Central Admin – Some customers have reported performance issues within the People and Devices sections

Update June 15th – The update scheduled for June 15th/16th that includes the performance improvement for People/Device pages has been postponed. As soon as this has been rescheduled, we will update this article.

  • The update that occurred during the week of June 3rd resolved the performance issue when searching for and opening devices/people.
  • An update (date to be determined) will improve initial page loading of People/Devices for customers with large numbers of devices/users. Expected load time is ~5 seconds per 10k items; this is the UI display time after the data has been received and does not include network time. Currently the initial load is taking longer than expected.
  • A second update, scheduled for July 28th, is expected to bring further performance improvements overall to the bulk People and User pages.

Original alert:

Sophos is currently investigating reports from some customers experiencing slow performance within the ‘People/Users’ and ‘Devices/Computers’ sections of the Sophos Central Dashboard.

Affected customers report that certain actions, such as searching for and opening users/devices, take ~5 to 10 seconds or more within the following sections:

  • Main Overview pages:
    • People = https://cloud.sophos.com/manage/bulk-users
    • Devices = https://cloud.sophos.com/manage/bulk-computers
  • This also includes the People/Device/Computer pages within other Sophos Central product sections, such as Endpoint, Server and Encryption.

Applies to the following Sophos product(s) and version(s)

Sophos Central Admin

Some Sophos customers may experience slower than expected performance while trying to work (search/open) within People and Device sections within Sophos Central.

Update June 5th – An update to Central has now been completed which helps to address the excessive delays seen within the People and Devices sections. In addition to this update, two more are planned in the near future to further improve the overall performance of these bulk People and Device pages.

  • The update that occurred this week (week of June 3rd) resolved the performance issue when searching for and opening devices/people.
  • An update scheduled for June 16th will improve initial page loading of People/Devices for customers with large numbers of devices/users. Expected load time is ~5 seconds per 10k items; this is the UI display time after the data has been received and does not include network time. Currently the initial load is taking longer than expected.
  • A second update, scheduled for July 28th, is expected to bring further performance improvements overall to the bulk People and User pages.

If you are impacted by this performance issue, there are no actions that need to be taken. We will continue to update this article with any new information related to the resolution of this issue.

  • Note: If you are experiencing this issue and the delay is much worse than 5 to 10 seconds per action, please raise a support case with our Technical Support team referencing this article so that further investigation can be performed.

If you are experiencing a different issue that is not related to the Users or Devices pages, please raise a support case to our Technical Support team for assistance/investigation.

This article will be updated when more information becomes available.

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Related:

  • No Related Posts

Updated Advisory: Sophos Central Maintenance previously scheduled for Saturday June 15th, 2019 has been postponed

6/14/19 update: The scheduled maintenance referenced in this article has been postponed and will not take place this Saturday. We will update this article when the maintenance has been rescheduled.

Original advisory:

Sophos Central Engineering will be performing routine maintenance to Sophos Central on Saturday June 15th, 2019 starting at 13:00 (UTC). Expected time to complete maintenance is five hours.

  • There will be no disruption to protected endpoints during this time period.
  • This KBA and the Sophos StatusCast page will show the maintenance status as in progress once it starts and as completed when it finishes.

Applies to the following Sophos products and versions

Sophos Central Enterprise Dashboard

Sophos Central Partner

Sophos Central Admin

Customers will see a banner in their Central Admin Dashboard indicating that maintenance is occurring; it will be displayed throughout the maintenance period.

While we do not anticipate any interruption or degradation of service during the maintenance update, in some instances a customer may experience the following:

  • You may be automatically logged out of the Central portal.
  • New endpoint installations may take longer to complete.
  • You may experience temporary latency within the Central UI portals.
  • You may experience a delay in policy rendering.

Should the above occur, please try again shortly and/or once the Central maintenance has completed.

Upon the conclusion of the maintenance, the maintenance banner within the UI will be removed and the “What’s New” section in Sophos Central will be updated accordingly.

Sign up for the Sophos Support SMS Notification Service to get the latest product release information and critical issues.

Sophos Anti-Virus for Linux and for UNIX: Communication with Sophos Update Server uses HTTPS by default

This article advises that Sophos Anti-Virus (SAV) for Linux and for UNIX uses HTTPS (HTTP over TLS) to communicate with the online Sophos Update Servers.

Applies to the following Sophos product(s) and version(s)

Sophos Anti-Virus for Linux 9.14.2

Sophos Linux Security 10.4.0

Sophos Anti-Virus for Unix

From versions 10.4 and 9.14.2 onwards, SAV for Linux uses HTTPS (HTTP over TLS) to communicate with the configured Update Server. This also applies to Enterprise Console managed and standalone installations of SAV for Linux and SAV for UNIX where updates are configured to use the Sophos online update location.

If an HTTPS connection cannot be established within a 10 minute timeout, SAV automatically falls back to an HTTP connection.

Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown, Spectre and ZombieLoad)

[LAST UPDATED August 7th 2018 – 11:27 UTC]

This article describes the implications, for Sophos customers, of the kernel memory leak issues being discussed in the media, which are addressed in patches released ahead of schedule by Microsoft on 03 Jan 2018 as well as by patches from Apple and for Linux. This article will continue to be updated when new information becomes available.

The vulnerability involves a kernel memory leak known by names such as KPTI, KAISER and F**CKWIT. Additionally, new research published on 03 Jan 2018 provides details of exploits that use this vulnerability, known as Meltdown and Spectre. The Sophos Naked Security blog has posted more details on this issue here.

  • For Microsoft products the vulnerabilities are addressed in patches that were released ahead of schedule by Microsoft on 03 Jan 2018; see security advisory ADV180002 for details.
  • For Apple products see the following statement: About speculative execution vulnerabilities in ARM-based and Intel CPUs
  • Patches are available for Linux systems; we advise you to speak to your Linux kernel vendor for more information.

Sophos Endpoint customers

On 03 Jan 2018 Microsoft released a Security Advisory (ADV180002) which includes advice on this vulnerability and links to security updates.

The Microsoft article advises that you contact your Anti-Virus vendor to confirm that their software is compatible with the patch and that it sets a specific registry key.

Sophos has completed testing of installing the patch and setting the registry key and can confirm that no compatibility issues were seen. Starting 05 Jan 2018, we will begin to automatically add the registry key in updates to the following Sophos Endpoint/Server products:

  • Sophos Central Endpoints/Servers
  • Sophos Enterprise Console Endpoints/Servers
    • Preview subscription
    • Recommended subscription
    • Previous Recommended subscription
  • Sophos Endpoint Standalone
  • Sophos Virtual Environment (SVE)
  • UTM Managed Endpoints
  • Sophos Home

IMPORTANT: For server operating systems, Microsoft states “Customers have to enable mitigations to help protect against speculative execution side-channel vulnerabilities”. To enable the mitigations, customers need to set three additional registry keys; these may cause performance issues and will not be set by Anti-Virus vendors. For more information see: Windows Server guidance to protect against speculative execution side-channel vulnerabilities.

NOTE: For Sophos Central customers currently enrolled in the Early Access Program (EAP) please see this article: Meltdown and Spectre – The chip bugs and Intercept X Early Access Program

Customers running Sophos Intercept X and/or Sophos Device Encryption only (i.e. without Sophos Anti-Virus), alongside a 3rd party Anti-Virus product, should contact the 3rd party Anti-Virus vendor to check its compatibility with the Microsoft patch and whether it sets the required registry key.

How to check if you have had the Sophos update

For customers who wish to confirm the Sophos update has been applied please see this article: Kernel memory issue affecting multiple OS: How to confirm you have the Sophos update.

Sophos Central customers using Controlled Updates will not receive the Sophos update that automatically sets the registry key. If you require the Microsoft patch via Windows Update, you can either Resume Automatic Updating to receive the Sophos update that sets the registry key, or apply the registry key manually via your own method (e.g. GPO, script, Regedit).

Sophos Enterprise Console (SEC) customers using Fixed Extended subscriptions prior to 10.7.6 will not receive the Sophos update that automatically sets the registry key. If you require the Microsoft patch via Windows Update, you can either move to a subscription that does contain the update, or apply the registry key manually via your own method (e.g. GPO, script, Regedit).

NOTE: Sophos has tested the compatibility of our products with the Microsoft patch; however, you may be running 3rd party software that is not compatible with the patch. We recommend contacting your 3rd party vendors to confirm their compatibility.

Customers wishing to apply the patch now, ahead of the Sophos update, can set the registry key manually as described in the Microsoft article ADV180002. Alternatively, you can manually download and apply the patch without setting the registry key.

Please note that Microsoft states “you may also need to install firmware updates from your device manufacturer for increased protection. Check with your device manufacturer for relevant updates.” For more information see the Microsoft article: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities. We recommend that you test any firmware updates before deploying them to your live environment.
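As an added example (not part of this Sophos article and not Sophos tooling), the following Python script evaluates the registry values involved in the advice above: the QualityCompat value that Windows Update checks before offering the January 2018 patch, and the FeatureSettingsOverride / FeatureSettingsOverrideMask switches that enable the mitigations on servers. The key paths and value names are taken from Microsoft's ADV180002 guidance, not from this article; the sample registry states used off Windows are constructed, and the live read uses the standard-library winreg module.

```python
"""Added example: assess Meltdown/Spectre patch-gate and mitigation registry values.
Key paths and value names follow Microsoft's ADV180002 guidance (not this article);
the sample state used when not running on Windows is constructed."""
import sys

# Anti-virus compatibility flag. Windows Update offers the January 2018 security
# update only when this REG_DWORD value exists under HKLM and is set to 0.
QUALITY_COMPAT_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
QUALITY_COMPAT_VALUE = "cadca5fe-e7b1-4c75-ba42-3b4e5b2a1e2a"

# Server-side switches (not set by AV vendors). Mitigations are enabled when
# FeatureSettingsOverride == 0 and FeatureSettingsOverrideMask == 3; Hyper-V
# hosts additionally need MinVmVersionForCpuBasedMitigations, not checked here.
MEMMGMT_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"

WANTED = [
    (QUALITY_COMPAT_KEY, QUALITY_COMPAT_VALUE),
    (MEMMGMT_KEY, "FeatureSettingsOverride"),
    (MEMMGMT_KEY, "FeatureSettingsOverrideMask"),
]


def assess(values, is_server=False):
    """values maps (key_path, value_name) -> data for entries present in HKLM.
    Returns a dict of boolean findings for a compliance report."""
    compat = values.get((QUALITY_COMPAT_KEY, QUALITY_COMPAT_VALUE))
    findings = {"av_compat_key_set": compat == 0}
    if is_server:
        override = values.get((MEMMGMT_KEY, "FeatureSettingsOverride"))
        mask = values.get((MEMMGMT_KEY, "FeatureSettingsOverrideMask"))
        findings["server_mitigations_enabled"] = override == 0 and mask == 3
    return findings


def read_hklm(entries):
    """Read the given (key_path, value_name) pairs from HKLM (Windows only).
    Entries that do not exist are left out of the result."""
    import winreg  # standard library, available only on Windows
    found = {}
    for key_path, value_name in entries:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
                found[(key_path, value_name)] = winreg.QueryValueEx(key, value_name)[0]
        except OSError:
            pass  # key or value absent: reported as "not set"
    return found


if __name__ == "__main__":
    if sys.platform == "win32":
        state = read_hklm(WANTED)
    else:
        # Constructed sample state for demonstration off Windows.
        state = {(QUALITY_COMPAT_KEY, QUALITY_COMPAT_VALUE): 0}
    for name, ok in assess(state, is_server="--server" in sys.argv).items():
        print(f"{name}: {'yes' if ok else 'NO'}")
```

Run it with `--server` on a server OS to include the mitigation switches in the report; a missing key is deliberately reported the same way as a wrong value, since in both cases the patch is not offered (or the mitigation is not active).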

Sophos Network customers

Listed below are the Sophos network security products that use CPUs known to be vulnerable to these issues.

  • Sophos XG Firewall (Sophos Firewall OS) 16.5 and 17 (XG Series)
  • Sophos UTM (SG series) 9.5
  • Sophos Firewall Manager (SFM) 16.5
  • Sophos Web Appliance (SWA) 4.3.4
  • Sophos iView 3.0.1.1
  • Sophos Email Appliance (SEA)
  • Sophos RED
  • Cyberoam OS 10.6.6
  • Cyberoam Central Console 02.04.0 build 249
  • Cyberoam iView 0.1.2.8

These products require no patches or fixes for these CVEs, based on the assessment that access to the appliance OS to load external code is restricted and therefore malicious code cannot be executed. We recommend following best practices to protect access to privileged accounts.

At present there are three vulnerabilities linked to the kernel memory leak issue. These are:

Currently there are no known malicious threats exploiting these vulnerabilities. Sophos has released protection to help guard against this in the future; this protection will continue to be updated.

Threat name      Sophos IDE      Publication started     Publication finished
Mal/Spectre-B    zbot-lvw.ide    2018-01-05 00:20 UTC    2018-01-05 02:23 UTC
Mal/Spectre-C    zbot-lvw.ide    2018-01-05 00:20 UTC    2018-01-05 02:23 UTC
Mal/Spectre-D    zbot-lvw.ide    2018-01-05 00:20 UTC    2018-01-05 02:23 UTC
Mal/Spectre-E    netwi-md.ide    2018-01-05 06:58 UTC    2018-01-05 09:00 UTC
OSX/Spectre-B    netwi-md.ide    2018-01-05 06:58 UTC    2018-01-05 09:00 UTC
Mal/Spectre-A    age-axyx.ide    2018-01-05 18:31 UTC    2018-01-05 20:34 UTC
JS/Spectre-A     pdfu-dwf.ide    2018-01-06 07:35 UTC    2018-01-06 09:37 UTC
Mal/Meltdown-A   msilk-al.ide    2018-01-06 12:33 UTC    2018-01-06 14:36 UTC
Mal/Meltdown-B   msilk-al.ide    2018-01-06 12:33 UTC    2018-01-06 14:36 UTC
Mal/Meltdown-C   inje-cyk.ide    2018-01-09 07:05 UTC    2018-01-09 09:08 UTC
Mal/Meltdown-D   delf-gmj.ide    2018-01-10 04:57 UTC    2018-01-10 07:00 UTC

Sophos XG Firewall and Cyberoam IPS signatures have been added to protect against the specific CVEs and sample code outlined in the Spectre and Meltdown whitepapers, and we will continue to update the IPS patterns as new variants are discovered; however, we still recommend that patches be applied to all affected systems as soon as they are available.

To ensure you have the latest protection please see this article: Sophos products: How to check if the product is up to date.

Sophos Anti-virus for UNIX: Migrating a protected UNIX server managed by Sophos Enterprise Console to a Standalone (unmanaged) implementation

This article provides details on how to migrate a Sophos Enterprise Console (SEC) managed UNIX server to a Standalone implementation.

Note: This command is irreversible. To re-register the UNIX server to Sophos Enterprise Console after running this command, you will need to re-install Sophos Anti-virus.

Applies to the following Sophos product(s) and version(s)

Enterprise Console 5.5.0

Enterprise Console 5.5.1

Sophos Anti-Virus for Unix version 9.15.x

Operating systems

Solaris SPARC, Solaris Intel, HP-UX and AIX running Sophos Anti-Virus version 9.15.x

Support for SEC-management of UNIX servers is due to end after 31 December 2019. Sophos will continue to support standalone deployments of Sophos Anti-virus for UNIX after this date. See Sophos Anti-Virus for Linux and UNIX: Changes to supported platforms.

Sophos recommends customers migrate SEC-managed Sophos Anti-virus for UNIX deployments to standalone configurations before December 2019.

In a SEC-managed configuration, the UNIX server receives updates and policy changes from the Sophos Enterprise Console (SEC) and reports any detected threats back to the console. After migration to a standalone configuration, SEC will not receive any alerts or events and the SEC entry for the UNIX server will display the machine as inactive. The UNIX server will continue to receive updates from the Central Installation Directories (CIDs) on the SEC server, but the Sophos Enterprise Console will no longer manage the updates. If the SEC server is turned off, updates on the standalone UNIX server will stop unless a secondary update source is defined.

In order to obtain alerts for the standalone UNIX server following migration from Sophos Enterprise Console, you will need to configure a valid email address.

Actions before migration

Before starting, please confirm whether any scheduled scans created within the Sophos Enterprise Console are named using a double-byte (non-ASCII) character set. If so, please refer to the notes below for additional actions.

The ability to migrate to a standalone implementation is provided by a new de-registration command-line option in SAV for UNIX v9.15.0 and later. After migration, all configuration and management tasks for the UNIX server require the SAV command-line interface. Some tasks are simpler to perform on the SEC server before migration, including:

  • Configure a Secondary Update Server via the SEC server before the migration. Please review the chapter titled Configuring the updating policy in the Sophos Enterprise Console help guide for details on configuring a Secondary Update Server.
  • Set up all necessary email alerting. Please review the chapter titled Setting up alerts and messages in the Sophos Enterprise Console help guide for details on setting up email alerting.

To initiate the migration to a standalone deployment, run the following command on your UNIX server.

Note: This command is irreversible. To re-register the UNIX server to Sophos Enterprise Console after running this command, you will need to re-install Sophos Anti-virus.

# /opt/sophos-av/bin/savdctl deregisterRMS

  • The de-registration process first stops the UNIX server reporting to the Sophos Enterprise Console (SEC) by stopping and removing Sophos’ Remote Management Services (RMS).
  • AutoUpdate is then configured on the standalone server with the update period that was configured in SEC.
  • The update source details are then copied from the Sophos Enterprise Console.
  • Any configured named scans are migrated to the standalone server. The name used to identify the scans is changed slightly, from SEC:nameofscan to SEC_nameofscan, to help you distinguish scan configurations migrated from SEC from any newly created scans.
  • The process then migrates the email alert and messaging configurations from the Sophos Enterprise Console to the standalone deployment.
  • The output of the migration can be viewed in /opt/sophos-av/log/deregisterRMS.log.

After migration

The entry for the migrated UNIX server is not removed from Sophos Enterprise Console. If required, entries remaining in SEC can be cleaned up after migration by deleting them in the console.

Note: If the UNIX updates are removed from the subscriptions in the Sophos Enterprise Console, then the CID UNIX update location will no longer be updated. This could cause the protection on the migrated standalone UNIX server to become out of date, even if a secondary source is available. In this situation, reconfigure the standalone server with a current and valid update source.

Air Gapped: In an air-gapped environment where the UNIX endpoint was receiving updates from a SEC server, the process used to update SEC should continue to include UNIX updates. This ensures the UNIX server continues to receive updates after moving to a standalone, unmanaged state.

Additional considerations for non-ASCII character scheduled scans

The deregisterRMS command needs to migrate scheduled scans that were created within the Sophos Enterprise Console. The command cannot process scans named using non-ASCII characters: running deregisterRMS in the C locale will fail.

As a workaround you can either:

  1. Rename the scheduled scans so that they use only ASCII characters, or
  2. Run deregisterRMS in a UTF-8 locale (set the LC_ALL and LANG environment variables). For example:

  AIX: LANG=JA_JP
  HP-UX: LANG=ja_JP.utf8
  Solaris: LANG=ja_JP.UTF-8
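The following Python pre-flight check is an added example, not part of this article or of the Sophos product: before running deregisterRMS it flags scheduled-scan names containing non-ASCII characters (the case that fails in the C locale) and, when any are found, builds the UTF-8 environment listed above for the current platform. The scan-name list is constructed for the demonstration; how you export the real names from SEC is up to you, and the command is only executed when `--execute` is passed.

```python
"""Added example (not Sophos code): pre-flight check before running
'/opt/sophos-av/bin/savdctl deregisterRMS'.  It flags scheduled-scan names that
contain non-ASCII characters (the case in which deregisterRMS fails in the C
locale) and builds the UTF-8 environment suggested for each UNIX platform.
The scan-name list is constructed; obtaining the real names from SEC is left
to the operator."""
import os
import subprocess
import sys

DEREGISTER_CMD = ["/opt/sophos-av/bin/savdctl", "deregisterRMS"]

# UTF-8 locales per platform, keyed by uname sysname, as listed in the article.
UTF8_LOCALES = {"AIX": "JA_JP", "HP-UX": "ja_JP.utf8", "SunOS": "ja_JP.UTF-8"}


def non_ascii_scan_names(names):
    """Return the scan names that would break deregisterRMS in the C locale."""
    return [n for n in names if not n.isascii()]


def utf8_environment(platform, base_env):
    """Copy base_env with LC_ALL and LANG pointing at the platform's UTF-8 locale."""
    if platform not in UTF8_LOCALES:
        raise ValueError(f"no UTF-8 locale listed for platform {platform!r}")
    env = dict(base_env)
    env["LC_ALL"] = UTF8_LOCALES[platform]
    env["LANG"] = UTF8_LOCALES[platform]
    return env


def preflight(names, platform, base_env):
    """Decide how deregisterRMS should be run.

    Returns a dict with 'action' ('run' when every name is ASCII, otherwise
    'run-in-utf8-locale'), the environment to use, and the offending names."""
    bad = non_ascii_scan_names(names)
    if not bad:
        return {"action": "run", "env": dict(base_env), "non_ascii": []}
    return {"action": "run-in-utf8-locale",
            "env": utf8_environment(platform, base_env),
            "non_ascii": bad}


if __name__ == "__main__":
    # Constructed sample: one scan name uses Japanese characters.
    sample_names = ["Daily_Scan", "Weekly_Full", "毎日スキャン"]
    decision = preflight(sample_names, os.uname().sysname, os.environ)
    print("non-ASCII scan names:", decision["non_ascii"] or "none")
    print("action:", decision["action"],
          "LANG=" + decision["env"].get("LANG", "(unset)"))
    if "--execute" in sys.argv:
        # Irreversible, as the article warns: re-registering means reinstalling SAV.
        subprocess.run(DEREGISTER_CMD, env=decision["env"], check=True)
```

On a platform not listed in the table the check raises rather than guessing a locale, so the operator either renames the scans (option 1) or supplies a locale that the host actually has installed.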

Advisory: Sophos Central – MFA option disabled after changes were made to a login and synced via the Central AD-Sync utility

Note: This was fixed in the May 22nd release, but we understand that it may still be occurring.

Sophos is investigating an issue between the Central Admin AD sync utility and MFA-enabled Central Administrators (e.g. Read-only, Helpdesk, Admin, or Super Admin).

Some customers report that after changes are made to a Central login that has Central Multi-Factor Authentication (MFA) enabled (either a change within Central itself or a change within Active Directory), the MFA requirement for login is incorrectly disabled. When this happens, users are asked only for their Central login.

Changes to login records that may trigger this issue after re-syncing via the Central AD sync utility include:

  • Adding a user to, or removing a user from, groups (AD)
  • Adding or removing email aliases (AD)
  • Changing email or login info (AD)
  • Changing name (AD)
  • Editing logins (Central)

Applies to the following Sophos product(s) and version(s)

Sophos Central Admin

  • Affects Central Admin customers who use the MFA login option AND use the Central AD sync utility AND have made a change to that user's record within either Active Directory or the Central Dashboard.
    • Affected Central logins that previously had MFA enabled will be able to log in with just their Central login password.
  • There are no errors or other indication when this issue occurs. An administrator will only notice that they are no longer asked to enter MFA when logging into Sophos Central.

Development is aware and currently working on a resolution.

  • Until this issue is resolved, Sophos recommends not making any changes to a user's record within Active Directory or within Central Admin if that user also has MFA Central login enabled.
    • Federated/Azure logins are not affected by this.
  • Affected customers should follow the ‘Workaround’ section below.

Workaround

Turn off and re-enable MFA for the affected user(s).

  • Any user who was affected will be re-prompted to set up MFA on their next login.
  • Any user who was not affected will not see any changes.
  • To do this, go to Global Settings > Multi-Factor Authentication (MFA), which is under the ‘General’ section. Note that this global setting is available to Super Admin level logins only.
  • Whether you currently have ‘All admins need MFA’ or ‘Select admins who will need MFA’ selected, perform the following steps:
    • Turn off MFA (the first radio button).
    • Choose the ‘Save’ button.
    • Until the issue is resolved, make any changes you need for your users with MFA logins and perform an AD sync before re-enabling MFA.
    • Re-enable the MFA option you had previously selected (previously selected admins are remembered).
    • Choose the ‘Save’ button.
  • Any impacted admins will now be prompted to set up MFA again during their next login to Central Admin.

This article will be updated when more information becomes available.

Resolved – Advisory: Sophos XG Firewall – Exim Remote Code Execution vulnerability

Sophos is aware of a vulnerability in the 3rd party component Exim that is used in Sophos XG Firewall. This vulnerability only applies if a customer has enabled email protection and recipient verification is disabled. This article describes the recommended steps to secure the XG Firewall for customers using the email protection functionality.

Applies to the following Sophos products and versions

Sophos XG Firewall versions 17.5.5.433, 17.5.3.372, 17.5.4.429, 17.5.0.321 and 17.5.3.347.

CVE-2019-10149: Exim RCE described here.

The following XG Firewall versions are impacted if email protection is used and recipient verification is not turned on.

  • SF 17.5.5.433
  • SF 17.5.3.372
  • SF 17.5.4.429
  • SF 17.5.0.321
  • SF 17.5.3.347

To verify your Firewall firmware and build versions, use the following console command:

system diagnostics show version-info

To mitigate the Exim Remote Code Execution (RCE) vulnerability, configure the XG Firewall more securely: log in to the XG webadmin console and do the following for each active SMTP policy:

  • Enable Recipient verification, via the callout method or via Active Directory lookup, whichever applies to your internal domain.

A hotfix has been released and pushed to all affected XG Firewalls.

To validate that your XG Firewall has received the hotfix, run the following console command:

system diagnostics show version-info

The Hot Fix version should be 7.

Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.

Sophos Anti-Virus for Linux/Unix: Central configuration of the Remote Management System

This article describes how to apply Central Installation Directory (CID) based Remote Management System (RMS) configuration, which is useful in several circumstances:

  • Changing the ParentAddress / ParentRouterAddress after a server migration
  • Changing ParentRouterAddress to use a message relay
  • Changing the ParentAddress / ParentRouterAddress when the server IP address is behind a NAT firewall

Note: It is not possible to change the ports used by RMS with this method.

Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux

Sophos Anti-Virus for Unix

The method will depend on whether endpoint installations have already been deployed or not:

  • Option 1 – Pre-Installation (mrinit.conf)

    Before installation, edit the mrinit.conf file in the root of the CID, e.g.:

    SophosUpdate\CIDs\S000\savlinux\mrinit.conf

    If using this method, you must uninstall Sophos Anti-Virus from any endpoint that has already used the existing mrinit.conf, and re-install afterwards.

  • Option 2 – Post-Installation (mrinit.custom)

    To centrally edit RMS information on existing endpoints, create an mrinit.custom file, which is selected in preference to mrinit.conf.

    Make a copy of mrinit.conf and edit the required values (e.g. ParentAddress, ParentRouterAddress). Save the new file as mrinit.custom in the root of the CID, e.g.:

    SophosUpdate\CIDs\S000\savlinux\mrinit.custom

    Endpoints will automatically select mrinit.custom when they next perform an update from the CID.

If you are familiar with ConfigCID.exe, note that it is not required and will not work in the scenario above.
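As an added example (not Sophos code), the following Python script produces mrinit.custom from mrinit.conf by rewriting only the ParentAddress / ParentRouterAddress values and refusing any other key, which mirrors the note above that the RMS ports cannot be changed this way. The mrinit.conf syntax is assumed to be key=value lines, optionally with the key and value in double quotes; the sample file content is constructed, and the host names in it are placeholders.

```python
"""Added example (not Sophos code): build mrinit.custom from mrinit.conf by
rewriting only the ParentAddress / ParentRouterAddress values.  The exact
mrinit.conf syntax is assumed (key=value lines, optionally with the key and
value in double quotes); the sample file content below is constructed."""
import re
import sys

# Only these keys may be changed with this method; the RMS port settings
# cannot be changed via mrinit.custom, so any other key is refused.
ALLOWED_KEYS = {"ParentAddress", "ParentRouterAddress"}

# Matches  Key=value  or  "Key"="value"  and keeps the text around the value.
LINE_RE = re.compile(r'^(\s*"?)(?P<key>\w+)("?\s*=\s*"?)(?P<value>[^"\r\n]*)("?\s*)$')

# Constructed sample; host names are placeholders.
SAMPLE_MRINIT_CONF = """[Config]
"ParentAddress"="sec-old.corp.example"
"ParentRouterAddress"="sec-old.corp.example"
"RouterPortNumber"="8194"
"""


def rewrite_mrinit(text, changes):
    """Return a new mrinit.custom body with the given keys set to new values.

    changes: {key: new_value}.  Raises ValueError for keys outside ALLOWED_KEYS
    or keys not present in the input, so typos are not silently ignored."""
    disallowed = set(changes) - ALLOWED_KEYS
    if disallowed:
        raise ValueError(f"cannot change {sorted(disallowed)} via mrinit.custom")
    seen = set()
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("key") in changes:
            key = m.group("key")
            seen.add(key)
            # Keep the original quoting/spacing, swap only the value.
            line = f"{m.group(1)}{key}{m.group(3)}{changes[key]}{m.group(5)}"
        out.append(line)
    missing = set(changes) - seen
    if missing:
        raise ValueError(f"keys not found in mrinit.conf: {sorted(missing)}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: script.py <mrinit.conf> <mrinit.custom> <new-parent-host>
        src, dst, new_parent = sys.argv[1:]
        with open(src, encoding="utf-8") as f:
            body = rewrite_mrinit(f.read(), {"ParentAddress": new_parent,
                                             "ParentRouterAddress": new_parent})
        with open(dst, "w", encoding="utf-8") as f:
            f.write(body)
    else:
        # Message-relay case: only ParentRouterAddress changes.
        print(rewrite_mrinit(SAMPLE_MRINIT_CONF,
                             {"ParentRouterAddress": "relay.corp.example"}), end="")
```

Run with three arguments to write the file for the server-migration case (both addresses change); with no arguments it prints the message-relay variant, where only ParentRouterAddress is rewritten.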

Detections of CXmail/OleDl-AF on Office documents (June 5th 2019)

Sophos is aware that starting today (June 5th) a limited number of customers have reported detections of CXmail/OleDl-AF. This detection is affecting Office documents (e.g. Excel, Word) that have macros and are being sent via email.

The CXmail/OleDl detection is designed to identify malicious Office documents sent via email; a recent change to this detection caused some false positives. A fix was published at 11:14 UTC on June 5th in the identity rans-flr.ide.

If you are experiencing this issue please ensure your Sophos products are using the latest update: Sophos products: How to check if the product is up to date

Applies to the following Sophos product(s) and version(s)

Sophos Endpoint/Server and Email products.

The issue has been resolved.

If you are still experiencing issues please check your Sophos product is up to date: Sophos products: How to check if the product is up to date

Advisory: Following the release of Central Intercept X 2.0.5 (HitmanPro.Alert version .745) customers may encounter an Intruder or SafeBrowsing alert on Internet Explorer or Chrome

An issue has been identified in Central Intercept X 2.0.5 (HitmanPro.Alert version .745) where a false positive ‘Intruder’ or ‘SafeBrowsing’ alert on Internet Explorer or Chrome can occur if the customer is running LANDesk software.

To verify that you are seeing this issue, check for the following alerts in the Windows Application Event Log:

Internet Explorer

Log Name: Application
Source: HitmanPro.Alert
Date: xxxxxx
Event ID: 911
Task: Intruder
Level: Error
Opcode: Info
Keyword: Classic
User: N/A
User Name: N/A
Computer: xxxxxxx
Description:
Intruder
PID 28164
Application C:\Program Files (x86)\Internet Explorer\iexplore.exe
Description Internet Explorer 11

Detour Report
# Address Owner Disassembly
-- ---------- ------------------------ ------------------------
WSASend *
1 0x7487FD30 WS2_32.dll JMP DWORD [0x7194001e]
2 0x7195000A (anonymous)
send *
1 0x74885FF0 WS2_32.dll JMP DWORD [0x719a001e]
2 0x719B000A (anonymous)

Backwards compatible thumbprint:
a5f9ab19d47fe7a1c2c93bc08965085ab3052d8a17b031fe1880ca8f738588bf

Code Injection
71A60000-71A61000 4KB C:\Program Files (x86)\LANDesk\LDClient\SoftMon.exe [4444]

Thumbprint
0e2377869e2effd83e4fa51a313db22a650a838d2e29de13425b4f47386470be

Google Chrome

Log Name: Application
Source: HitmanPro.Alert
Date: xxxxxxx
Event ID: 911
Task: Intruder
Level: Error
Opcode: Info
Keyword: Classic
User: N/A
User Name: N/A
Computer: xxxxxxx
Description:
Intruder
PID 25488
Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Description Google Chrome 67

Detour Report
# Address Owner Disassembly
-- ------------------ ------------------------ ------------------------
WSASend *
1 0x00007FFA7D8F9F40 WS2_32.dll JMP QWORD [RIP+0x19260f0]
2 0x00007FFA7EE3000E (anonymous)
send *
1 0x00007FFA7D8FB0C0 WS2_32.dll JMP QWORD [RIP+0x1504f70]
2 0x00007FFA7EDF000E (anonymous)

Backwards compatible thumbprint:
f847b753c9b1697074ea821a3b3d701a6e4f5113ca3abbedf952818d3ced4c10

Code Injection
000007FEFFFF0000-000007FEFFFF1000 4KB n/a [13428]

Thumbprint
b3de04c1095b18b8280a3580b7b9423cc04611b5a15d3af79da6a53a664a1189

This issue will only affect Sophos customers running LANDesk software.
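The following Python triage helper is an added example, not Sophos or HitmanPro code: it parses the description text of an Event ID 911 ‘Intruder’ entry like the two quoted above and reports whether the entry has the shape of this advisory (a browser process, WS2_32 send/WSASend detoured, injected code attributed to a LANDesk module, or unattributed as in the Chrome report). The sample description is constructed from the Internet Explorer report in this article; the field layout the parser expects is taken from those two reports only.

```python
"""Added example (not Sophos or HitmanPro code): parse the description of a
HitmanPro.Alert Event ID 911 'Intruder' entry and decide whether it has the
shape of the LANDesk false positive described in the advisory.  The sample
description is constructed from the Internet Explorer report in the article."""
import re

SAMPLE_DESCRIPTION = r"""Intruder
PID 28164
Application C:\Program Files (x86)\Internet Explorer\iexplore.exe
Description Internet Explorer 11

Detour Report
# Address Owner Disassembly
-- ---------- ------------------------ ------------------------
WSASend *
1 0x7487FD30 WS2_32.dll JMP DWORD [0x7194001e]
2 0x7195000A (anonymous)
send *
1 0x74885FF0 WS2_32.dll JMP DWORD [0x719a001e]
2 0x719B000A (anonymous)

Backwards compatible thumbprint:
a5f9ab19d47fe7a1c2c93bc08965085ab3052d8a17b031fe1880ca8f738588bf

Code Injection
71A60000-71A61000 4KB C:\Program Files (x86)\LANDesk\LDClient\SoftMon.exe [4444]

Thumbprint
0e2377869e2effd83e4fa51a313db22a650a838d2e29de13425b4f47386470be
"""

BROWSERS = ("iexplore.exe", "chrome.exe")
# "WSASend *" / "send *" headers in the detour report name the hooked functions.
DETOUR_RE = re.compile(r"^(\w+)\s+\*\s*$", re.M)
# "<start>-<end> <size> <module path or n/a> [<pid>]" lines under Code Injection.
INJECTION_RE = re.compile(
    r"^([0-9A-Fa-f]+)-([0-9A-Fa-f]+)\s+(\S+)\s+(.+?)\s+\[(\d+)\]\s*$", re.M)


def parse_intruder(description):
    """Extract the fields a triage rule needs from the event description."""
    lines = description.strip().splitlines()
    info = {"task": lines[0].strip(), "pid": None, "application": "",
            "detoured": DETOUR_RE.findall(description), "injections": []}
    for line in lines:
        if line.startswith("PID "):
            info["pid"] = int(line.split()[1])
        elif line.startswith("Application "):
            info["application"] = line[len("Application "):].strip()
    for m in INJECTION_RE.finditer(description):
        info["injections"].append({
            "start": int(m.group(1), 16), "end": int(m.group(2), 16),
            "size": m.group(3), "module": m.group(4), "source_pid": int(m.group(5))})
    return info


def triage(info):
    """'likely-landesk-fp' when the injected code is attributed to a LANDesk
    module; 'possible-landesk-fp' when it is unattributed ('n/a', as in the
    Chrome report) so LANDesk presence must be confirmed on the host;
    'investigate' for anything else."""
    app = info["application"].lower()
    if info["task"] != "Intruder" or not app.endswith(BROWSERS):
        return "investigate"
    if not {"WSASend", "send"} <= set(info["detoured"]):
        return "investigate"
    modules = [inj["module"] for inj in info["injections"]]
    if any("\\landesk\\" in m.lower() for m in modules):
        return "likely-landesk-fp"
    if modules and all(m.lower() == "n/a" for m in modules):
        return "possible-landesk-fp"
    return "investigate"


if __name__ == "__main__":
    report = parse_intruder(SAMPLE_DESCRIPTION)
    print(f"PID {report['pid']} {report['application']} -> {triage(report)}")
```

Anything that does not match the documented shape (a non-browser process, different detoured functions, or injected code attributed to some other module) is deliberately classified as ‘investigate’ rather than as a false positive, so the helper narrows the alerts you can attribute to this advisory without suppressing the rest.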

Applies to the following Sophos product(s) and version(s)

Sophos Central Intercept X 2.0.5

Customers' browser sessions may be interrupted by the alert being triggered.

Sophos Developers are currently investigating this issue as a false positive detection.

If you encounter this issue please raise a case with Sophos Support.

The current workaround is for Sophos customers to disable 'Protect critical functions in web browsers (Safe Browsing)' in their Threat Protection policy. This will stop the false positive detection from occurring.

This article will be updated when further information is available.
