App Control: Sophos Updates Blocked by Agents Tamper Protection
Article ID: 286945
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
The Sophos auto-update process fails.
Tamper Protection block events are seen in the console:
Modification (Create Key) of registry '\\?\globalroot\registry\machine\software\classes\installer\products\95e4d2f9825022b46b466a0b8b4b28ee\' by 'NT AUTHORITY\SYSTEM' was blocked because of Tamper Protection
Modification (Create Key) of registry '\\?\globalroot\registry\machine\software\classes\installer\products\752723c1d0e4cea42903e4a1a2d7405a\' by 'NT AUTHORITY\SYSTEM' was blocked because of Tamper Protection
Environment
App Control Agent: All Supported Versions
Cause
The Sophos installer uses the "RegCreateKey" operation to access every Installer product key located under "HKEY_CLASSES_ROOT\Installer\Products". RegCreateKey is a write operation (it creates the key if it does not already exist), which is why the events report a "Create Key" modification.
This triggers the App Control agent's tamper protection rules, which are working as designed.
The same installer behaviour would also raise security events in any other application that has built-in self-protection.
Procmon capture verifying the findings:
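The following PowerShell script is an added example and is not part of the Carbon Black article or of any Sophos or Carbon Black tooling. It shows the two things a responder usually wants after seeing the events above: decoding the packed GUID named in the event path into a normal MSI product code (so it can be matched against the product GUID list linked at the end of this article), and reading the corresponding Installer\Products key with a read-only handle. OpenSubKey with writable set to false maps to RegOpenKeyEx with KEY_READ, which never creates the key and therefore produces no "Create Key" tamper event; that is the access pattern the installer should be using instead of RegCreateKey. The two packed GUIDs are copied from the block events quoted above; the function and variable names are the example's own.

```powershell
# Added example (not from the Carbon Black article). Run on the affected host
# in an elevated PowerShell session. The event path
# \\?\globalroot\registry\machine\software\classes\installer\products\<packed>
# is HKLM\SOFTWARE\Classes\Installer\Products, which HKEY_CLASSES_ROOT merges.

function ConvertFrom-PackedGuid {
    <# Installer\Products stores product codes in "packed" form: the first three
       GUID fields are written reversed as whole strings, the remaining 16 hex
       digits are reversed pairwise. This undoes that transformation and returns
       the usual {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} product code. #>
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9a-fA-F]{32}$')]
        [string]$Packed
    )
    $reverse = { param([string]$s) -join $s[-1..-($s.Length)] }

    $p1 = & $reverse $Packed.Substring(0, 8)
    $p2 = & $reverse $Packed.Substring(8, 4)
    $p3 = & $reverse $Packed.Substring(12, 4)

    # Swap each remaining hex pair: "6b46..." becomes "b664..."
    $tail = $Packed.Substring(16)
    $swapped = -join (0..7 | ForEach-Object {
        $pair = $tail.Substring($_ * 2, 2)
        -join $pair[1, 0]
    })

    ('{{{0}-{1}-{2}-{3}-{4}}}' -f $p1, $p2, $p3,
        $swapped.Substring(0, 4), $swapped.Substring(4)).ToUpper()
}

function Get-InstallerProductInfo {
    <# Looks up one Installer\Products entry with a READ-ONLY key handle.
       OpenSubKey(path, $false) calls RegOpenKeyEx with KEY_READ; unlike
       RegCreateKey it cannot create the key, so tamper protection has nothing
       to block. Returns $null for ProductName when the key is absent. #>
    param([Parameter(Mandatory)][string]$Packed)

    $path = "Installer\Products\$Packed"
    $key  = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($path, $false)
    try {
        $name = if ($key) { $key.GetValue('ProductName') } else { $null }
        [pscustomobject]@{
            PackedGuid  = $Packed
            ProductCode = ConvertFrom-PackedGuid -Packed $Packed
            Present     = [bool]$key
            ProductName = $name
        }
    }
    finally {
        if ($key) { $key.Dispose() }
    }
}

# The two packed GUIDs quoted in the Tamper Protection events above.
$blockedKeys = @(
    '95e4d2f9825022b46b466a0b8b4b28ee',
    '752723c1d0e4cea42903e4a1a2d7405a'
)

$blockedKeys |
    ForEach-Object { Get-InstallerProductInfo -Packed $_ } |
    Format-Table -AutoSize
```

Compare the ProductCode column against the App Control product and package GUID list linked under Additional Information: if the decoded codes belong to the App Control agent's own MSI products, the blocked operations were the Sophos installer touching the agent's installer entries, exactly the behaviour the Cause section describes. The same read-only lookup succeeds with tamper protection enabled, which is a quick way to confirm that the block is specific to the create-key access, not to reading the product data.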
Resolution
Open a Support case with Sophos and request a modified installer that does not use the "RegCreateKey" operation when accessing the product keys located under "HKEY_CLASSES_ROOT\Installer\Products". *** Update: Sophos has at least one bug open for this issue, tracked as WINEP-37499 ***
Additional Information
As a temporary workaround, you can disable an individual agent's tamper protection from the Computer Details page, or disable it globally on all agents from the "Support.php" page. *** Please note that disabling tamper protection on an agent leaves it unprotected and open to manipulation *** Once the Sophos update is complete, Tamper Protection should be re-enabled.
A list of the App Control product and package GUIDs can be found here: https://community.carbonblack.com/t5/Knowledge-Base/App-Control-Product-Version-GUIDs/ta-p/64830