
Is there an issue with Sophos Intercept X and Internet Explorer 11?

We have seen Internet Explorer crash on every machine we install Sophos Intercept X on. All of the computers are Windows 10 (ver 1709).

We have had to change main browsers because of the constant crashing. On first opening it crashes on my own machine every time. I have checked the LoadAppInit_DLLS in the registry and both are 0 (following on from another thread I read here).

Any idea what to try?  I have gathered some dumps of the crashes but don't have the experience to look at them.

Thank you

N@




[locked by: SupportFlo at 10:57 PM (GMT -8) on 8 Mar 2019]
  • We have been experiencing this issue since November of 2017 and finally pinned it down to Sophos as well.  I had to disable Web Browser Projection on 900 PCs because this has rendered them useless.  Hopefully Sophos can get this resolved.

    I hope they get the Internet Explorer Lockdown issue fixed as well.

  • Unknown said:

    I hope they get the Internet Explorer Lockdown issue fixed as well.

    What's the Lockdown issue?  I have an issue where a "Lockdown" event happens in IE when we use our line of business app.  The only solution that worked was to add the URL for the site to Trusted Sites in IE.  That makes Sophos let it slide, apparently.
  • I have a few websites with applications that trigger the IE Lockdown that I've been trying to pin down.  The website is a county GIS website: https://www.senecatechnologies.com/webgis, launching the SenecaInvo/WebGIS login app from the upper right throws the exploit.  Adding the site to Trusted Sites didn't work.  I had the same issue with the www.puresafety.com site.

    I had the same issue with the Apple VPP site but that one appears to be fixed.  Sophos support said that all of the sites were running VBScript God Mode which I am 100% certain isn't the case, especially with Apple.  Nobody at Apple would do anything in VB Script.

    The errors above are only triggered in IE.  I can open them in MS Edge and Firefox and they work fine.  I am also sitting behind an XG firewall that is letting them pass through.  That leads me to believe it is something with Intercept X.

    I even have a few application installations that trigger this exploit.  They have nothing to do with IE.  The only way to get the install to work is to disable the Hitman pro service.  

  • Hello Brian,

    Did you get a permanent fix from Sophos in this regard? We just started rolling out Win 10-1709 and we bumped into this issue on test boxes.

    So just checking?

  • It's been weeks since I've heard anything from Sophos support on any of my open issues.  I've never had such a poor experience with an enterprise level company.  So disappointing.  We're getting by with features disabled on many PCs.

  • Sophos have confirmed that there is an issue and they are currently working on the problem.  The issue appears to indicate an issue with how Sophos interacts with dinput8.dll.  We are excluding browsers from exploit mitigation and IE11 is now stable under these conditions.

  • Well Thanks for your response. Expect Sophos to look into this.

  • Just adding a 'Me Too' to this issue. Started as soon as machines updated to Windows 10 1709. Going to try removing browsers from exploit mitigation and see if that helps while we are waiting for a Sophos fix.

  • Finished a remote session with Sophos Support last night.  I referenced this thread in my Support ticket to Sophos.  While not the exact issue originally reported, they did identify similar behavior.  Support emailed me a good follow up:

    we found that the reason these detections are being generated is due to the interaction between the hmpa scanning internet explorer and the "dinput8.dll" Active-X control driver being loaded into the web browser. Reviewing the documentation from development, this issue is due to both of the drivers trying to modify the same bit of memory. This causes what is known as a "Race Condition" with the two drivers causing the webpage to stop loading data appropriately. Intercept X will protect the memory spaces after the initial alteration made by loading the drivers, however with the interactions that we have seen, the loaded DLL will spawn another process that comes back and needs to make a change to the now protected memory location resulting in the crash.

    At this time, the suggested workaround if you have functions that need to be performed through IE is to disable the scanning of Web Browsers. This will effectively stop Intercept X from protecting the memory spaces in use by Internet Explorer so that this app crash no longer occurs. It is possible to do so by navigating into the Threat Protection policy that is assigned to the affected machine(s) in order to de-select the check box "Protect Web Browsers" located under "Runtime Protection"

    Our development teams have a fix slated to be released in Q2 of 2018. At this time the fix is in the testing phase. I will be passing the logs collected during our session, over to our development teams for further investigation should this be needed. Moving forward if you would like an updated ETA on the release of this fix, please feel free to call or e-mail in and reference the following code [WINEP-12407] and our techs will be able to provide you with some additional information if it has been released. I will be setting this case to an awaiting product status and will update you as additional information is released by our development teams.

  • That is awesome news (I think).  It stinks that we have to disable protection of browsers but I guess the first step is admitting that there is a problem:)  I look forward to getting this issue finally behind us.

  • DevinBrown said:

    Finished a remote session with Sophos Support last night.  I referenced this thread in my Support ticket to Sophos.  While not the exact issue originally reported, they did identify similar behavior.  Support emailed me a good follow up: 

    Awesome - thanks!

    Adam
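
For anyone in the original poster's position, with crashes recorded but no experience reading dumps, the following PowerShell is an added example (not posted by any participant in this thread and not Sophos tooling). It re-checks the `LoadAppInit_DLLs` values mentioned in the first post and summarises which module Windows recorded as faulting in each Internet Explorer crash; the 14-day window and the variable names are assumptions of the example.

```powershell
# Added triage example (not Sophos tooling). Run from an elevated 64-bit PowerShell.
# $Days is an arbitrary look-back window chosen for this example.
$Days = 14

# 1. AppInit settings in the native and 32-bit (WOW6432Node) registry views.
#    The original post reports LoadAppInit_DLLs = 0 in both.
$appInit = foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key              = $key
        LoadAppInit_DLLs = $v.LoadAppInit_DLLs
        AppInit_DLLs     = $v.AppInit_DLLs
    }
}

# 2. Application Error events (ID 1000) for iexplore.exe.
#    Property 0 = faulting application, 3 = faulting module, 6 = exception code.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-$Days)
}
$crashes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -ieq 'iexplore.exe' } |
    ForEach-Object {
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Module        = [string]$_.Properties[3].Value
            ExceptionCode = [string]$_.Properties[6].Value
        }
    }

# 3. Summarise: which module faults, with which exception code, and how often.
$summary = $crashes | Group-Object Module, ExceptionCode |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Latest'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } }

$appInit | Format-Table -AutoSize
$summary | Format-Table -AutoSize
```

A summary dominated by one module name and exception code is the detail worth quoting in a support ticket alongside the dumps. Running it before and after changing the "Protect Web Browsers" setting shows whether the crash pattern actually changes.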