Lockdown preventing valid application from running

I have an application that was updated and now Sophos is blocking it from running. In the Win10 Event Viewer, HitmanPro.Alert Events, I see Mitigation: Lockdown on application javaw.exe. The actual application is a java app that is called from a web browser. If I remove Sophos from the PC, it works perfectly. I have tried a mix of global exclusions and local policy exclusions and nothing appears to have any effect on the computer.

If I look in the Threat Analysis Center, the processes listed are chrome.exe, zcchelper.exe, and javaw.exe.  But file exceptions for zcchelper.exe and javaw.exe don't help.

Any suggestions for fixing this?  At this point, I am planning to remove Sophos from my Management PC so I can do my job.  I've been running Sophos AV for ages and this is the first time I have ever had it prevent me from actually doing legitimate work.  It is a bit frustrating.

Thanks in advance for any help.
Ken



This thread was automatically locked due to age.
  • Hi Ken,

    If a Java app is being called from a web browser I suspect the feature may be working as expected.

    In terms of creating an exclusion, a file/folder exclusion will not work as this type of exclusion is for Anti-virus while Intercept X is causing the block.

    If you check Event Viewer again and review these Event ID 911s, are the thumbprints at the bottom changing? If not, a simple exclusion from the endpoint's events in Sophos Central should do the trick (Detected Exploits exclusion).

    If the thumbprint is constantly changing, we would have to create a more general exclusion. Clone your Threat Protection policy and apply it only to you, then either disable "Protect Java applications" under "Mitigate exploits in vulnerable applications". The other option is to create a global Exploit Mitigation exclusion for Java, but this would be for your entire company.
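
The thumbprint check suggested in the reply above, as an added PowerShell example that is not part of the original thread and not Sophos tooling: it counts how often each thumbprint appears across Event ID 911 messages, so one repeated value points to the specific exclusion and many distinct values point to the general one. The function name, the log and provider names in the commented live query, and the message layout (a "Thumbprint" label followed by a hex string) are assumptions; the sample messages are constructed.

```powershell
# Added example. Assumption: each Event ID 911 message ends with a
# "Thumbprint" label followed by a hex string (32 or more hex digits).
function Get-ThumbprintSummary {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$Message
    )
    $pattern = 'Thumbprint\W+([0-9A-Fa-f]{32,})'
    $Message |
        ForEach-Object {
            # Normalise case so the same thumbprint always groups together.
            if ($_ -match $pattern) { $Matches[1].ToLower() }
            else { '(no thumbprint found)' }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'Thumbprint'; Expression = { $_.Name } }
}

# Constructed sample messages (not real event data): two events share a
# thumbprint, a third carries a different one.
$tpA = 'a1' * 32
$tpB = 'b2' * 32
$sample = @(
    "Mitigation   Lockdown`nApplication  C:\constructed\javaw.exe`nThumbprint`n$tpA"
    "Mitigation   Lockdown`nApplication  C:\constructed\javaw.exe`nThumbprint`n$tpA"
    "Mitigation   Lockdown`nApplication  C:\constructed\javaw.exe`nThumbprint`n$tpB"
)
Get-ThumbprintSummary -Message $sample | Format-Table -AutoSize

# Live use on the endpoint. Assumed names: Application log, provider
# "HitmanPro.Alert"; adjust to where Event Viewer shows the events.
# $events = Get-WinEvent -FilterHashtable @{
#     LogName = 'Application'; ProviderName = 'HitmanPro.Alert'; Id = 911 }
# Get-ThumbprintSummary -Message $events.Message | Format-Table -AutoSize
```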

  • The event only gets listed in Sophos Central as "Nothing found to clean up".  And it does not provide a link or method to make an exclusion for this event.

    I was able to do your second option and disable "Protect Java applications".  That appears to be working although I would have preferred the first option.

    I'll do some more digging tomorrow and see if I can find a way to go with the more specific exclusion.

    Thanks!
