This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

A problem occurred when our devices received the latest update

Every time I opened MS Access 2003, the app crashes with KERNELBASE.dll as the fault module, but when I uninstalled sophos I can open my MS Access files. Here are the further details:

Problem Event Name: APPCRASH
Application Name: MSACCESS.EXE
Application Version: 11.0.5614.0
Application Timestamp: 3f3c8e3c
Fault Module Name: KERNELBASE.dll
Fault Module Version: 6.1.7601.24545
Fault Module Timestamp: 5e0eb7d0
Exception Code: e06d7363
Exception Offset: 0000845d
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 1033

Additional information about the problem:
LCID: 1033
Brand: Office11Crash
skulcid: 1033

Read our privacy statement online:
go.microsoft.com/.../

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt



This thread was automatically locked due to age.
  • Hello Point7,

    Thank you for reaching out to the Sophos Community. 

    Do you know if exclusions have been added for the process "MSACCESS.exe"? 

    As an initial step, I recommend adding this as a "Process exclusion", as well as an "Exploit Mitigation Exclusion". 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Confirmed in my org also....strange that I even disabled tamper protection and disabled EVERYTHING in the settings section and still no ability to open these databases. (Note: It does work in full Access 03' with file/open and going right to the .mdb but that ain't an answer.)  Something else has happened...

  • Also nothing short of uninstalling Sophos works to resolve the issue.  Shutting off all sophos services/real time scanning/etc. doesn't help at all.  Even worse, Sophos itself doesn't even log the blockage and there is no record of it anywhere that i've seen.  However, if uninstalling Sophos fixes it, and installing it breaks it, it's definitely sophos.

  • Thank you for sharing these details. To take things a step further, I'd recommend isolating the drivers on the device if previous troubleshooting has yielded no better results. I recommend only performing one of the following isolations at a time. 

    HMPA Isolation:
    a) Access the Services and stop then disable the following service:HitmanPro.Alert service
    b) Access the following folder: C:\Windows\System32\
    c) Rename hmpalert.dll to hmpalert.orig
    d) Access the following folder: C:\Windows\SysWOW64\
    e) Rename hmpalert.dll to hmpalert.orig
    f) Reboot the device

    SAV Isolation:
    a) Access the Services and stop then disable the following service: Sophos Anti-Virus 
    b) Reboot the device

    Sophos Endpoint Defense Isolation:
    a) Access the following folder: C:\Windows\System32\drivers\
    b) Rename SophosED.sys to SophosED.sys.orig
    c) Reboot the device

    If you find that Intercept X/HitmanPro is the culprit, I recommend trying out the cumulative hotfix for Intercept X.

    If the hotfix package does not help, or if you find the issue to be with either of the other components, it would be best to gather a "Procdump" of the application crash. The command you will want to run is as follows.

    procdump.exe -ma -i 

    This will set Procdump.exe as the default debugger so that any app crashes will generate a dump file. Once you have the dump file, I'd recommend opening a support case so our team can take a closer look into things. 

    Thank you,

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • I have the same problem. Temporary uninstaled sophos from 10 workplaces.

  • Same for us. Access 2003 database causes the exact application error above.
    The isolations (HMP, SAV, ED) given above did not resolve the problem, even with all three disabled at once.
    We used procdump as recommended, but though our user of our Access database continued to throw the error above in the event viewer Application log, procdump generated no dumpfile for us.

    We tried exceptions on the database file location and on MSACCESS.EXE itself, no success there.

    Uninstalling Sophos, we instantly can use Access 2003.

    I am opening a support case.

  • None of the fixes work.  The software doesn't even log itself as the problem, but it is in fact the problem.  

  • My fix for now is to move people to Access 2010 runtime.  Seems to be ok so far. 

  • Hi, have you received some suggestions from support, about this problem ?

  • From the dump I saw reproducing this with Office 2003, the issue is with the Office 2003 version only. Access 2010 opening the same file is fine.

    The following Sophos DLL: "sophosofficeav.dll" is loaded into a process such as MSAccess.exe as a result of Sophos using the IOfficeAntiVirus interface to get a call back for download reputation scanning.

    32-bit processes load: "C:\Program Files\Sophos\Sophos Network Threat Protection\IOAV\x86\sophosofficeav.dll"

    64-bit processes load "C:\Program Files\Sophos\Sophos Network Threat Protection\IOAV\x64\sophosofficeav.dll"

    I assume the MSAccess.exe you are using is 32-bit given the age.

    The Scan method IOfficeAntiVirus::Scan method (Windows) | Microsoft Docs in the DLL is passed a MSOAVINFO structure. When passed on 2003 the szOrigURL value of this structure is garbage. MSOAVINFO structure (Windows) | Microsoft Docs which leads to an access violation.

    Sophos said they can workaround this in the DLL but I guess you can disable Tamper and rename "C:\Program Files\Sophos\Sophos Network Threat Protection\IOAV\x86\sophosofficeav.dll". Next time MSAccess.exe launches, the DLL will not be pulled in.