
Sophos Central / Intercept X and Skype for Business

Hey there,

We have some major issues while using Sophos Central Endpoint / Intercept X and Skype for Business. Every time someone wants to start a video call, our SfB client crashes. There is no entry in the Sophos event log saying that something blocks SfB or that something isn't permitted. SfB calls without video don't cause any errors or crashes. If we uninstall the Sophos agent, everything is fine.

Does someone have similar problems and maybe a practical solution for this problem?

  • Hi,

    Have you narrowed it down to a specific option in the policy? 

    For example, in the "Threat Protection" part of the user policy, if you disable the section "Mitigate exploits in vulnerable applications" does that help? 

    More specifically to Lync/Skype, if you go in Sophos Central to "System Settings" - "Exploit Mitigation Exclusions" and add Skype/Lync.exe, does this help?

    Is it a mitigation problem?  If so, which mitigations specifically?  That can be tested using the registry on the client and restarting the Hitman Pro alert service.

    I assume the process crashing is Lync.exe?  If so, that is classified as "Other". Under the key hklm\software\hitmanpro.alert there is a "_Profiles_" key, under which (if "Mitigate exploits in vulnerable applications" is enabled) you should see an "Other" key; this is the mitigation config for applications of type "Other". There is a dword entry for each of the mitigations.  I assume an entry such as DEP is set to 1.  If you change this to 0 and restart the Hitman Pro alert service, does that help?

    Out of interest, if you run Process Monitor (https://technet.microsoft.com/en-US/sysinternals/processmonitor.aspx) when you load and then attempt to launch a video call, you should see all the "Load Image" operations - filter as required to make them easier to find.  Do you see a Load Image for ...\Intel\Media SDK\mfx_mft_mjpgvd_32.dll?  If so, do you also see a query to this key:

    HKCR\WOW6432Node\MediaFoundation\Transforms\00c69f81-0524-48c0-a353-4dd9d54f9a6e\MFTFlags

    and if so, what is the value?  Does it help to change it to, say, 3?

    Regards,

    Jak

  • Hi Jak,

    This worked perfectly! We have rolled this out as a registry fix. Will this be reported to the devs and updated in the next build of Sophos?

    Thanks

  • I had a call with Sophos Support about this problem and they already know about it.

  • But are they going to add a fix? 

  • Maybe in the future, but I don't think so.
    It's a problem between SfB and Hitman Pro Alert and it isn't such a trivial problem. They made the workaround with the possibility of Exploit Mitigation Exclusions, and it sounds like this is their answer. I also asked our SfB expert and he confirmed that SfB can be a bastard for such tools because of the complex network structure.

  • Hmm... While I agree with everything you say, that is not really an acceptable answer. I am not making an exception for Skype for Business. All my software should be protected at all times.

    SfB is a terrible application, but unfortunately it is something we can no longer go without.

    I think the devs need to look at SfB and recode it accordingly. Yes, it is a graphics card problem, as the DLL that flags up links to the Intel HD graphics drivers, which update all the time, but they just need to add that to HitmanPro's database.

    Unless I can add that specific DLL to Exploit Mitigation Exclusions?

  • I agree, that wasn't the answer I wanted to hear. It sounds more like "It's not our fault, it's the fault of MS".

    No, you can only add preconfigured applications in the Exclusion.