The "Malicious Behavior Detection" Feature of Sophos Endpoint Agent* is causing random process crashes when 0patch Agent is installed - even if 0patch is disabled.
Some frequently affected processes are Adobe Reader's AcroCEF.exe, msedgewebview2.exe and WerFault.exe.
Currently, the only workaround is to disable "Malicious Behavior Detection" in Sophos Central:
- Login to Sophos Central
- Edit the Threat Protection Policy used by computer(s) using 0patch
- Disable the "Detect malicious behavior" feature in the policy
- Save the policy
If you want to test this workaround locally on one computer before modifying the policy, you can do the following:
- Launch the Sophos Endpoint Agent on the affected computer
- Under Settings -> Runtime Protection, disable the "Detect malicious behavior" feature
- Launch the application that was crashing and confirm it is no longer crashing.
Warning: Local Sophos Endpoint Agent policy overrides stay in effect 4 hours and are then automatically reverted to the Sophos Central policy. If the test confirms the cause, make sure to disable the feature in Sophos Central as well.
(* We reproduced this with Sophos Core Agent version 2025.2.1.709.0)
Comments
0 comments
Please sign in to leave a comment.