Turn blocking of modified processes on or off

If you use role-based administration:

  • You must have the Policy setting - firewall right to configure a firewall policy.
  • You cannot edit a policy if it is applied outside your active sub-estate.

For more information, see Managing roles and sub-estates.

Malware may attempt to evade the firewall by modifying, in memory, a process that was started by a trusted program, and then using the modified process to access the network on the malware's behalf.

You can configure the firewall to detect and block processes that have been modified in memory.

To turn blocking of modified processes on or off:

  1. Double-click the firewall policy you want to change.
  2. On the Welcome page of the Firewall Policy wizard, click Advanced firewall policy.
  3. Under Configurations, click Configure next to the location for which you want to configure the firewall.
  4. On the General tab, under Blocking, clear the Block processes if memory is modified by another application check box to turn blocking of modified processes off.

    To turn blocking of modified processes on, select the check box.

If the firewall detects that a process has been modified in memory, it adds rules to prevent the modified process from accessing the network.

Notes

  • We do not recommend that you turn blocking of modified processes off permanently. You should turn it off only when you need to.
  • Blocking of modified processes is not supported on 64-bit versions of Windows or on Windows 8 and later. On Windows 8 and later it is handled automatically by the Sophos Anti-Virus HIPS technology.
  • Only the modified process is blocked. The modifying program is not blocked from accessing the network.