Sophos Central / Intercept X and Skype for Business

Hey there,

 

We have some major issues while using Sophos Central Endpoint / Intercept X and Skype for Business. Every time someone wants to start a video call, our SfB client crashes. There is no entry in the Sophos event log showing that something blocks SfB or that something isn't permitted. SfB calls without video don't cause any errors or crashes. If we uninstall the Sophos agent, everything is fine.

Does anyone have similar problems and maybe a practical solution for this problem?

 

  • In reply to Root___:

    I agree that wasn't the answer I wanted to hear. It sounds more like "It's not our fault, it's the fault of MS".

    No, you can only add preconfigured applications in the exclusion.

  • Ahahahaha! I cannot believe I have been dealing with this for weeks now and it's actually Sophos causing all the problems. I guess this is why they recommend disabling virus scanners while you are troubleshooting. Luckily I got lucky, because while I was waiting for Office to reinstall I searched around and found this thread on TechNet:

     

    https://answers.microsoft.com/en-us/msoffice/forum/msoffice_sfb-mso_other/sharing-video-crashes-skype-for-business-and-skype/23db9c16-fc97-4645-9eb5-898165aa1433

     

    Where they finger Sophos, and specifically Intercept X, which we, yes, coincidentally deployed around the same time we started noticing this issue.

    I haven't tried any workaround yet, but Sophos, really? You need to fix this. Having some workaround or having to exclude executables is BS. Is this block even logged anywhere on the Sophos console? How the heck could people assume an application crash has to do with Sophos? Seeing as Skype for Business isn't the most stable application at the best of times, I'm sure most people would blame Skype first.

    And this isn't some rinky-dink application, it's the most popular video conferencing application out there today for business! It's simply unbelievable that you have known about this problem for months now and not done a damn thing to address it.

     

    https://software.intel.com/en-us/forums/intel-media-sdk/topic/591864

     

    Edit: the workaround of excluding Skype for Business did work. But it was a bit hard to find.

    1) log into Sophos Central console

    2) click on MY product -> Endpoint protection

    3) click settings

    4) configure -> settings

    5) Endpoint Protection - Exploit Mitigation Exclusions

    6) add "skype for business" from dropdown list (I know not where this is populated from)

     

    Of course, it means that a virus writer need only fake an executable to be Skype for Business and then they get in. I will echo the other posters' alarm at having to exclude software from the virus scanner as a recommended resolution. This is obviously a false positive or a bug and should be fixed ASAP. Man-hours are being lost troubleshooting this ridiculousness, which is costing everyone time and money. Not to mention the amount of failed video calls calling into question our entire Skype for Business system over the last few weeks and having people lose confidence in the system, which sometimes takes YEARS to earn back.

    It's simply unacceptable!!!!

     

     

  • In reply to givemecontrol:

    I agree that the fact that nothing has been done about this is unacceptable. The Intel graphics DLL is what pops up as an exploit; however, pushing out the reg fix that was posted works for the most part. We used GP to apply that regfix upon signing in. This resolved the issue; however, this still needs to be addressed in further versions of Sophos.

    Putting an entire application in an exception list isn't really a fix, as it can open up major vulnerabilities. However, the regfix doesn't, so I would recommend the regfix rather than putting the entire application in the exceptions list.

  • I just deployed Sophos Central and am also having this issue.  Need this resolved ASAP.

  • In reply to Ernestbaidoo:

    Well then, use my workaround. Did that not work?

  • In reply to givemecontrol:

    Only through the exclusion; the registry key wasn't present on the machines in my environment. Also, this is for Skype and not Skype for Business.

  • In reply to Ernestbaidoo:

    This was fixed for Skype for Business in a recent update. If your issue is with Skype, I would suggest opening a new thread.

  • In reply to jak:

    Hi 

    Company recently started using Skype for Business, and as we already use Sophos Central and Intercept X, we started getting this issue when starting up video calls. For the most part we'd only seen this on HP laptops, so links to the video driver in use seem to be relevant.

    During testing we played with the admin settings and overrides and found that with Runtime Protection options off we still got the issue, but with all options overridden video calls would start, and as long as the Skype app wasn't restarted they would still work when everything was turned back on, which points to the files/keys mentioned being accessed then "protected" by Sophos as the root cause.

    As per the above advice, I added Skype for Business to the Exploit Mitigation Exclusions; this worked for us.

    I'd rather we didn't have such a glaring hole in the protection but as it's our standard IM client globally and this "fixed" the problem it may have to remain as such. Hopefully our other layers of protection cover us.