Sophos Central / Intercept X and Skype for Business

Hey there,

We have some major issues while using Sophos Central Endpoint / Intercept X and Skype for Business. Every time someone wants to start a video call, our SfB client crashes. There is no entry in the Sophos event log that something blocks SfB or that something isn't permitted. SfB calls without video don't cause any errors or crashes. If we uninstall the Sophos agent, everything is fine.

Does someone have similar problems and maybe a practical solution for this problem?

  • Hi,

    Have you narrowed it down to a specific option in the policy?

    For example, in the "Threat Protection" part of the user policy, if you disable the section "Mitigate exploits in vulnerable applications", does that help?

    More specifically to Lync/Skype, if you go to "System Settings" - "Exploit Mitigation Exclusions" in Sophos Central and add Skype/Lync.exe, does this help?

    Is it a mitigation problem? If so, which mitigations specifically? That can be tested using the registry on the client and restarting the HitmanPro.Alert service.

    I assume the process crashing is Lync.exe? If so, that is classified as "Other". Under the key hklm\software\hitmanpro.alert there is a "_Profiles_" key, under which (if "Mitigate exploits in vulnerable applications" is enabled) you should see an "Other" key; this is the mitigation config for applications of type "Other". There is a DWORD entry for each of the mitigations. I assume an entry such as DEP is set to 1. If you change this to 0 and restart the HitmanPro.Alert service, does that help?

    Out of interest: if you run Process Monitor (https://technet.microsoft.com/en-US/sysinternals/processmonitor.aspx) when you load the client and then attempt to launch a video call, you should see all the "Load Image" operations - filter as required to make them easier to find. Do you see a Load Image for ...\Intel\Media SDK\mfx_mft_mjpgvd_32.dll? If so, do you also see a query to this key:

    HKCR\WOW6432Node\MediaFoundation\Transforms\00c69f81-0524-48c0-a353-4dd9d54f9a6e\MFTFlags

    and if so, what is the value? Does it help to change it to, say, 3?

    Regards,

    Jak

  • In reply to jak:

    Hi Jak,

    Thx for the fast response, and the second answer was the solution. Too easy ^^

    Regards,

    Ecrook

  • In reply to Ecrook:

    Glad that helped and provides a simple workaround for the short term. I guess excluding the application is not ideal, as it would be good to be protected.

    Maybe if you get some time in the future to explore the specific settings or try the other things I mentioned, please shout.

    Regards,

    Jak

  • In reply to Ecrook:

    Hi Ecrook,

    What specifically did you do? I am having the same issue.

  • In reply to Renzo Patricio:

    I assume in Sophos Central - "System Settings" - "Exploit Mitigation Exclusions" - he added Skype/Lync.exe.

    It would be interesting to know if Media Foundation transforms are related here.

    If you run Process Monitor, set up a filter for Process Name is Lync.exe or Skype.exe (depending on the process crashing), and look at the "Load Image" operations before the crash, does mfx_mft_mjpgvd_32.dll get loaded?

    If so, does changing HKCR\WOW6432Node\MediaFoundation\Transforms\00c69f81-0524-48c0-a353-4dd9d54f9a6e\MFTFlags from what I assume is 6 to, say, 3 help?

    Is it a certain type of computer, manufacturer or model number with the issue? Certain graphics cards, for example?

    Regards,

    Jak

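The registry check that Jak describes above, and the change later posts roll out, as an added PowerShell example that is not from the thread or from Sophos. It assumes the transform CLSID and MFTFlags path quoted in the thread, decodes the value with the MFT_ENUM_FLAG bits from mfapi.h, reports only unless run with the -Apply switch, and exports the key to a backup file (the location under ProgramData is an assumption) before setting the value to 3.

```powershell
# Added example (not from the thread or from Sophos): report the MFTFlags value of the
# Intel Media SDK MJPEG decoder transform quoted in the thread and, with -Apply, change it
# from 6 to 3 after exporting the key to a backup. Run from an elevated PowerShell.
param([switch]$Apply)

$Transform = '00c69f81-0524-48c0-a353-4dd9d54f9a6e'           # CLSID quoted in the thread
$RegPath   = "HKCR\WOW6432Node\MediaFoundation\Transforms\$Transform"
$KeyPath   = "Registry::HKEY_CLASSES_ROOT\WOW6432Node\MediaFoundation\Transforms\$Transform"
$Backup    = Join-Path $env:ProgramData "mftflags-$Transform.reg"  # assumed backup location

# MFT_ENUM_FLAG bit values from mfapi.h, so the numbers in the thread can be read
$MftEnumFlags = [ordered]@{
    SYNCMFT = 0x01; ASYNCMFT = 0x02; HARDWARE = 0x04; FIELDOFUSE = 0x08
    LOCALMFT = 0x10; TRANSCODE_ONLY = 0x20; SORTANDFILTER = 0x40
}
function Get-MftFlagNames([int]$Value) {
    ($MftEnumFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }) -join '|'
}

if (-not (Test-Path $KeyPath)) {
    Write-Warning "Transform key not present; the Intel MJPEG MFT is not registered on this machine."
    return
}
$current = (Get-ItemProperty -Path $KeyPath -Name MFTFlags -ErrorAction Stop).MFTFlags
# 6 = ASYNCMFT|HARDWARE (value reported in the thread); 3 = SYNCMFT|ASYNCMFT (the value that worked)
Write-Host ("MFTFlags = {0} ({1})" -f $current, (Get-MftFlagNames $current))

if (-not $Apply) { Write-Host 'Report only; re-run with -Apply to set MFTFlags to 3.'; return }
if ($current -eq 3) { Write-Host 'Already 3; nothing to do.'; return }

# Export the key first so the change can be reverted with: reg.exe import <backup>
reg.exe export $RegPath $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup export failed; not changing MFTFlags." }
Set-ItemProperty -Path $KeyPath -Name MFTFlags -Value 3 -Type DWord
Write-Host "MFTFlags changed from $current to 3; backup written to $Backup"
```

Run it once without -Apply on a machine that shows the crash to confirm the value really is 6 (ASYNCMFT|HARDWARE) before rolling the change out more widely.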

  • In reply to Renzo Patricio:

    As Jak said: System Settings --> Exploit Mitigation Exclusions. There is a button called Add Exclusion, and then you can select SfB from a dropdown field. That works for me as a workaround.

  • In reply to jak:

    Thx for the help, and yes, this can only be a workaround. I will dig deeper when I have the time for it.

  • In reply to Ecrook:

    Hi

    We also have the same issue, but it seems to be only affecting PCs that have Windows 10 installed. I did originally put SfB in the exclude list and found that it worked. I have now removed the exclude and changed the entry in the registry, HKEY_CLASSES_ROOT\WOW6432Node\MediaFoundation\Transforms\00c69f81-0524-48c0-a353-4dd9d54f9a6e\MFTFlags; mine was set to 6, changed to 3, all working.

    I am going to have a look at the other affected hardware that has the issue (HP, Lenovo & several Surface Pros) and see if they were set to 6.

    Tim

  • In reply to tim Shaw:

    I can only assume that those flags relate to this:
    https://msdn.microsoft.com/en-us/library/windows/desktop/dd389302(v=vs.85).aspx

    Do you see the same DLL being loaded: \Intel\Media SDK\mfx_mft_mjpgvd_32.dll?

    Regards,
    Jak

  • In reply to Ecrook:

    Thank you!

    I added it to the exception and it didn't work.

    I used Procmon and the DLL is loaded.

    Changing the MFT from 6 to 3 fixed the issue.

  • In reply to jak:

    Hi Jak,

    This worked perfectly! We have rolled this out as a registry fix. Will this be reported to the devs and updated in the next build of Sophos?

    Thanks

  • In reply to Root___:

    I had a call with Sophos Support for this problem and they already know about it.

  • In reply to Ecrook:

    But are they going to add a fix?

  • In reply to Root___:

    Maybe in the future, but I don't think so.
    It's a problem between SfB and HitmanPro.Alert, and it isn't such a trivial problem. They made the workaround with the possibility of Exploit Mitigation Exclusions, and it sounds like this is their answer. I also asked our SfB expert, and he confirmed that SfB can be a bastard for such tools because of the complex network structure.

  • In reply to Ecrook:

    Hmm... While I agree with everything you say, that is not really an acceptable answer. I am not making an exception for Skype for Business. All my software should be protected at all times.

    SfB is a terrible application, but unfortunately it is something we can no longer go without.

    I think the devs need to look at SfB and recode it accordingly. Yes, it is a graphics card problem, as the DLL that flags up links to the Intel HD graphics drivers, which update all the time, but they just need to add that to HitmanPro's database.

    Unless I can add that specific DLL to Exploit Mitigation Exclusions?