Turn blocking of modified processes on or off

Sophos Endpoint Security and Control

Note: This option is not available in Windows 8 as it is handled automatically by the Sophos Anti-Virus HIPS technology.

Malware may attempt to evade the firewall by modifying, in memory, a process that was started by a trusted program, and then using the modified process to access the network on the malware's behalf.

You can configure the firewall to detect and block processes that have been modified in memory.

To turn blocking of modified processes on or off:

  1. On the Home page, under Firewall, click Configure firewall.

    For information about the Home page, see About the Home page.

  2. Under Configurations, click Configure next to the location that you want to configure.
  3. On the General tab, under Blocking, clear the Block processes if memory is modified by another application (32-bit operating systems only) check box to turn blocking of modified processes off.

    To turn blocking of modified processes on, select the check box.

If the firewall detects that a process has been modified in memory, it adds rules to prevent the modified process from accessing the network.

Notes

  • We do not recommend that you turn blocking of modified processes off permanently. You should turn it off only when you need to.
  • Blocking of modified processes is not supported on 64-bit versions of Windows.
  • Only the modified process is blocked. The modifying program is not blocked from accessing the network.