
HIPS killing process of executable

Hello,

Please forgive my ignorance in advance. I'm the backup to the backup to the backup of our org's Sophos Admin. We are using ECM 4.0 and Endpoint Security and Control v9.0. Sophos isn't allowing our clients to install a database program. Below is the error -


20100802 180438    Process "c:\Users\Scott.Bentley\AppData\Local\Temp\mia9774.tmp\setuptntmpd.exe" exhibiting suspicious behavior pattern 'HIPS/ProcInj-001'.
        Process killed.

On my client, I changed my HIPS runtime behaviour analysis to "alert only".  I didn't get an alert, but it did end up installing the software this time.  We've added this .exe to the ECM's multiple exclusion lists.  It continues to kill the installation each time it's a fresh install or the program attempts to update to a new version.  The updates aren't mandatory, scheduled or pushed, or else we would disable HIPS temporarily from the server, then enable it after it's done.  Suggestions or what further info is needed?  Thanks.



  • Hello backup squared :smileywink:,

    of course an authorized program (as opposed to a scanning exclusion) is not only identified by name. Both the alert in SEC and the executable's tooltip in the Authorization ... window contain version and checksum information. Guess you see more than one instance of setuptntmpd.exe. Let's say that it's sub-optimal installation technique.

    I hope you do know when the installer changes (although I'm aware there are still products which do it "their smart way" and expect that everything else submits to their behaviour). If so then just run the installer on a test computer and authorize the current version using SEC. And - AFAIK it makes a difference whether an executable is signed or not.

    HTH

    Christian

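A check for the test computer Christian mentions, added here as an example (it is not from the thread and not Sophos tooling): it lists every copy of setuptntmpd.exe under the local temp directory with its file version, SHA-256 checksum and Authenticode status, so you can see how many distinct instances SEC would treat as separate programs. The temp path and file name come from the alert in the question; the function name and the choice of SHA-256 as the checksum are assumptions.

```powershell
# Added example, not from the thread or from Sophos. Inventories every copy of
# the installer stub named in the HIPS alert so that the distinct
# version/checksum combinations (each a separate authorization in SEC) are
# visible. Path pattern and file name come from the alert; the rest is assumed.

function Get-InstallerIdentity {
    param(
        [Parameter(Mandatory)] [string] $Root,      # e.g. $env:LOCALAPPDATA\Temp
        [string] $Name = 'setuptntmpd.exe'          # file name from the HIPS alert
    )
    # The alert showed the stub under a per-run subfolder (mia9774.tmp), so recurse.
    Get-ChildItem -Path $Root -Filter $Name -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $_.VersionInfo.FileVersion
                # SHA-256 is an assumption; SEC's own checksum algorithm is not stated in the thread.
                Sha256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signed      = $sig.Status               # Valid, NotSigned, HashMismatch, ...
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

# Run after a fresh install attempt on the test computer. Each row of the
# grouped output is one distinct checksum, i.e. one program SEC would need to
# authorize; if a new hash appears on every run, exclusions by name alone can
# never match, and the signing status is worth recording because the reply
# above notes that signed and unsigned executables are treated differently.
$copies = Get-InstallerIdentity -Root (Join-Path $env:LOCALAPPDATA 'Temp')
$copies | Group-Object Sha256 | ForEach-Object {
    $first = $_.Group | Select-Object -First 1
    [pscustomobject]@{
        Sha256      = $_.Name
        FileVersion = $first.FileVersion
        Signed      = $first.Signed
        Signer      = $first.Signer
        Copies      = $_.Count
    }
} | Format-Table -AutoSize
```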