
Sophos Central / Intercept X and Skype for Business

Hey there,

 

We have some major issues while using Sophos Central Endpoint / Intercept X and Skype for Business. Every time someone wants to start a video call our SfB client crashes. There is no entry in the Sophos event log that something blocks SfB or that something isn't permitted. SfB calls without video don't cause any errors or crashes. If we uninstall the Sophos agent everything is fine.

Does someone have similar problems and maybe a practical solution for this problem?

 



  • Hi,

    Have you narrowed it down to a specific option in the policy? 

    For example, in the "Threat Protection" part of the user policy, if you disable the section "Mitigate exploits in vulnerable applications" does that help? 

    More specifically to Lync/Skype, if you go in Sophos Central to "System Settings" - "Exploit Mitigation Exclusions" and add Skype/Lync.exe, does this help?

    Is it a mitigation problem?  If so, which mitigations specifically?  That can be tested using the registry on the client and restarting the Hitman Pro alert service.

    I assume the process crashing is Lync.exe?  If so, that is classified as "Other". Under the key hklm\software\hitmanpro.alert there is a "_Profiles_" key, under which (if "Mitigate exploits in vulnerable applications" is enabled) you should see an "Other" key; this is the mitigation config for applications of type "Other". There is a dword entry for each of the mitigations.  I assume an entry such as DEP is set to 1.  If you change this to 0 and restart the Hitman Pro alert service, does that help?

    Out of interest, if you run Process Monitor (https://technet.microsoft.com/en-US/sysinternals/processmonitor.aspx) when you load and then attempt to launch a video call, you should see all the "Load Image" operations - filter as required to make them easier to find.  Do you see a Load Image for ...\Intel\Media SDK\mfx_mft_mjpgvd_32.dll?  If so, do you also see a query to this key:

    HKCR\WOW6432Node\MediaFoundation\Transforms\00c69f81-0524-48c0-a353-4dd9d54f9a6e\MFTFlags               

    and if so, what is the value?  Does it help to change it to say 3?

    Regards,

    Jak
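
A read-only way to record the values asked about in the reply above before changing any of them, so that a fix can be tied to one specific mitigation and every change reverted afterwards. This is an added example, not code from the thread or from Sophos; the key paths are as written in the reply, and the baseline file name is an assumption.

```powershell
# Added example: read-only snapshot of the registry values named in the reply above.
# Key paths are as written in the post; the baseline file name is an assumption.
$profileKey = 'HKLM:\SOFTWARE\HitmanPro.Alert\_Profiles_\Other'
$mftKey     = 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\MediaFoundation\Transforms\' +
              '00c69f81-0524-48c0-a353-4dd9d54f9a6e'
$baseline   = Join-Path $env:TEMP 'hmpa-other-baseline.csv'

function Get-RegistryDwords {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not found: $Path"
        return
    }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValueKind($name) -eq [Microsoft.Win32.RegistryValueKind]::DWord) {
            # Values are stored as strings so they compare cleanly with Import-Csv output.
            [pscustomobject]@{ Key = $Path; Name = $name; Value = [string]$key.GetValue($name) }
        }
    }
}

# One row per mitigation DWORD in the "Other" profile, plus MFTFlags if present.
$current  = @(Get-RegistryDwords -Path $profileKey)
$current += @(Get-RegistryDwords -Path $mftKey | Where-Object { $_.Name -eq 'MFTFlags' })

if ($current.Count -eq 0) {
    Write-Warning 'No values found; nothing recorded.'
    return
}

if (-not (Test-Path -LiteralPath $baseline)) {
    # First run: record the untouched state so every later change can be reverted.
    $current | Export-Csv -LiteralPath $baseline -NoTypeInformation
    $current | Format-Table -AutoSize
} else {
    # Later runs: list only the values that differ from the recorded baseline.
    $before = @(Import-Csv -LiteralPath $baseline)
    Compare-Object -ReferenceObject $before -DifferenceObject $current -Property Key, Name, Value |
        Select-Object Name, Value,
            @{ n = 'State'; e = { if ($_.SideIndicator -eq '<=') { 'baseline' } else { 'current' } } } |
        Sort-Object Name, State | Format-Table -AutoSize
}
```

Run it once before touching anything, then again after each single change; any row still listed as differing from the baseline when testing is finished is a protection setting that has not been restored.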

     

     

     

  • Hi 

    Company recently started using Skype for Business and, as we already use Sophos Central and Intercept X, started getting this issue starting up video calls. For the most part we'd only seen this on HP laptops, so links to the video driver in use seem to be relevant.

    During testing we played with the admin settings and overrides, and found that with Runtime Protection options off we still got the issue, but with all options overridden video calls would start, and as long as the Skype app wasn't restarted they would still work when everything was turned back on, which points to the files/keys mentioned being accessed then "protected" by Sophos as the root cause.

    As per the above advice I added Skype for Business to the Exploit Mitigation Exclusions; this worked for us.

    I'd rather we didn't have such a glaring hole in the protection but as it's our standard IM client globally and this "fixed" the problem it may have to remain as such. Hopefully our other layers of protection cover us.
