My Account |  Site Map | Contact Us  
Welcome Guest Search | Active Topics | Sign In | Register

EOWP.exe - "DynamicShellCode exploit" caught by Sophos Options
Posted: Monday, February 22, 2021 2:58:15 PM
Rank: Advanced Member
Groups: Member

Joined: 7/14/2014
Posts: 50

Not sure this is the right section of the forum, if so feel free to move this topic elsewhere.

At my workplace, we use Sophos Endpoint Protection Intercept X Advanced to protect our computers from viruses, malwares, etc. The issue is that ever since we updated to the 21.X release of EssentialObjects, the EOWP.exe executable keeps getting caught by the antivirus, and it says "'DynamicShellcode' exploit prevented in Essential Objects Worker Process".

For context, we set EO.Base.Runtime.EnableEOWP to true, and we don't package EOWP.exe in our application, so it gets created dynamically. This used to work fine prior to updating to version 21.X of EO, so I'm wondering if anything big changed between 20.X and 21.X in regards to EOWP.exe.

If there is any further information I can provide, please let me know.

Best regards.
Posted: Tuesday, February 23, 2021 2:30:22 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 22,713

There isn't anything structurally changed between version 20.x and 21.x. They are just minor code changes. We did switch to a new EV code signing certificate, which supposes to more "trustworthy".

Obviously this is a false alarm since eowp.exe is not malware. It does dynamically load code on the fly as eowp.exe is to used to load and run the native browser engine, however the actual browser engine code is compressed and packed inside EO.WebEngine.dll. This could be what triggered the alarm. However the mechanism itself has not changed between v20.x and v21.x.

You may want to contact Sophos to see if they can whitelist eowp.exe on their end, or if you can whitelist it in your organization (most likely based on our code signing certificate). Obviously we have no way of silencing them from our end since if such a method exist then all the malware would use it and it would render their product useless. So it must be done on their end.

Posted: Wednesday, February 24, 2021 7:44:29 AM
Rank: Advanced Member
Groups: Member

Joined: 7/14/2014
Posts: 50
Thanks for the information and the quick reply. We've scheduled a call with Sophos to figure out what best practice would be regarding this. I figured not much would have changed with EOWP and it would be only fixable on the Sophos side, but it's good to have confirmation.

Best regards.

You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.