This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

A problem occurred when our devices received the latest update

Every time I opened MS Access 2003, the app crashes with KERNELBASE.dll as the fault module, but when I uninstalled sophos I can open my MS Access files. Here are the further details:

Problem Event Name: APPCRASH
Application Name: MSACCESS.EXE
Application Version: 11.0.5614.0
Application Timestamp: 3f3c8e3c
Fault Module Name: KERNELBASE.dll
Fault Module Version: 6.1.7601.24545
Fault Module Timestamp: 5e0eb7d0
Exception Code: e06d7363
Exception Offset: 0000845d
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 1033

Additional information about the problem:
LCID: 1033
Brand: Office11Crash
skulcid: 1033

Read our privacy statement online:
go.microsoft.com/.../

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt



This thread was automatically locked due to age.
Parents Reply Children
  • From the dump I saw reproducing this with Office 2003, the issue is with the Office 2003 version only. Access 2010 opening the same file is fine.

    The following Sophos DLL: "sophosofficeav.dll" is loaded into a process such as MSAccess.exe as a result of Sophos using the IOfficeAntiVirus interface to get a call back for download reputation scanning.

    32-bit processes load: "C:\Program Files\Sophos\Sophos Network Threat Protection\IOAV\x86\sophosofficeav.dll"

    64-bit processes load "C:\Program Files\Sophos\Sophos Network Threat Protection\IOAV\x64\sophosofficeav.dll"

    I assume the MSAccess.exe you are using is 32-bit given the age.

    The Scan method IOfficeAntiVirus::Scan method (Windows) | Microsoft Docs in the DLL is passed a MSOAVINFO structure. When passed on 2003 the szOrigURL value of this structure is garbage. MSOAVINFO structure (Windows) | Microsoft Docs which leads to an access violation.

    Sophos said they can workaround this in the DLL but I guess you can disable Tamper and rename "C:\Program Files\Sophos\Sophos Network Threat Protection\IOAV\x86\sophosofficeav.dll". Next time MSAccess.exe launches, the DLL will not be pulled in. 

  • Many Thanks user930 for your suggestions.

    Renaming "C:\Program Files\Sophos\Sophos Network Threat Protection\IOAV\x86\sophosofficeav.dll" works fine, but temporary solution. I don't know exactly what does it means for sophos client operation, but I presume not so well.

    Have a nice day

  • WINEP-38613 is in Core Agent 2.20.11

    Sophos Network Threat Protection updated to version 1.15.835.

    WINEP-38613

    Sophos Network Threat Protection Resolved an issue where sophosofficeav.dll produced an access violation when managing Microsoft Office documents.

    See "Sophos Core Agent" under: https://docs.sophos.com/releasenotes/index.html?productGroup 

  • It is used for Download reputation, i.e. the browser downloads a file, this interfaces allows browsers for example to request a scan following download before the file is made available to the user. Sophos uses is for the Download reputation box you see if a file is of low reputation following a download.  You can test it here: https://sophostest.com/reputation/index.html if you download Low.exe for example with Chrome/IE/Edge for example.  I don't think Firefox supports it.

    Sophos doesn't use this for scanning, web control or malicious website blocking, just download reputation once the file is downloaded.  Not the end of the world, it's just a hint to the end user that the file isn't super common, do they want to proceed.