This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Safe Browsing detected browser Internet Explorer has been compromised

Reposting here as the previous thread in the Intercept X channel has received no traction at all. Sophos Support has been no help in resolving this. What's the fix?

Here's the old thread:

https://community.sophos.com/products/intercept/f/information/82618/safe-browsing-detected-browser-internet-explorer-has-been-compromised#pi2151=2

Also, I can't multi-select the Alerts in Sophos Central to clear them all. I really have to check every single box all the way down the list to clear each one?

This thread was automatically locked due to age.

Parents

0 jak over 7 years ago
Hi,

I had a quick look through the other thread to find the event log information. I think this is it:

https://pastebin.com/ZbDRf5pd

In which case I see reference to the DLL RapportGH.dll. Do you have Trusteer Raport on these clients? If so this article:

https://community.sophos.com/kb/en-us/124988#Trusteer

Trusteer Rapport is incompatible with Sophos Intercept X / Exploit Prevention

Due to potential conflicts we do not recommend running Intercept X / Exploit Prevention and Trusteer Rapport on the same computer. In situations where you have a requirement to run both products you will need to disable the following Policy setting:

Protect critical functions in web browsers (Safe Browsing)

Would suggest disabling monitoring for this mitigation or I guess removing Raport. Do you know these to help?

Regards,

Jak
Cancel
Vote Up 0 Vote Down

Cancel
0 plochner over 7 years ago in reply to jak

Well, we need to have both on the workstations. We can't get into online banking without using Trusteer Rapport - it's a requirement from the bank to cut down on fraud, plain and simple, and it works.

We can't disable the browser based protection that Sophos allows. That will leave the users unprotected from the stuff Intercept X protects us against for the 75% of their day that the users are not using Trusteer for online banking.

So there's no solution to this. Trusteer Rapport is not going away anytime soon, and is used by a huge amount of business banks:

www.trusteer.com/.../rapport-installation-links

This in my opinion is not a Trusteer problem, it's a Sophos Central problem. They have to give us a way to make exceptions for DLLs. Our previous Sophos Endpoint Protection server-based product worked fine with Trusteer Rapport and provided browser based protection as well.

Now, failing that, this is definitely a Sophos Central problem - why isn't there a "check all" option in that list of alerts? It would be nice to be able to Select All and then acknowledge and clear all those alerts when they pop up.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 plochner over 7 years ago in reply to jak

Well, we need to have both on the workstations. We can't get into online banking without using Trusteer Rapport - it's a requirement from the bank to cut down on fraud, plain and simple, and it works.

We can't disable the browser based protection that Sophos allows. That will leave the users unprotected from the stuff Intercept X protects us against for the 75% of their day that the users are not using Trusteer for online banking.

So there's no solution to this. Trusteer Rapport is not going away anytime soon, and is used by a huge amount of business banks:

www.trusteer.com/.../rapport-installation-links

This in my opinion is not a Trusteer problem, it's a Sophos Central problem. They have to give us a way to make exceptions for DLLs. Our previous Sophos Endpoint Protection server-based product worked fine with Trusteer Rapport and provided browser based protection as well.

Now, failing that, this is definitely a Sophos Central problem - why isn't there a "check all" option in that list of alerts? It would be nice to be able to Select All and then acknowledge and clear all those alerts when they pop up.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 jak over 7 years ago in reply to plochner

Hi,

Is the thumbprint in the event log different for each of these detection? Before it was:

5766f23574c441cd17770a583ce91d97c0c49e7e3b2588eb3d4c57d2b959c6d8

As for the multi-select, as a potential client side hack. If you create a new bookmark in the browser (call it 'SelectAll' for example) and set the URL to the following (all one line):

https://pastebin.com/ecvLFnAG

Edit: I did try pasting the Javascript inline here but it changed a number of characters.

When on the page, if you click that bookmark, that should check all checkboxes. You might have to toggle one to get the action button to show but does that work? I don't have a number of these alerts to test.

Regards,

Jak
Cancel
Vote Up 0 Vote Down

Cancel
0 dan@ over 6 years ago in reply to plochner

jak what did you guys end up doing? seeing this now with win10 and ie11
Cancel
Vote Up 0 Vote Down

Cancel
0 Barb@Sophos over 6 years ago in reply to dan@

Hi dan@,

Unfortunately, as listed in this article, Trusteer Rapport is incompatible with Sophos Intercept X / Exploit Prevention

Barb@Sophos
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 dan@ over 6 years ago in reply to Barb@Sophos

Hi Barb, we're seeing this behavior on lots of our workstations. One *had* trusteer for bank access but it's since been removed and we're still getting the errors.

Thanks,

Dan
Cancel
Vote Up 0 Vote Down

Cancel

Safe Browsing detected browser Internet Explorer has been compromised

Trusteer Rapport is incompatible with Sophos Intercept X / Exploit Prevention