Environment
App Control Agent: All Supported Versions
Symptoms
- The Sophos auto update process fails
- Tamper Protection block events seen in the console:
Modification (Create Key) of registry '\\?\globalroot\registry\machine\software\classes\installer\products\95e4d2f9825022b46b466a0b8b4b28ee\' by 'NT AUTHORITY\SYSTEM' was blocked because of Tamper Protection
Modification (Create Key) of registry '\\?\globalroot\registry\machine\software\classes\installer\products\752723c1d0e4cea42903e4a1a2d7405a\' by 'NT AUTHORITY\SYSTEM' was blocked because of Tamper Protection
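As an added example (not part of this KB article), the Python below parses block events like the two above and decodes the 32-character key names under Installer\Products into the {GUID} ProductCode that Windows Installer actually uses, so the blocked keys can be matched against the App Control product GUID list referenced under Additional Notes. The sample event text is constructed from the two lines quoted above; the decoding follows the standard Windows Installer "compressed GUID" layout (first three GUID fields reversed, remaining byte pairs swapped).

```python
import re
from typing import Dict, List

# Constructed sample input: the two Tamper Protection block events quoted in the
# Symptoms section, in the form they would have in an exported console event log.
SAMPLE_EVENTS = r"""
Modification (Create Key) of registry '\\?\globalroot\registry\machine\software\classes\installer\products\95e4d2f9825022b46b466a0b8b4b28ee\' by 'NT AUTHORITY\SYSTEM' was blocked because of Tamper Protection
Modification (Create Key) of registry '\\?\globalroot\registry\machine\software\classes\installer\products\752723c1d0e4cea42903e4a1a2d7405a\' by 'NT AUTHORITY\SYSTEM' was blocked because of Tamper Protection
""".strip()

EVENT_RE = re.compile(
    r"Modification \((?P<op>[^)]+)\) of registry '(?P<path>[^']+)' by '(?P<user>[^']+)'"
    r" was blocked because of Tamper Protection"
)
# Key names under ...\Installer\Products are 32 hex chars: a "compressed" ProductCode.
PRODUCT_KEY_RE = re.compile(r"\\installer\\products\\([0-9a-f]{32})\\?$", re.I)


def unsquish_product_code(squished: str) -> str:
    """Decode a compressed Installer product key name into the {GUID} ProductCode.
    The first three GUID fields are stored reversed as strings; the remaining
    eight bytes are stored with each two-character pair swapped."""
    s = squished.lower()
    if not re.fullmatch(r"[0-9a-f]{32}", s):
        raise ValueError(f"not a compressed product code: {squished!r}")

    def swap_pairs(hexstr: str) -> str:
        return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))

    fields = (s[0:8][::-1], s[8:12][::-1], s[12:16][::-1],
              swap_pairs(s[16:20]), swap_pairs(s[20:32]))
    return "{" + "-".join(fields).upper() + "}"


def parse_block_events(text: str) -> List[Dict[str, str]]:
    """Return one record per Tamper Protection block event; product_code is the
    decoded ProductCode when the blocked path is an Installer\\Products key."""
    records = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not a Tamper Protection block event
        rec = m.groupdict()
        k = PRODUCT_KEY_RE.search(rec["path"])
        rec["product_code"] = unsquish_product_code(k.group(1)) if k else ""
        records.append(rec)
    return records
```

Feed it the exported event text instead of SAMPLE_EVENTS; the decoded ProductCodes can then be compared with the product GUID list or with the Installer\Products keys on the affected endpoint.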
Cause
- The Sophos installer uses the "RegCreateKey" operation to access all Installer Product Keys located in "HKEY_CLASSES_ROOT\Installer\Products"
- This triggers the App Control agent's tamper protection rules, which are working as designed
- This would also raise security events with any other application that has built-in self-protection
- Procmon capture verifying the findings:
Resolution
Please open a Support case with Sophos and request a modified installer that doesn't use the "RegCreateKey" operation when accessing the Product Keys located in "HKEY_CLASSES_ROOT\Installer\Products"
*** Update: Sophos has at least one bug opened for this issue tracked as WINEP-37499 ***
Additional Notes
As a temporary workaround you can disable an individual agent's tamper protection from the Computer Details page, or disable it globally on all agents from the "Support.php" page.
*** Please note that disabling tamper protection on an agent will leave it unprotected and open for manipulation ***
Once the Sophos update is complete, Tamper Protection should be re-enabled.
A list of the App Control product and package GUIDs can be found here:
App Control: Product Version GUIDs