Sophos Client Firewall: 'Memory Modified' reported as the reason for blocking an application
Issue
An application is blocked by Sophos Client Firewall with the message ‘Modified Memory’.
Sophos product and version
Sophos Client Firewall
Operating system
Windows 2000 Professional
Windows XP
Technical information
By default the Sophos Client Firewall will block all applications that attempt to modify another process' memory space when making connections.
In order to allow an application of this sort, the global option needs to be turned off. However, this is NOT recommended, as you will not be detecting and blocking processes which have been modified in memory. A virus will often aim to change a process once it is running, so that it can circumvent traditional anti-virus scanning techniques, which scan the executable file before it is loaded into memory.
You cannot configure the firewall to exclude specific applications from this type of scanning.
What to do
- In the system tray, right-click on the Sophos Client Firewall icon and select View Log.
- Open the Processes folder.
- Check the most recently blocked application, or a time that correlates with the last time the blocked application ran.
- The 'Event' column should state 'Memory Modified'. If this is the case, close the Log.
- In the system tray, right-click on the Sophos Client Firewall icon and select Configure.
- Deselect the option ‘Block processes if memory is modified by another application’.
If you need more information or guidance, then please contact technical support.
- Article ID: 29248
- Created: 6 Sep 2007
- Last updated: 14 Oct 2008
