
'Lockdown' exploit prevented in Windows Command Processor

Good Morning,

On certain machines we have been getting this error: "'Lockdown' exploit prevented in Windows Command Processor"

In the event logs it says:

    Jul 31, 2018 11:22 AM Nothing found to clean up: 'Windows Command Processor' at 'C:\Windows\SysWOW64\cmd.exe' CHSEWKS08
    Jul 31, 2018 11:22 AM Nothing found to clean up: 'Windows Command Processor' at 'C:\Windows\SysWOW64\cmd.exe' CHSEWKS08
    Jul 31, 2018 11:22 AM Nothing found to clean up: 'Windows Command Processor' at 'C:\Windows\SysWOW64\cmd.exe' CHSEWKS08
    Jul 31, 2018 11:22 AM Nothing found to clean up: 'Windows Command Processor' at 'C:\Windows\SysWOW64\cmd.exe' CHSEWKS08
    Jul 31, 2018 11:22 AM Nothing found to clean up: 'Windows Command Processor' at 'C:\Windows\SysWOW64\cmd.exe' CHSEWKS08
    Jul 31, 2018 11:22 AM Nothing found to clean up: 'Windows Command Processor' at 'C:\Windows\SysWOW64\cmd.exe' CHSEWKS08
    Jul 31, 2018 11:22 AM 'Lockdown' exploit prevented in Windows Command Processor CHSEWKS08
    Jul 31, 2018 11:21 AM 'Lockdown' exploit prevented in Windows Command Processor CHSEWKS08
    Jul 31, 2018 11:15 AM 'Lockdown' exploit prevented in Windows Command Processor CHSEWKS08
    Jul 31, 2018 11:14 AM 'Lockdown' exploit prevented in Windows Command Processor CHSEWKS08
    Jul 31, 2018 11:04 AM 'Lockdown' exploit prevented in Windows Command Processor CHSEWKS08
    Jul 31, 2018 11:04 AM 'Lockdown' exploit prevented in Windows Command Processor CHSEWKS08
    Jul 31, 2018 11:02 AM Nothing found to clean up: 'Windows Command Processor' at 'C:\Windows\SysWOW64\cmd.exe' CHSEWKS08
    Jul 31, 2018 10:50 AM 'Lockdown' exploit prevented in Windows Command Processor CHSEWKS08
    Jul 31, 2018 10:50 AM 'Lockdown' exploit prevented in Windows Command Processor CHSEWKS08
    Jul 31, 2018 10:47 AM 'Lockdown' exploit prevented in Windows Command Processor CHSEWKS08
    Jul 31, 2018 10:46 AM 'Lockdown' exploit prevented in Windows Command Processor CHSEWKS08
    Jul 31, 2018 10:46 AM 'Lockdown' exploit prevented in Windows Command Processor CHSEWKS08
    Jul 31, 2018 10:36 AM 'Lockdown' exploit prevented in Windows Command Processor CHSEWKS08
    Jul 31, 2018 10:36 AM 'Lockdown' exploit prevented in Windows Command Processor

 

We are trying to install a new update for a program; this program updates through Java, but we added the file path to the global scanning list and still no luck.

But looking at the Root Cause Analysis, it shows:

 

Detection name: Lockdown
Root Cause: iexplore.exe
Possible data involved: no business files

 

So the root cause is saying something totally different than what the actual event log is showing.

I have been reading the forums for 2 days now trying to figure this out and have not found any solution, so I am hoping someone could point me in the right direction toward solving this issue.

Thank you.



  • Hello KMurvay,

    Here's an entry for Root Cause Analysis for exploits that could help. You should also be able to find a 911 event in the Windows Event Viewer, providing more details.
    If you are sure that this is a False positive, you can then create an exclusion for it. 

    To report a FP for analysis:
    Intercept X: How to report false positives

    To add exclusions for false positives:

    Log in to Sophos Central and go to:

    Global Settings / Global Scanning Exclusions
    Click Add Exclusion
    Set Exclusion type to Detected Exploits
    See if you can find it listed there.

    Additionally, you can add an application to your exclusions as needed (again, only follow these if you are sure you are dealing with a false positive).
    Global Settings / Exploit Mitigation Exclusions
    Click Add Exclusion

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
