We have had reports of FireDaemon Pro, Zero and Fusion software products being blocked and stopped from being able to run by Sophos EndPoint Protection. Sophos EndPoint Protection is blocking execution and reporting an event labelled "DynamicShellcode exploit prevented". This is also being logged as "HeapHeapProtect" in the Sophos Cloud Analysis Center. This started occurring from mid-January 2021 when Sophos enabled Dynamic Shellcode Protection by default in their Intercept X product which is included in Sophos EndPoint Protection produc.


This is a false positive. We have submitted the latest builds of FireDaemon Pro 4.5 to Sophos for analysis and no malicious code was found in the installer or software product itself. The root cause of this issue is possibly a flaw in Sopho's recently released Dynamic Shellcode Protection feature and affects users of Sophos EndPoint Protection running Server Core Agent 2.15.4 or later.


To temporarily resolve this issue you can disable "Malicious Behaviour Detection" in the Sophos EndPoint Agent on your workstation or server. You will need to log in to the Sophos EndPoint Agent as Admin with your Tamper Protection Password (available via Sophos Central):



Alternately, create an EndPoint Protection Policy via Sophos Central for the workstations or servers running FireDaemon Pro and disable "Dynamic Shellcode Protection". To do this Create a new Threat Protection Policy per the screenshot below:



Then assign computers to that policy and click Settings:



In the policy settings disable "Dynamic shellcode protection" then save the policy. The policy should be applied to the Assigned Computers in the Endpoint Protection Policy immediately.


You should now be able to run FireDaemon Pro successfully:



Lastly, please report the incident to Sophos directly and submit a ticket for assistance. The method above clearly disables all Dynamic shellcode protection on the workstations and servers included in the Threat Protection Policy and may not be an ideal solution long term.