
Version 10.7.1.VE3.68.0 crashes web browsers

Doing an evaluation of Sophos to replace our existing endpoint protection.

All was well until the latest update. 10.7.1 VE3.68.0 seems to cause my web browsers to crash after you try to close the browser. The browser process gets hung and you cannot even end the process. Launching the browser again gets you a message saying that you do not have sufficient rights to access a file path.

Trying another browser that has not been launched, just sits and spins trying to connect to the web. 

Running the Endpoint Protection and Device Encryption. Not running Intercept X.

All policies are active with some minor tweaks to them.

 

Has anyone had this problem and have a solution?

 

Really liking the product.



  • Hi,

    There are a couple of approaches to try here:

    1. Remove modules loaded by the browser until the issue hopefully goes away.  This at least narrows it down.
    2. Create dump files.

     

    For point 1, it would be good to know the OS but a common module would be Sophos Detours.  You can prevent that loading as a quick test by changing the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
    LoadAppInit_DLLs = 0

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows
    LoadAppInit_DLLs = 0

    and restarting the browser.  Do you see the same problem?

    Note: This will stop all DLLs in the AppInit_DLLs value (same key as above) from loading into processes.  Maybe you have some in that list you need from other software? In which case, rather than disabling all, you could remove the Sophos DLL from the AppInit_DLLs value.

    Otherwise, I would consider running Process Explorer to see what other third-party modules are being loaded into the browser processes and look to remove those.  These can be seen by enabling the lower pane and setting the DLL view.

     

    For point 2, distinguishing between a crash and a hang is important, as the method of obtaining dumps would be different.

    For the crashing case I would:

    1. Download procdump (https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx)
    2. Create the directory: C:\dumps
    3. Probably copy procdump.exe to that directory so it's in less of a temp path.
    4. Run in an admin command prompt:

      procdump -ma -mk -i c:\dumps

    Note: This will register Procdump on the system as the default postmortem debugger.  You can use the -u switch to procdump to uninstall/unregister it if needed.

    The next time a process crashes you should get a couple of dump files.

    For the hang case:

    1. Download procdump (https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx)
    2. Create the directory C:\dumps
    3. Probably copy procdump.exe to that directory so it's in less of a temp path.
    4. When a process has hung:
      procdump -ma -mk [processname]

    Notes:

    • This will create you a dump (or 2 in the case of using mk and ma switches).
    • If you have multiple processes with the same name, i.e. Iexplore.exe, then I would suggest obtaining the PID of these processes with say Process Explorer (as this also gives you a nice view of the parent/child relationship). You can then use:
      procdump -ma -mk [PID]
      You can do this for each PID of IE for example.

    I'd be happy to take a look at the dumps.

    Regards,

    Jak
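
A read-only way to see what the AppInit_DLLs mechanism discussed in the reply above is configured to load, before changing LoadAppInit_DLLs. This is an added example, not part of the original thread; the function name Get-AppInitReport is hypothetical.

```powershell
# Added example: read-only audit of AppInit_DLLs in the 64-bit and 32-bit (WOW6432Node) views.
# Nothing is modified; run from an elevated PowerShell prompt for complete results.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitReport {   # hypothetical helper name
    param([string[]]$Path)
    foreach ($key in $Path) {
        # WOW6432Node does not exist on 32-bit Windows
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key

        # AppInit_DLLs is one string; entries are separated by spaces or commas
        $dlls = @("$($props.AppInit_DLLs)" -split '[\s,]+' | Where-Object { $_ })
        if ($dlls.Count -eq 0) { $dlls = @($null) }   # still report the key's flags

        foreach ($dll in $dlls) {
            $sig = $null
            # Only full paths are checked; bare file names are resolved by the loader
            if ($dll -and [System.IO.Path]::IsPathRooted($dll) -and
                (Test-Path -LiteralPath $dll)) {
                $sig = Get-AuthenticodeSignature -LiteralPath $dll
            }
            [pscustomobject]@{
                Key            = $key
                LoadAppInit    = $props.LoadAppInit_DLLs           # 0 = nothing is loaded
                RequireSigned  = $props.RequireSignedAppInit_DLLs  # 1 = only signed DLLs load
                Dll            = $dll
                SignatureState = if ($sig) { $sig.Status } else { $null }
                Signer         = if ($sig -and $sig.SignerCertificate) {
                                     $sig.SignerCertificate.Subject
                                 } else { $null }
            }
        }
    }
}

Get-AppInitReport -Path $keys | Format-List
```

On Windows 8 and later with Secure Boot enabled, Windows ignores AppInit_DLLs regardless of these values, so an empty result in the browser's module list is expected there.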

     
