How to allow use of SetWindowsHookEx() and WriteProcessMemory() to inject DLLs into an application ?

Do you know what mitigation this is alerted as? LoadLibrary? Have you confirmed there is a "detection" for this?  If you create a trial of Sophos Central, install to a computer, run your app, if you get a detection, the details will be in the application event log (eventid 911) and the same details will be shown in Central in the details view.  From there you can authorize it in various ways.

Do you know what mitigation this is alerted as? LoadLibrary? Have you confirmed there is a "detection" for this?  If you create a trial of Sophos Central, install to a computer, run your app, if you get a detection, the details will be in the application event log (eventid 911) and the same details will be shown in Central in the details view.  From there you can authorize it in various ways.

Thanks for your input.

I assume that Sophos is blocking the injection of DLLs, attempted by any of the three common Windows methods.

Please describe the method(s) of authorization, so that I can pass instructions to the tech staff at the cloud vendor.

You're probably better of testing this yourself end to end to see the workflows as it really depends on if and how the application is detected.  There is a chance the different load module mitigations may fire differently if it's loadlibrary calls, reflective dll injection, etc.

It only takes a minute to create a Central account which is fully featured for 30 days at central.sophos.com.  To protect a computer takes about 10 minutes.  So in 15 mins you should be able to run your application and see what is detected and how you may want to document how your customer should exclude it.

For example,  you can create a global exclusion:
https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/tasks/ScanningExclusions.html

• Detected Exploits (Windows and Mac)

This method sends down a thumbprint to the endpoint to whitelist the detection based on the client making the detection.

There is also file path as per:
https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/tasks/ExploitExclusions.html

for more pro-active exclusions but then this excludes the process from all mitigations which maybe more than you would want to recommend as the thumbprint is more specific.

It's a little more involved than say typical process/file exclusions for on-access/demand AV scanning where an exclusion is more generic.

I think it's worth seeing how your application behaves when exploit mitigation is running as different types of applications have different mitigations applied to them. So depending on the process being injected into you might get different mitigation alerts.

Hope it helps.

Regards,
Jak

Thanks for your input.  The customer informed me that they are not using Sophos, after all.

Here are the links I found, in case someone has the same problem.

https://www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/Server-Application-Whitelisting-wpna.pdf

https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/tasks/ExploitExclusions.html

https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/tasks/ScanningExclusions.html

https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/references/ExclusionVariablesWindows.html

https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/tasks/ExploitExclusions.html

Pete