Advisory: Following the release of Central Intercept X 2.0.5 (HitmanPro.Alert version .745) customers may encounter an Intruder or SafeBrowsing alert on Internet Explorer or Chrome

An issue has been identified in Central Intercept X 2.0.5 (HitmanPro.Alert version .745) where a false positive 'Intruder' or 'SafeBrowsing' alert on Internet Explorer or Chrome can occur if the customer is also running LANDesk software. The event log entries below show why: the LANDesk client component SoftMon.exe injects code into the browser process and detours the send and WSASend functions in WS2_32.dll into unbacked (anonymous) memory, which the Safe Browsing protection treats as an intruder hooking the browser's network functions.

To confirm that you are seeing this specific issue, and not a genuine detection, check the Windows Application Event Log for entries like the following (Source HitmanPro.Alert, Event ID 911). The key indicators are the hooked WS2_32.dll functions in the Detour Report and, in the Code Injection section, a LANDesk binary (SoftMon.exe under the LDClient folder) or an anonymous ('n/a') region written by another process:

Internet Explorer

Log Name:   Application
Source:     HitmanPro.Alert
Date:       xxxxxx
Event ID:   911
Task:       Intruder
Level:      Error
Opcode:     Info
Keyword:    Classic
User:       N/A
User Name:  N/A
Computer:   xxxxxxx
Description:
Intruder

PID          28164
Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
Description  Internet Explorer 11

Detour Report
 #   Address     Owner        Disassembly
 --  ----------  -----------  ------------------------
 WSASend *
 1   0x7487FD30  WS2_32.dll   JMP DWORD [0x7194001e]
 2   0x7195000A  (anonymous)
 send *
 1   0x74885FF0  WS2_32.dll   JMP DWORD [0x719a001e]
 2   0x719B000A  (anonymous)

Backwards compatible thumbprint:
a5f9ab19d47fe7a1c2c93bc08965085ab3052d8a17b031fe1880ca8f738588bf

Code Injection
71A60000-71A61000  4KB  C:\Program Files (x86)\LANDesk\LDClient\SoftMon.exe [4444]

Thumbprint
0e2377869e2effd83e4fa51a313db22a650a838d2e29de13425b4f47386470be

Google Chrome

Log Name:   Application
Source:     HitmanPro.Alert
Date:       xxxxxxx
Event ID:   911
Task:       Intruder
Level:      Error
Opcode:     Info
Keyword:    Classic
User:       N/A
User Name:  N/A
Computer:   xxxxxxx
Description:
Intruder

PID          25488
Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Description  Google Chrome 67

Detour Report
 #   Address             Owner        Disassembly
 --  ------------------  -----------  ------------------------
 WSASend *
 1   0x00007FFA7D8F9F40  WS2_32.dll   JMP QWORD [RIP+0x19260f0]
 2   0x00007FFA7EE3000E  (anonymous)
 send *
 1   0x00007FFA7D8FB0C0  WS2_32.dll   JMP QWORD [RIP+0x1504f70]
 2   0x00007FFA7EDF000E  (anonymous)

Backwards compatible thumbprint:
f847b753c9b1697074ea821a3b3d701a6e4f5113ca3abbedf952818d3ced4c10

Code Injection
000007FEFFFF0000-000007FEFFFF1000  4KB  n/a [13428]

Thumbprint
b3de04c1095b18b8280a3580b7b9423cc04611b5a15d3af79da6a53a664a1189
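The following PowerShell script is an added example for triaging these alerts at scale; it is not a Sophos tool and is not part of the original article. It queries the Application log for HitmanPro.Alert Event ID 911 entries, extracts the browser process and the Code Injection owner from each message, and reports whether the injector is a LANDesk binary. Two things are assumptions, not facts stated in the advisory: that the bracketed number after the Code Injection owner (for example "[4444]" or "[13428]") is the PID of the injecting process, so an 'n/a' owner can be resolved with Get-Process if that process is still running; and that the LANDesk client is installed under its default path C:\Program Files (x86)\LANDesk\LDClient.

```powershell
# Added example, not Sophos' own tooling: triage HitmanPro.Alert Event ID 911
# ('Intruder') alerts and flag those that match the LANDesk false-positive pattern.
#
# Assumptions (not stated in the advisory):
#   - the "[nnnn]" after the Code Injection owner is the injecting process's PID
#   - LANDesk's client lives under the default path below

$LanDeskClientDir = 'C:\Program Files (x86)\LANDesk\LDClient'   # assumed default install path
$Browsers         = @('iexplore.exe', 'chrome.exe')              # browsers named in the advisory

function Get-HmpaBrowserIntruderAlert {
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'HitmanPro.Alert'
        Id           = 911
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Host 'No HitmanPro.Alert Event ID 911 entries found in the Application log.'
        return
    }

    foreach ($ev in $events) {
        $msg = $ev.Message

        # Fields the advisory tells us to look at.
        $app        = [regex]::Match($msg, '(?m)^Application\s+(.+)$').Groups[1].Value.Trim()
        $browserPid = [regex]::Match($msg, '(?m)^PID\s+(\d+)').Groups[1].Value
        if (-not $app) { continue }

        $exe = (Split-Path -Leaf $app).ToLower()
        if ($Browsers -notcontains $exe) { continue }    # only browser alerts are in scope

        # Line under "Code Injection": <range> <size> <owner path | n/a> [<pid>]
        $inj    = [regex]::Match($msg, '(?ms)^Code Injection\s*\r?\n\s*(\S+)\s+(\S+)\s+(.+?)\s+\[(\d+)\]')
        $owner  = $inj.Groups[3].Value.Trim()
        $injPid = $inj.Groups[4].Value

        # Resolve an anonymous ('n/a') injector through its PID, if it is still running
        # (assumption: the bracketed number is the injector's PID).
        $injector = $owner
        if ($owner -eq 'n/a' -and $injPid) {
            $proc = Get-Process -Id ([int]$injPid) -ErrorAction SilentlyContinue
            if ($proc -and $proc.Path) { $injector = $proc.Path }
        }

        [pscustomobject]@{
            Time              = $ev.TimeCreated
            Browser           = $exe
            BrowserPid        = $browserPid
            Injector          = $injector
            InjectorPid       = $injPid
            InjectorIsLanDesk = ($injector -like '*\LANDesk\*')
            LanDeskInstalled  = (Test-Path $LanDeskClientDir)
        }
    }
}

Get-HmpaBrowserIntruderAlert | Format-Table -AutoSize
```

An alert whose injector resolves to a LANDesk path on a host where LANDesk is installed matches this advisory; an alert with a non-LANDesk injector, or on a host without LANDesk, should be treated as a real detection and investigated rather than suppressed.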

This issue will only affect Sophos customers running LANDesk software.

Applies to the following Sophos product(s) and version(s)

Sophos Central Intercept X 2.0.5

Customers' browser sessions may be interrupted by the alert being triggered.

Sophos Developers are currently investigating this issue as a false positive detection.

If you encounter this issue please raise a case with Sophos Support.

The current workaround is for Sophos customers to disable 'Protect critical functions in web browsers (Safe Browsing)' in their Threat Protection policy. This will stop the false positive detection from occurring. Note that this removes the Safe Browsing protection for every device the policy applies to, so scope the change to a policy that covers only the affected LANDesk devices and re-enable the setting once a fix is released.

This article will be updated when further information is available.
