HitmanPro.Alert 3.6.9 Causes Exploit Detection Non Compliance

After Sophos updated the version of HitmanPro.Alert to version 3.6.9, all of my PCs are getting Exploit Detection Non Compliant alerts. After exactly two hours in this state they then go into compliance for 30 minutes and then repeat this process. Sophos Support says it's an issue where the HitmanPro service is shutting down before the Management Communication System Service, which is causing the trigger. They have yet to figure out how to fix this issue. Is anyone else seeing this issue? Does anyone have any suggestions of how to fix it?



  • Have any of you seen a spike in Policy Violations from the computers that have the Non Compliance alerts?

    We are up to 15,000 violations. Sophos tech support said there's no correlation between the Non Compliance alerts and the spike in Policy violations. None of the end-users are reporting any notifications about sites being blocked; it all seems to be happening in the background. They told me I shouldn't worry and that the end users are "probably" visiting the blocked sites. I told them that they are not. It seems to me that Sophos doesn't really know what's going on. I worry that we might have an infection spreading, even though they said not to worry. I hope it's a false positive.

  • I have a Case open about this right now and today they sent me a KB about it:

    https://community.sophos.com/kb/en-us/127733

  • They updated the KB with an estimated fix date of 11/17

  • Thanks, Dustin Garden, for the update!

    On Wednesday I noticed that an update came through, updating the version of the Core agent/Endpoint Advanced from 11.5.6 to 11.5.9 around 12:00 PM. We are still getting the error in the event logs of all our systems, but at least alerts are not regenerating, creating 100s and 100s of alerts in the console over and over for the same systems.

    -Graham

  • From the KB:

    "We are aware of the disruption this can cause for customers who have affected endpoints, we have now identified the cause of the issue for Central Customers and are testing the fix in our own environment before release. Sophos expects all Central customers to have the update by the 17th November 2017"

    So you at least have an ETA on the fix. Now I'm wondering what to tell my SEC customers:

    "The same issue exists for SEC managed endpoints but addressing that issue is more complicated. We are targeting a release to SEC managed endpoints in Q1 2018."

    I'm really not a happy camper right now. Sophos QA is leaving much to be desired lately...

    Regards,

    Giovani

  • Also note that this update now reports not just non-compliance; it also tags some applications as an exploit (MS Power Query Excel Add-in) and then crashes Excel. Sophos's answer to that so far is to join the Early Access Program, add computers to that, and see if the problem goes away.

  • That worked when we tried it, but the EAP has issues with Office 2016 and Office 365, which killed our production. Originally we had 25-30 computers in EAP, but it caused far, far more issues than it solved. Be forewarned.

  • Jon,

    Can you provide more detail on the issues you saw with Office 2016 and Office 365 so we can be on the lookout when the next update comes out?

    Thanks

  • Sophos said they were known issues.

    Office 2016 -- all of a sudden no Office programs would open and it would tell you to repair Office. Neither repair option (quick and online, I think?) would succeed either. I removed everything from MSConfig, rebooted, and then Office would load. I added MSConfig options back bit by bit (rebooting in between), but once Sophos was added back, Office would no longer work. This happened on multiple boxes. Taking the boxes out of EAP, uninstalling Sophos, and reinstalling Sophos (non EAP) fixed the issue permanently.

    Office 365 -- random Office programs would stop working with error "The operating system is not presently configured to run this application" (our support staff saw this issue multiple times). Remove from EAP, uninstall Sophos, reinstall Sophos and they're fixed.

    After these issues, we got the hell out of EAP.