    Maybe if you get some time in the future to explore the specific settings or try the other things I mentioned please shout.

    Regards,

    Jak

  • Hi Ecrook,

     

    What specifically did you do? I am having the same issue.

  • I assume in Sophos Central - "System Settings" - "Exploit Mitigation Exclusions" and added Skype/Lync.exe.

    It would be interesting to know if media foundation transforms are related here.

    If you run Process Monitor, set up a filter for Process Name is Lync.exe or Skype.exe (depending on the process crashing), and look at the "Load Image" operations before the crash, does mfx_mft_mjpgvd_32.dll get loaded?

    If so, does changing HKCR\WOW6432Node\MediaFoundation\Transforms\00c69f81-0524-48c0-a353-4dd9d54f9a6e\MFTFlags from what I assume is 6 to, say, 3 help?

    Is it a certain type of computer, manufacturer, model number with the issue?  Certain graphics cards for example?

    Regards,

    Jak 

