SAV: Hyper-V issues on Windows 10 version 1709

We have had several reports of systems running the latest Windows 10 version 1709 having issues when trying to start Hyper-V VMs. This happens when Intercept X or Exploit Prevention is present: the VMs will not start.

This is corrected in Intercept X 2.0 (for Sophos Central).

SEC-Managed Endpoints (Exploit Prevention) have corrected this in Build 734, which was released in late February 2018.

Applies to the following Sophos products and versions

  • Central Endpoint Advanced 11.5.9
  • Central Endpoint Standard 11.5.9
  • Sophos Endpoint Security and Control 10.7.6
  • Sophos Endpoint Security and Control 10.7.2

Applies to the following operating system

  • Windows 10 version 1709

  • Cannot start Hyper-V vm’s.

Update:

This is corrected in Intercept X 2.0 (for Sophos Central).

SEC-Managed Endpoints (Exploit Prevention) will be getting this update late February.

Update 2:

SEC-Managed Endpoints (Exploit Prevention) have this update as of the 734 build, which they received in late February 2018.


To verify the version of the operating system, from the Run command or a Command prompt, enter “winver.exe”.

The process c:\windows\system32\vmcompute.exe is used by Hyper-V, and conflicts with Intercept X / Exploit Prevention as of Windows 10 version 1709. This process needs to be excluded from Intercept X / Exploit Prevention.

To obtain this workaround, please contact Sophos Support.

This issue has been corrected. Please ensure the Endpoint software is updating successfully.


This article will be updated when information becomes available.

This issue is now fully resolved.

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Related:

Advisory: How to block JavaScript cryptominers

Sophos Web Control can be used to block users from accessing websites categorized as Hacking, which blocks web-based cryptominers. This feature is available on both the Sophos endpoint and network security products.

This article provides instructions on how to ensure protection against JavaScript cryptominers hosted on a website, such as Coinhive.

Note: This affects the websites that users can visit. It is recommended to test the policy before deploying it.


Applies to the following Sophos products and versions

  • Sophos UTM
  • Sophos Web Appliance
  • Sophos Firewall
  • Sophos Endpoint Security
  • Sophos Central Admin
  • Sophos Home

Sophos Enterprise Console managed endpoints and servers

  1. Open Sophos Enterprise Console.
  2. Navigate to Policies > Web Control.
  3. Right-click on the web control policy that is to be changed and select View/Edit Policy.
  4. From the General tab, select Enable web control.
  5. Make sure Hacking is set to Block.
  6. Click OK and confirm the changes within the policy.

Sophos Central managed endpoints and servers

  1. Log in to Sophos Central.
  2. Navigate to Endpoint Protection or Server Protection.

  3. Go to Policies > Web Control then select the policy you want to change.

  4. Select the Settings tab and make sure Web Control is enabled.

  5. Under Acceptable Web Usage, click View Details and find Adult and potentially inappropriate categories.

  6. Click View More and make sure Hacking is set to Block.

Sophos Home

  1. Log in to Sophos Home
  2. On the dashboard, select the computer to where the settings will be applied.

  3. Go to the Web Filtering tab and, in the Adult & Potentially Inappropriate section, ensure that Hacking is set to Block.

Sophos XG Firewall

  1. Navigate to Protect > Web > Policies > then expand the policy you need to modify.

  2. Click on the + symbol then select Add Rule Above.

  3. Click on the corresponding item under Activities column then click Add New Item.

  4. Select Show Only > Web Category.

  5. Untick ALLWebTraffic, if it is ticked.

  6. Scroll down to locate and select Hacking > click on Apply 1 selected items.

  7. Ensure that the status of the rule is set to Block HTTP and is enabled.

Sophos UTM

  1. Navigate to Web Protection > Web Filtering > Policies.
  2. Select Default content filter action.

  3. On the Categories tab, set the Criminal Activities category to Block > click Save.

Note: The Criminal Activities category contains multiple web categories, including the Hacking category needed to block cryptominers. To edit these categories, select Web Protection > Filtering Options > Categories.

Sophos Web Appliance

  1. Navigate to Configuration > Group Policy > Default Policy.
  2. Set the Hacking category to Block.

  3. Click Apply.

If you want to block hacking websites but authorize cryptominers, follow the steps in How to authorize JavaScript Cryptominers. To understand more about cryptominers and why Sophos blocks them, see Web based cryptominers are malware.


Sophos Live Protection: Overview

This article provides a high level overview of what Sophos Live Protection is. More details on how it works can be found here.

Applies to the following Sophos product(s) and version(s)

Not product specific

Sophos Live Protection – What is it?

As malware continues to rapidly evolve and grow, Sophos has realized that it needs a way to enhance existing data updates with a system to keep endpoint protection up to date in real-time. This was done to both improve the response time to new malware and reduce the amount of data delivered to the endpoints.

LiveProtection was added to give the endpoint the ability to ‘lookup’ files in real-time to verify if they are malicious. Over the past few years it has proven very effective at stopping new malware outbreaks and protecting our customers.

Sophos Live Protection can perform the following tasks:

  • Perform cloud look-ups against individual files to determine if safe/malicious

    If the anti-virus scan on an endpoint computer has identified a file as suspicious, but cannot further identify it as either clean or malicious based on the threat identity (IDE) files stored on the computer, certain file data (such as its checksum and other attributes) is sent to Sophos to assist with further analysis. This is known as ‘in-the-cloud’ checking: it performs an instant lookup of a suspicious file in the SophosLabs database. If the file is identified as clean or malicious, the decision is sent back to the computer and the status of the file is automatically updated.

  • Automatically send sample files to Sophos

    If a file is considered suspicious, but cannot be positively identified as malicious based on the file data alone, you can allow Sophos to request a sample of the file. If this option is enabled, and Sophos does not already hold a sample of the file, the file will be submitted automatically. Submitting sample files helps Sophos to continuously enhance detection of malware.

    Note: Consider your individual IT data compliance needs before enabling this option.

How does it work?

LiveProtection will perform a lookup for any file it suspects of being malware; the following events will trigger a lookup:

  • Whenever a file is added to the endpoint’s quarantine manager.
  • Whenever reported internally by the anti-malware engine that a file is deemed suitably suspicious.
  • Whenever reported internally by the anti-malware engine that a file is to be checked against an allow list defined by SophosLabs. (The allow list is maintained by SophosLabs and contains a list of common and system files which the product should cache to improve performance.)

Lookups – further information

LiveProtection performs a lookup to ensure the most up to date protection as new information could have been discovered about the file since the last time it was scanned.

Lookups contain a limited amount of information and are designed to help SophosLabs analysts to package up specific malware related information (such as function bytes or other properties required) to increase accuracy of detections.

Lookups are performed over DNS, and the average endpoint performs a large number of lookups per day depending on its level of activity. During scheduled and on-demand scans the number will increase, because every file on the system is accessed, which triggers far more lookups than normal operation does.
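Because the lookups travel over DNS, a DNS-monitoring team that has not baselined them can mistake the scan-time surge for something suspicious. The following Python script is an added example (not code from the Sophos article) showing how an administrator could count Live Protection lookups per endpoint and hour from resolver query logs and separate the expected scan-driven burst from normal activity. It assumes BIND-style query-log lines and that the lookups appear as queries under a `sophosxl.net` zone; both the log format and the zone name are assumptions of this example (the article only says the lookups go over DNS), and the log lines it analyses are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Zone under which the lookups are sent. Assumption of this example: the
# article only states that lookups go over DNS. Adjust to what your
# resolver logs actually show.
LOOKUP_ZONE = "sophosxl.net"

# BIND-style query log line; the format is assumed for the example.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def is_lookup(qname):
    """True when the query name sits under the lookup zone."""
    return qname == LOOKUP_ZONE or qname.endswith("." + LOOKUP_ZONE)


def hourly_counts(lines):
    """Count lookups per (client, hour); unrelated queries and garbage lines are skipped."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, qname, _qtype = parsed
        if is_lookup(qname):
            counts[(client, ts.replace(minute=0, second=0))] += 1
    return counts


def find_bursts(counts, factor=5, min_count=20):
    """Flag hours in which a client's lookup rate is far above its own median hourly rate.

    A burst that coincides with a scheduled or on-demand scan is expected
    behaviour; one that does not is worth a closer look.
    Returns a list of (client, hour, count, baseline) tuples.
    """
    per_client = defaultdict(dict)
    for (client, hour), n in counts.items():
        per_client[client][hour] = n
    bursts = []
    for client, hours in per_client.items():
        baseline = statistics.median(hours.values())
        for hour, n in sorted(hours.items()):
            if n >= min_count and n > factor * max(baseline, 1):
                bursts.append((client, hour, n, baseline))
    return bursts


def make_sample_log():
    """Constructed sample: one endpoint does a few lookups an hour, then a scan at 03:00 drives a burst."""
    lines = []
    plan = {
        "10.1.2.3": {0: 3, 1: 4, 2: 3, 3: 60, 4: 4},
        "10.1.2.4": {0: 2, 1: 3, 2: 2, 3: 3, 4: 2},
    }
    for client, hours in plan.items():
        for hour, n in hours.items():
            for i in range(n):
                lines.append(
                    f"15-Jan-2018 {hour:02d}:{i % 60:02d}:{i % 60:02d}.000 client {client}#53412: "
                    f"query: {i:04x}.{LOOKUP_ZONE} IN TXT + (10.1.2.1)"
                )
    # Unrelated traffic and a malformed line, both of which must be ignored.
    lines.append("15-Jan-2018 03:10:00.000 client 10.1.2.3#53413: query: www.example.com IN A + (10.1.2.1)")
    lines.append("garbage line that does not parse")
    return lines


def analyse(lines):
    """Run the full pipeline: returns (hourly counts, flagged bursts)."""
    counts = hourly_counts(lines)
    return counts, find_bursts(counts)


if __name__ == "__main__":
    counts, bursts = analyse(make_sample_log())
    for client, hour, n, baseline in bursts:
        print(f"{client} {hour:%Y-%m-%d %H:00}: {n} lookups (median {baseline}/hour)")
```

The per-client median is used as the baseline rather than a fleet-wide threshold because, as the article notes, lookup volume depends on each endpoint's level of activity; a build server and a kiosk will have very different normal rates. Correlating a flagged hour with the endpoint's scan schedule is what turns the number into a decision.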


Central Installs on Server 2008 and Vista failing with Thin Installer

Due to a change made in Central that coincided with the release of the Thin Installer in January 2018, new installs on Windows Server 2008 and Windows Vista clients are failing. In the Central status it may say “Installation Caught Bcrypt Algorithm not available”. This is due to moving to a newer algorithm that is not supported on Server 2008 or Vista. Note: Server 2008 R2 is not impacted by this issue, as it has an updated Bcrypt library.

Applies to the following Sophos product(s) and version(s)

Sophos Central Managed Server 1.5.4

Central Endpoint Advanced 11.5.11

Installation will not proceed on these operating systems (Windows Server 2008 and Windows Vista)

A resolution has been deployed and all new installations will succeed on Server 2008; Windows Vista is still affected.

A policy re-render has also been completed and telemetry shows that Windows Server 2008 updating is now working as expected.

No further action required.

As Required


APC Violation exploits detected – Jan 12th 2018.

[Updated 18th Jan 2018 – 13:01 UTC]

For the majority of endpoints affected by this issue it was automatically resolved on Saturday 13th Jan 2018. If you are still experiencing issues with ‘APC Violation’ detections which may cause computer screens to flash, please contact Sophos Support for assistance.

Please note that while the issue may be resolved and files will no longer be blocked, you may have a backlog of messages (popups) that are still queued to be displayed on the endpoint. These messages can be ignored and will stop when the queue has been processed.

You can manually clear this backlog by deleting all the files in: C:\ProgramData\Sophos\Health\Event Store\Incoming

Then reboot the machine to clear any queued in memory.

Sophos is aware that a small number of customers have reported multiple detections of ‘APC Violation’ exploits in a variety of files, including SophosClean.

Applies to the following Sophos product(s) and version(s)

Sophos Intercept X

Legitimate applications being detected causing some applications to crash.

Sophos has confirmed the detections are incorrect (not malicious). A fix for this has been confirmed and is being rolled out to customers automatically now. Please be aware that it may take a few hours to reach everyone. No action is required for this fix to be applied: provided an affected endpoint is online and connected to the Sophos Central console, it will receive the fix.

The fix for this issue will be applied automatically to any affected endpoints providing they are online and able to connect to the Sophos Central Console.

Customers who wish to speed up the application of the fix can use the following instructions to refresh their policies and disable the APC Violation exploit feature.

  1. Navigate to an Endpoint Threat Protection policy
  2. Under ‘Runtime Protection’ un-check the ‘Protect media applications’ option
  3. Save the policy
  4. Edit the policy again and enable the same ‘Protect media applications’ option
  5. Save the policy
  6. Repeat this process for all Endpoint Threat Protection policies

The rollout has now been completed.


Sophos Anti-Virus for Unix: Workaround for savlog --systemlog on HP-UX

This article describes an issue with HP-UX and savlog.


Applies to the following Sophos products and versions

Sophos Anti-Virus for Unix

When running savlog --systemlog on HP-UX, this fails with an error message.

Please grep your system log for sav to find SAV related log entries.


Advisory: Security update for users of Web Application Firewall (WAF) in Sophos XG Firewall

A cross-site scripting (XSS) vulnerability within the WAF component of the Sophos XG Firewall operating system (SFOS) has been discovered.

An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. The vulnerability could be used for unauthenticated remote code execution. Our investigations have found no evidence of the vulnerability being exploited.


Applies to the following Sophos products and versions

Sophos Firewall

For customers running SFOS version 16 and above that use the default setting of automatic updates, the security update will be automatically installed, and there is no action required.

Customers who have changed their default settings will need to apply the update manually.

Customers who do not have the WAF turned on are not vulnerable but will proactively receive the security update.

Remediation

| SFOS version | Security update distributed |
|---|---|
| Version 16.01 and above; Version 17 (all releases) | December 29, 2017 |
| Version 15 (all releases) | Upgrade to current SFOS version |

  • What products are affected?
    • Firewall and UTM appliances running SFOS (could be running Sophos or Cyberoam hardware)
  • Which product versions are affected?
    • All versions of SFOS
  • Exception
    • Sophos UTM customers who are not running SFOS
    • Cyberoam customers who are not running SFOS


Advisory: SQL injection vulnerability on Cyberoam Firewall devices

A SQL injection vulnerability has been discovered in Cyberoam appliances running the Cyberoam operating system (CROS) that allows for unauthenticated remote code execution.

A small percentage of appliances have been impacted by a cryptominer that consumed CPU cycles, and our investigations have found no evidence that any data has been compromised or exfiltrated from those appliances.

For customers running CROS version 10.6.1 and above that use the default setting of automatic updates, the hotfix was automatically installed, and there is no action required. Customers who have changed their default settings will need to apply the update manually.

| CROS version | Patch distributed |
|---|---|
| Version 10.6.3 and above | December 7, 2017 |
| Version 10.6.1, 10.6.2.x | December 8, 2017 |
| All versions prior to 10.6.1 | Upgrade to current CROS version |

If you have any further questions please contact Sophos Support.


Advisory: Sophos Wireless affected by WPA and WPA2 vulnerabilities with key reinstallation attacks (KRACKs)

A vulnerability in the WPA2 protocol has been discovered that could allow an attacker to read encrypted information. This attack affects all WPA/WPA2-protected Wi-Fi networks, as the vulnerability is in the Wi-Fi WPA/WPA2 standard and not in any individual product or implementation.

The following CVE IDs have been assigned to document these vulnerabilities in the WPA/WPA2 protocol:

Sophos products affected:

  • Sophos UTM Wireless
  • Sophos Firewall Wireless
  • Sophos Central Wireless

All Sophos wireless products are affected: Wireless Protection in XG Firewall, Sophos UTM as well as Sophos Central Managed Wireless. Sophos will release patches as soon as they are made available.

The Wireless team is currently working on the necessary patch and after full implementation and testing on our solutions, we will be able to release a fix. This process can take a number of days.

The list below shows the scheduled patched versions that correct the WPA/WPA2 vulnerability and their expected release dates. All dates and version numbers are subject to change.

  • Sophos UTM:
    • 9.5 SR 2 (9.505) : 2017-10-20
    • 9.4 SR 3 (9.415) : 2017-11-06
  • Sophos Firewall:
    • v16.5 : 2017-10-20 (AP firmware)
    • v17.0: 2017-10-23
  • Cloud Wireless: 2017-10-20
  • Cyberoam UTM: Cyberoam is not affected by this vulnerability
  • Apply patches as soon as they are available. Sophos will update this article whenever a patch is released to fix the vulnerability.
  • Customers can reduce their exposure to the vulnerabilities by disabling the Fast Roaming options and disabling Mesh.
  • Exposure to these vulnerabilities can be reduced by patching the wireless client or the access point. In most cases a patch for the wireless client will greatly reduce the chances of being attacked, even if the AP is still vulnerable. Microsoft and many other vendors have released patches that help block these exploits.


Advisory: SAV for AIX emergency release 9.14.1

SAV update will fail on AIX if an IPv6 address is added to an IPv4 network adapter. This issue has been fixed in 9.14.1 for SAV for AIX.

Applies to the following Sophos products and versions

Sophos Anti-Virus for AIX

This issue has been fixed in 9.14.1 for SAV for AIX.

Follow the steps in SAV for UNIX (AIX) fails to update over UNC after upgrading to 9.14.0 and upgrade to 9.14.1.
