
'Lockdown' exploit prevented in Internet Explorer

While viewing a report generated from a website, the user right-clicks the report and chooses Export to Excel, at which point Sophos rides to the rescue and prevents the action from taking place with the following message - 'Lockdown' exploit prevented in Internet Explorer

Where can I set an exception to prevent Sophos from stopping legitimate actions?

I've set an Exploit Mitigation Exclusion for Internet Explorer along with an Override on the website URL. Neither resolved the issue.

Thanks,

Roger



  • Can you post the event log entry for the event?  App Event log - 911 - Does it have a thumbprint?  Is it the same each time?

    If so under:

    https://cloud.sophos.com/manage/config/settings/scanning-exclusions

    (or the user policy)

    You can set the Type as detected exploits and you should see the alert.

    Regards,

    Jak

  • Jak, thank you for the response.

    From the Sophos event log this is all I have - 

    Aug 9, 2017 8:39 AM 'Lockdown' exploit prevented in Internet Explorer
    Aug 9, 2017 8:27 AM Update succeeded
    Aug 9, 2017 8:26 AM 'Lockdown' exploit prevented in Internet Explorer
    Aug 9, 2017 8:11 AM 'Lockdown' exploit prevented in Internet Explorer
    Aug 9, 2017 8:10 AM 'Lockdown' exploit prevented in Internet Explorer
    Aug 9, 2017 8:08 AM 'Lockdown' exploit prevented in Internet Explorer
    Aug 9, 2017 8:04 AM 'Lockdown' exploit prevented in Internet Explorer

    I have not identified a thumbprint. 

    I am not able to troubleshoot this further as the Internet access at that site is down at this time.

  • It would need to be the Application Event log on the client that has the verbose details -  eventvwr.

    That said, do you see the Lockdown alert under:
    https://cloud.sophos.com/manage/config/settings/scanning-exclusions

    When you click "Add Exclusion" and then "Detected Exploits (Windows)"?  

    If there is an entry in there it would have a thumbprint, as that's what is sent down to the client to make the exclusion.  I'd be interested to know if the thumbprint is the same for each detection.

  • Jak,

    Sadly, the Application Log for Sophos was not enabled, so I have nothing to report.

    I was able to circumvent Sophos' interference by disabling Web Control and Exploit Mitigation at the client. Now this morning, with logging enabled and the previously mentioned controls re-enabled, I cannot recreate the "problem".

    Thank you for your assistance in this matter.

    Roger

  • Hi Jak,

    When you click "Add Exclusion" and then "Detected Exploits (Windows)"?   I added the exclusion that it found for my user; however, it continues to block me from right-clicking and sending to Excel.

    Mitigation Lockdown

     

    Platform 6.1.7601/x64 v593 06_3c

    PID 6964

    Application C:\Program Files (x86)\Internet Explorer\iexplore.exe

    Description Internet Explorer 11

     

    VBScript God Mode

    res://C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE/3000

     

    Process Trace

    1 C:\Program Files (x86)\Internet Explorer\iexplore.exe [6964]

    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6240 CREDAT:603206 /prefetch:2

    2 C:\Program Files\Internet Explorer\iexplore.exe [6240]

    3 C:\Windows\explorer.exe [5324]

    4 C:\Windows\System32\userinit.exe [5136]

    5 C:\Windows\System32\winlogon.exe [680]

    winlogon.exe

     

    Thumbprint

    853af4482bf803db2e85cb4f8138d2e107fdd973f7b7b1d7e1e4bb483a22c5eb

     

    The thumbprint is the same every time for my workstation; it's affecting all of our users.

    Regards

    Mat

  • If you made the exemption, did the thumbprint, i.e. 853af4482bf803db2e85cb4f8138d2e107fdd973f7b7b1d7e1e4bb483a22c5eb, make it to the client's registry, and has the process been restarted?

    The key in question is: "WhiteThumbprints" which is a multi-string under: HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\

    Regards,

    Jak
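    An added check (not from this thread or from Sophos) that verifies on the client whether a given thumbprint has reached the WhiteThumbprints multi-string Jak names above, and cross-references it against recent detections in the Application event log. The registry path and value name are as described in the reply; the event ID 911 filter is taken from the thread, and the event message layout is an assumption, so the thumbprint is pulled out with a generic 64-hex-character match.

```powershell
# Added example: confirm a Sophos Central exploit exclusion (thumbprint) has been
# delivered to the client's HitmanPro.Alert whitelist. Registry location as given
# in the thread; the event message format is an assumption.
param(
    # Thumbprint taken from the detection quoted in the thread
    [string]$ExpectedThumbprint = '853af4482bf803db2e85cb4f8138d2e107fdd973f7b7b1d7e1e4bb483a22c5eb'
)

$regPath   = 'HKLM:\SOFTWARE\HitmanPro.Alert'
$valueName = 'WhiteThumbprints'

# Read the multi-string value; a missing key or value yields an empty list.
$whitelisted = @()
try {
    $whitelisted = @((Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction Stop).$valueName)
} catch {
    Write-Warning "Could not read $regPath\$valueName : $($_.Exception.Message)"
}

Write-Host "Thumbprints currently whitelisted on this client: $($whitelisted.Count)"
$whitelisted | ForEach-Object { Write-Host "  $_" }

if ($whitelisted -contains $ExpectedThumbprint) {
    Write-Host "OK: expected thumbprint is present; restart the protected process (iexplore.exe) so it is applied."
} else {
    Write-Host "MISSING: expected thumbprint has not been delivered to this client yet."
}

# Cross-check against recent mitigation events in the Application log (ID 911 per the thread).
# Assumption: the event text contains the 64-hex-character thumbprint somewhere in its body.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 911 } -MaxEvents 50 -ErrorAction SilentlyContinue
$seen = @{}
foreach ($e in $events) {
    if ($e.Message -match '(?i)\b([0-9a-f]{64})\b') {
        $tp = $Matches[1].ToLower()
        $seen[$tp] = 1 + [int]$seen[$tp]
    }
}
foreach ($tp in $seen.Keys) {
    # A thumbprint that keeps changing between detections cannot be excluded by a single entry.
    $state = if ($whitelisted -contains $tp) { 'whitelisted' } else { 'NOT whitelisted' }
    Write-Host ("{0}  seen {1}x  {2}" -f $tp, $seen[$tp], $state)
}
```

Run it in an elevated PowerShell on the affected client; a thumbprint that shows as seen but not whitelisted means the exclusion has not synced, while several distinct thumbprints for the same alert name point at the multiple-entries situation discussed later in the thread.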

  • Hi Jak,

    No, it doesn't look like that thumbprint has made it into the client registry.

    I only have these two entries:

    00a27ed0dfb133cdc19b13ecbc051e7bef44d8b8454128fe246fc1b71808e8f3
    6c59de45289a66eaa0296ecf68ae56d0ccd83bd10b04d4609a35bbad5ab4961b

    I have even restarted my PC but it doesn't look like it's being picked up.

    Regards

     

    Mat

  • Are there multiple entries for this alert in the exclusion dialog?

    If you go to:

    https://cloud.sophos.com/manage/config/settings/scanning-exclusions

    Click "Add exclusion" then select: "Detected Exploits (Windows)", if you scroll down the list of alerts, do you maybe have multiple alerts for:

    'Lockdown' exploit prevented in Internet Explorer?

    Under the covers, each one of these will have a different thumbprint.

    To look under the covers, when you visit this page, with the Developer Tools (F12) of the browser open, you can see the returned JSON that feeds the list:

    API call is to this URL: https://dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com/api/hmpa/events?limit=50&offset=0

     

    Here you can see the thumbprint value to be sure.

    Regards,

    Jak

     

  • Hi Jak,

    The thumbprint doesn't seem to appear anywhere in Sophos Central for the issue with sending to Excel.

    This is the only thing under my name:

    "location":"9XBGZ72","id":"3808809b-730b-4080-9f8e-760724e3fe95","count":1,"when":"2017-07-21T13:40:45.000Z","thumbprint":"00a27ed0dfb133cdc19b13ecbc051e7bef44d8b8454128fe246fc1b71808e8f3","name":"'Lockdown' exploit prevented in Internet Explorer","source":"Matthew Feasey"}

    We also have another issue where the thumbprint constantly changes.

     

    Mitigation Lockdown

     

    Platform 6.1.7601/x64 v593 06_3c

    PID 5316

    Application C:\Windows\SysWOW64\cmd.exe

    Description Windows Command Processor 6.1

     

    Filename C:\Users\MC0255\AppData\Local\Temp\.wsmp\20170906WartaClaim Correspondence.msg

    Created By C:\Program Files (x86)\Java\jre1.8.0_144\bin\jp2launcher.exe

     

    Command line:

    "C:\Users\MC0255\AppData\Local\Temp\.wsmp\20170906WartaClaim Correspondence.msg"

     

    Process Trace

    1 C:\Windows\SysWOW64\cmd.exe [5316]

    "cmd" /c "start "Worksite" "C:\Users\MC0255\AppData\Local\Temp\.wsmp\20170906WartaClaim Correspondence.msg""

    2 C:\Program Files (x86)\Java\jre1.8.0_144\bin\jp2launcher.exe [6948]

    "C:\Program Files (x86)\Java\jre1.8.0_144\bin\jp2launcher.exe" -secure -plugin -jre "C:\Program Files (x86)\Java\jre1.8.0_144" -vma LURfX2p2bV9sYXVuY2hlZD0xMTE1OTM4MDY0ODMALURfX2FwcGxldF9sYXVuY2hlZD0xMTE1OTM4MDA2MDEALURzdW4uYXd0Lndhcm11cD10cnVlAC1EamF2YS5z

    3 C:\Program Files (x86)\Internet Explorer\iexplore.exe [1104]

    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7768 CREDAT:3879947 /prefetch:2

    4 C:\Program Files\Internet Explorer\iexplore.exe [7768]

    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

    5 C:\Windows\System32\svchost.exe [780]

    C:\Windows\system32\svchost.exe -k DcomLaunch

     

    Thumbprint

    07f2562220fa2e8fb995fa2447029e169a3d4d7daf7371cc01783b5cdceddb1a

    Is there any easy way of turning this off while we fault-find this at the moment, as it's stopping a lot of people working?

    Regards

    Mat

  • Well, you could turn off mitigations in IE totally under:

    https://cloud.sophos.com/manage/config/settings/exploit-mitigation-exclusions

    At this point IE is not being protected for mitigations but I guess in the short term that is preferable.

    Otherwise you may need to contact Support.

    One thing, I assume when you checked in the API response, you scrolled down in the UI to "gather" up all the entries from the API as they are paged in 50 at a time?

    Also, in the MCSAgent (https://community.sophos.com/kb/en-us/119626) log at the client, when a mitigation occurs, you should see the same event log info in there.  This is kind of evidence that the event information was sent up to Sophos Central or at least the messaging system has seen it.

    Other than that you could try the Early Access Program (EAP) version on a client which is having the issue.  I believe HMPA got quite an update.

    Regards,

    Jak