
Safe Browsing detected browser Internet Explorer has been compromised

Reposting here as the previous thread in the Intercept X channel has received no traction at all. Sophos Support has been no help in resolving this. What's the fix?

Here's the old thread:

https://community.sophos.com/products/intercept/f/information/82618/safe-browsing-detected-browser-internet-explorer-has-been-compromised#pi2151=2

Also, I can't multi-select the Alerts in Sophos Central to clear them all. I really have to check every single box all the way down the list to clear each one?



  • Hi,

    I had a quick look through the other thread to find the event log information.  I think this is it:

    https://pastebin.com/ZbDRf5pd

    In which case I see reference to the DLL RapportGH.dll. Do you have Trusteer Rapport on these clients? If so, see this article:

    https://community.sophos.com/kb/en-us/124988#Trusteer

    Trusteer Rapport is incompatible with Sophos Intercept X / Exploit Prevention

    Due to potential conflicts we do not recommend running Intercept X / Exploit Prevention and Trusteer Rapport on the same computer. In situations where you have a requirement to run both products you will need to disable the following Policy setting:

    • Protect critical functions in web browsers (Safe Browsing)

    Would suggest disabling monitoring for this mitigation or I guess removing Rapport. Do you know if these help?

    Regards,

    Jak

  • Well, we need to have both on the workstations. We can't get into online banking without using Trusteer Rapport - it's a requirement from the bank to cut down on fraud, plain and simple, and it works.

    We can't disable the browser based protection that Sophos allows. That will leave the users unprotected from the stuff Intercept X protects us against for the 75% of their day that the users are not using Trusteer for online banking.

    So there's no solution to this. Trusteer Rapport is not going away anytime soon, and is used by a huge amount of business banks:

    www.trusteer.com/.../rapport-installation-links

    This in my opinion is not a Trusteer problem, it's a Sophos Central problem. They have to give us a way to make exceptions for DLLs. Our previous Sophos Endpoint Protection server-based product worked fine with Trusteer Rapport and provided browser based protection as well.

    Now, failing that, this is definitely a Sophos Central problem - why isn't there a "check all" option in that list of alerts? It would be nice to be able to Select All and then acknowledge and clear all those alerts when they pop up.

  • Hi,

    Is the thumbprint in the event log different for each of these detections? Before it was:

    5766f23574c441cd17770a583ce91d97c0c49e7e3b2588eb3d4c57d2b959c6d8

    As for the multi-select, here is a potential client-side hack. Create a new bookmark in the browser (call it 'SelectAll' for example) and set the URL to the following (all one line):

    https://pastebin.com/ecvLFnAG

    Edit: I did try pasting the JavaScript inline here but it changed a number of characters.

    When on the page, if you click that bookmark, that should check all checkboxes.  You might have to toggle one to get the action button to show but does that work? I don't have a number of these alerts to test.

    Regards,

    Jak
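
A sketch of what such a bookmarklet can look like, added here as an example: it is not the pastebin script from the post above, and it assumes the alert list renders standard `<input type="checkbox">` elements. It calls `click()` on each box instead of setting `checked` directly, so the page's own handlers see the change.

```javascript
// Added example, not the script linked in the thread.
// Assumption: the alerts page uses ordinary <input type="checkbox"> elements.
// Plain ES5 on purpose so it also runs in older browsers.
function selectAllCheckboxes(doc) {
  var boxes = doc.querySelectorAll('input[type="checkbox"]');
  var changed = 0;
  for (var i = 0; i < boxes.length; i++) {
    var box = boxes[i];
    // Leave boxes that are already ticked or that the page has disabled.
    if (box.checked || box.disabled) { continue; }
    // click() fires the same events as a manual tick; assigning
    // box.checked = true would change the box silently.
    box.click();
    changed++;
  }
  return changed; // how many boxes were ticked by this call
}

// Build the single-line URL to paste into the bookmark.
// void(...) discards the return value: a javascript: URL that evaluates
// to anything other than undefined replaces the current page with it.
function bookmarkletUrl() {
  var body = 'void((' + selectAllCheckboxes.toString() + ')(document));';
  return 'javascript:' + encodeURIComponent(body);
}

// In Node, print the URL so it can be copied into a bookmark.
if (typeof document === 'undefined' && typeof console !== 'undefined') {
  console.log(bookmarkletUrl());
}
```

Only checkboxes currently present in the page are ticked, so a paginated or lazily loaded list needs one click per page, and the ticked alerts should be reviewed before acknowledging them in bulk.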

  • jak what did you guys end up doing? seeing this now with win10 and ie11

  • Hi dan@,

    Unfortunately, as listed in this article, Trusteer Rapport is incompatible with Sophos Intercept X / Exploit Prevention.

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support

  • Hi Barb, we're seeing this behavior on lots of our workstations. One *had* Trusteer for bank access but it's since been removed and we're still getting the errors.

    Thanks,

    Dan