This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

'Lockdown' exploit not listed in Add exclusion

We had some lockdown come through listed in the threat analysis center but when I search to exclude it in the global exclusion I can't find the exploit, looking at events for the device it only says 'Nothing found to clean up' with no details

Could anybody explain why I can't seem to exclude the below exploit

This was shown on the event viewer from the device

Mitigation Lockdown
Timestamp 2020-08-05T13:56:33

Platform 10.0.18363/x64 v321 06_9e-
PID 9384
Application C:\Program Files (x86)\Java\jre1.8.0_231\bin\javaw.exe
Created 2020-04-15T15:22:50
Modified 2020-04-15T15:22:50
Description Java(TM) Platform SE binary 8

Filename C:\Users\****\Documentum\ucf\WKS-010630\shared\bin\7.2.0000.0035a\jacob.jar;C:\Users\****\Documentum\ucf\WKS-010630\shared\bin\7.2.0000.0035a\ucf-ca-office-auto.jar;C:\Users\****\Documentum\ucf\WKS-010630\shared\bin\7.2.0000.0035a\ucf-client-api.jar;C:\Users\****\Documentum\ucf\WKS-010630\shared\bin\7.2.0000.0035a\ucf-client-impl.jar

Process Trace
1 C:\Program Files (x86)\Java\jre1.8.0_231\bin\javaw.exe [9384]
"C:\Program Files (x86)\Java\jre1.8.0_231\bin\javaw.exe" -classpath C:\Users\****\Documentum\ucf\WKS-010630\shared\bin\7.2.0000.0035a\jacob.jar;C:\Users\****\Documentum\ucf\WKS-010630\shared\bin\7.2.0000.0035a\ucf-ca-office-auto.jar;C:\Users\****\Doc
2 C:\Program Files (x86)\Java\jre1.8.0_231\bin\jp2launcher.exe [16084]
"C:\Program Files (x86)\Java\jre1.8.0_231\bin\jp2launcher.exe" -secure -plugin -jre "C:\Program Files (x86)\Java\jre1.8.0_231" -vma LURfX2p2bV9sYXVuY2hlZD0yNTAxMzY0NTQyOAAtRF9fYXBwbGV0X2xhdW5jaGVkPTI1MDEzNjMyMjE5AC1Ec3VuLmF3dC53YXJtdXA9dHJ1ZQAtRGphdmEuc2Vj
3 C:\Program Files (x86)\Internet Explorer\iexplore.exe [8592]
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6912 CREDAT:82946 /prefetch:2
4 C:\Program Files\Internet Explorer\iexplore.exe [6912]
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
5 C:\Windows\System32\svchost.exe [656]
C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
6 C:\Windows\System32\services.exe [916]
7 C:\Windows\System32\wininit.exe [844]
wininit.exe
8 C:\Windows\System32\smss.exe [732]
\SystemRoot\System32\smss.exe 000000a8 00000084

Thumbprint
873c7e5c6239cc2ff43f168f4d8810fac590ee86a893432c7dbfc21ab6dc91dd

This thread was automatically locked due to age.

0 Shweta over 4 years ago

Hi Darren Tse

Is the thumbprint value same in the detection occurred or it is constantly changing? Please check this article for more details about the lockdown detection you are seeing.

Shweta

Community Support Engineer | Sophos Technical Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Darren Tse over 4 years ago in reply to Shweta

Hi

The thumbprint does stay the same but i can't seem to exclude it, it doesn't list it under 'Detected Exploits (Windows/Mac)' list, and when i click on the event for the devices which the lockdown is coming from, there is no 'details' about the lockdown.

Is there a way to manually exclude the thumpbrint by entering it instead of selecting it from a list.

Darren
Cancel
Vote Up 0 Vote Down

Cancel
0 Shweta over 4 years ago in reply to Darren Tse

Hi Darren Tse

We do not recommend to create exclusion without the detection listed under exploits. Could you please try the hotfix mentioned in this article and check if you are still seeing the issue?

Shweta

Community Support Engineer | Sophos Technical Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel