Thread Info
  • State Verified Answer
  • +3 person also asked this people also asked this
  • Locked Locked
  • Replies 13 replies
  • Answers 1 answer
  • Subscribers 19 subscribers
  • Views 6262 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

A problem occurred when our devices received the latest update

Point7

Every time I opened MS Access 2003, the app crashes with KERNELBASE.dll as the fault module, but when I uninstalled sophos I can open my MS Access files. Here are the further details:

Problem Event Name: APPCRASH
Application Name: MSACCESS.EXE
Application Version: 11.0.5614.0
Application Timestamp: 3f3c8e3c
Fault Module Name: KERNELBASE.dll
Fault Module Version: 6.1.7601.24545
Fault Module Timestamp: 5e0eb7d0
Exception Code: e06d7363
Exception Offset: 0000845d
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 1033

Additional information about the problem:
LCID: 1033
Brand: Office11Crash
skulcid: 1033

Read our privacy statement online:
go.microsoft.com/.../

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt



This thread was automatically locked due to age.
Parents
  • 0

    Also nothing short of uninstalling Sophos works to resolve the issue.  Shutting off all sophos services/real time scanning/etc. doesn't help at all.  Even worse, Sophos itself doesn't even log the blockage and there is no record of it anywhere that i've seen.  However, if uninstalling Sophos fixes it, and installing it breaks it, it's definitely sophos.

  • 0 in reply to Sophos User5219

    Same for us. Access 2003 database causes the exact application error above.
    The isolations (HMP, SAV, ED) given above did not resolve the problem, even with all three disabled at once.
    We used procdump as recommended, but though our user of our Access database continued to throw the error above in the event viewer Application log, procdump generated no dumpfile for us.

    We tried exceptions on the database file location and on MSACCESS.EXE itself, no success there.

    Uninstalling Sophos, we instantly can use Access 2003.

    I am opening a support case.

  • 0 in reply to Bethany Keech

    My fix for now is to move people to Access 2010 runtime.  Seems to be ok so far. 

  • 0 in reply to Bethany Keech

    Hi, have you received some suggestions from support, about this problem ?

  • +1 in reply to sistinfo forli

    From the dump I saw reproducing this with Office 2003, the issue is with the Office 2003 version only. Access 2010 opening the same file is fine.

    The following Sophos DLL: "sophosofficeav.dll" is loaded into a process such as MSAccess.exe as a result of Sophos using the IOfficeAntiVirus interface to get a call back for download reputation scanning.

    32-bit processes load: "C:\Program Files\Sophos\Sophos Network Threat Protection\IOAV\x86\sophosofficeav.dll"

    64-bit processes load "C:\Program Files\Sophos\Sophos Network Threat Protection\IOAV\x64\sophosofficeav.dll"

    I assume the MSAccess.exe you are using is 32-bit given the age.

    The Scan method IOfficeAntiVirus::Scan method (Windows) | Microsoft Docs in the DLL is passed a MSOAVINFO structure. When passed on 2003 the szOrigURL value of this structure is garbage. MSOAVINFO structure (Windows) | Microsoft Docs which leads to an access violation.

    Sophos said they can workaround this in the DLL but I guess you can disable Tamper and rename "C:\Program Files\Sophos\Sophos Network Threat Protection\IOAV\x86\sophosofficeav.dll". Next time MSAccess.exe launches, the DLL will not be pulled in. 

  • 0 in reply to Sophos User930

    Many Thanks user930 for your suggestions.

    Renaming "C:\Program Files\Sophos\Sophos Network Threat Protection\IOAV\x86\sophosofficeav.dll" works fine, but temporary solution. I don't know exactly what does it means for sophos client operation, but I presume not so well.

    Have a nice day

  • 0 in reply to sistinfo forli

    WINEP-38613 is in Core Agent 2.20.11

    Sophos Network Threat Protection updated to version 1.15.835.

    WINEP-38613

    		 Sophos Network Threat Protection Resolved an issue where sophosofficeav.dll produced an access violation when managing Microsoft Office documents.

    See "Sophos Core Agent" under: https://docs.sophos.com/releasenotes/index.html?productGroup 

  • 0 in reply to sistinfo forli

    It is used for Download reputation, i.e. the browser downloads a file, this interfaces allows browsers for example to request a scan following download before the file is made available to the user. Sophos uses is for the Download reputation box you see if a file is of low reputation following a download.  You can test it here: https://sophostest.com/reputation/index.html if you download Low.exe for example with Chrome/IE/Edge for example.  I don't think Firefox supports it.

    Sophos doesn't use this for scanning, web control or malicious website blocking, just download reputation once the file is downloaded.  Not the end of the world, it's just a hint to the end user that the file isn't super common, do they want to proceed.

Reply
  • 0 in reply to sistinfo forli

    It is used for Download reputation, i.e. the browser downloads a file, this interfaces allows browsers for example to request a scan following download before the file is made available to the user. Sophos uses is for the Download reputation box you see if a file is of low reputation following a download.  You can test it here: https://sophostest.com/reputation/index.html if you download Low.exe for example with Chrome/IE/Edge for example.  I don't think Firefox supports it.

    Sophos doesn't use this for scanning, web control or malicious website blocking, just download reputation once the file is downloaded.  Not the end of the world, it's just a hint to the end user that the file isn't super common, do they want to proceed.

Children
No Data
Unfiltered HTML