PCE Client software triggers an alert on computers with Sophos Anti-Virus HIPS

Article Details
URL: http://support.forensicsoftware.co.uk/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=79
Article ID: 79
Created On: 4 Mar 2010 2:25 PM

Answer: PCE Client software triggers an alert on computers with Sophos Anti-Virus HIPS (Host Intrusion Prevention System) active.

Problem - On a computer where Sophos Anti-Virus is installed, the HIPS feature of Sophos raises an alert on the PCE client software and denies the PCE client executables the ability to start.

A window similar to that shown below will be displayed at the client.

Solution

HIPS (Host Intrusion Prevention System) is specifically designed to examine the behaviour of files and processes running on the computer in order to identify potential threats from malware or similar types of program. The behaviour of the PCE client software is such that HIPS often identifies it as this form of software, and so it is summarily blocked from running.

More details on the HIPS feature of Sophos are available from this link.

The solution to this problem is to configure Sophos HIPS to allow the executables that relate to PCE client software to run. Sophos will then ignore these files if they are detected and the PCE client can function normally. Note that an authorised entry is matched by file name, so before adding one confirm that the file Sophos reported is the genuine PCE executable (check its installed path and, where available, its publisher signature) rather than an unrelated program that happens to share the name; authorise only the PCE files, not the whole folder or every file that triggers an alert.

Using Authorization Manager

In an unmanaged Sophos environment, this is performed from the 'Authorization Manager' dialog accessed from within the local Sophos Anti-Virus console. An example of this is shown below.

Add the following programs to the list of authorised applications.

Pcclient.exe
Extract.exe or Extrac32.exe or Extrac.exe
SysServer.exe
SysMonP32.exe
PKunzip.exe

Use the 'Add' button to add detected files or the 'New Entry' button at the bottom of the screen (not shown) to enter file names via the keyboard.

Using Enterprise Console

In a managed Sophos environment, these settings can be deployed to all Sophos clients using the 'Enterprise Console' or 'NAC Manager' programs that were used to initially configure and manage the Sophos clients. An example of using the Enterprise Console is shown below.

Sophos client settings are set within profiles that are in turn applied to groups of client computers.

Right-click the applicable Anti-Virus and HIPS policy and choose 'view/edit policy' from the menu.

Select the 'Authorization' button to display the dialog below.

Select the 'Suspicious Behaviour' tab and scroll through the list of known applications. The PCE file that generated the alert will be listed (usually PCCLIENT.EXE). Use the 'Add' button to add it to the list.

You can also use the 'New Entry' button to add PCE client filenames which may cause a similar alert in the future:

Pcclient.exe
Extract.exe or Extrac32.exe or Extrac.exe
SysServer.exe
SysMonP32.exe
FSLTool.exe
PKunzip.exe

Select 'OK' to confirm these additions. Select 'OK' to return to the main screen.

Right-click on groups of computers to refresh their settings based on this policy. More details on usage are available from your Sophos documentation or the Sophos website.
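Whichever of the two procedures above is used, the entries are matched by file name, so it is worth confirming on a client that the files about to be authorised are the genuine PCE executables. The following PowerShell script is an added example (not part of this article, nor supplied by PCE or Sophos): it searches for each file name listed in this article, and reports the path, SHA-256 hash and Authenticode signature status of every copy it finds, warning where a name occurs in more than one place or where a file is unsigned or its signature is broken. It assumes PCE is installed under one of the Program Files folders or a PCE folder on the system drive (add the real install folder if it lives elsewhere), and Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example (not from the article, PCE or Sophos): inventory the PCE client
# executables named in the article before authorising them in Sophos HIPS.
# Assumptions: PCE lives under Program Files or <SystemDrive>\PCE; PowerShell 4.0+.

$pceExecutables = @(
    'Pcclient.exe',
    'Extract.exe', 'Extrac32.exe', 'Extrac.exe',
    'SysServer.exe',
    'SysMonP32.exe',
    'FSLTool.exe',
    'PKunzip.exe'
)

# Folders to search (assumed locations); keep only the ones that exist on this machine.
$searchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemDrive\PCE") |
    Where-Object { $_ -and (Test-Path $_) }

$report = foreach ($name in $pceExecutables) {
    $hits = Get-ChildItem -Path $searchRoots -Filter $name -Recurse -File -ErrorAction SilentlyContinue
    if (-not $hits) {
        # Alternative names (Extract/Extrac32/Extrac) will usually not all be present.
        [pscustomobject]@{ Name = $name; Path = '(not found)'; SHA256 = ''; Signer = ''; Status = 'NotFound' }
        continue
    }
    foreach ($file in $hits) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        [pscustomobject]@{
            Name   = $name
            Path   = $file.FullName
            SHA256 = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            Status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, UnknownError ...
        }
    }
}

# Record of what was actually found; keep this with the change record for the policy.
$report | Format-Table -AutoSize

# The same file name in more than one place means a name-based authorisation would
# also exempt the other copy; only the PCE copy should be added.
$report | Where-Object { $_.Status -ne 'NotFound' } | Group-Object Name |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "$($_.Name) found in $($_.Count) locations; authorise only the PCE copy" }

# An unsigned or tampered file cannot be vouched for by its signature, so confirm its
# hash against a known-good PCE installation before authorising it.
$report | Where-Object { $_.Status -notin 'Valid', 'NotFound' } |
    ForEach-Object { Write-Warning "$($_.Path): signature status $($_.Status); confirm the SHA-256 with PCE before authorising" }
```

Run the script on a client that has shown the alert, compare the reported paths with the file Sophos names in the alert, and add to the authorisation list only the entries whose path and hash match the PCE installation. The output table can be kept with the policy change as a record of exactly which files were authorised.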