This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Is there an issue with Sophos Intercept X and Internet Explorer 11?

We have seen Internet Explorer crash on every machine we install Sophos Interecpt X on. All of the Computers are Windows 10 (ver 1709).

 

We have had to change main browsers because of the constant crashing. On first opening it crashes on my own machine everytime. I have checked the LoadAppInit_DLLS in the registry and both are 0 (following on from another thread I read here).

 

Any idea what to try?  I have gathered some dumps of the crashes but don't have the experience to look at them.

 

Thank you

N@




[locked by: SupportFlo at 10:57 PM (GMT -8) on 8 Mar 2019]
Parents
  • We have been experiencing this issue since November of 2017 and finally pinned it down to Sophos as well.  I had to disable Web Browser Projection on 900 PCs because this has rendered them useless.  Hopefully Sophos can get this resolved.

    I hope they get the Internet Explorer Lockdown issue fixed as well.

  • Hello Brian,

     

    Did you get a permanent fix from Sophos in this regards? We Just started rolling out Win 10-1709 and we bumped into this issue on test boxes. 

    So just checking?

  • Finished a remote session with Sophos Support last night.  I referenced this thread in my Support ticket to Sophos.  While not the exact issue originally reported, they did identify similar behavior.  Support emailed me a good follow up:

     

    we found that the reason these detections are being generated is due to the interaction between the hmpa scanning internet explorer and the "dinput8.dll" Active-X control driver being loaded into the web browser. Reviewing the documentation from development, this issue is due to both of the drivers trying to modify the same bit of memory. This causes what is known as a "Race Condition" with the two drivers causing the webpage to stop loading data appropriately. Intercept X will protect the memory spaces after the initial alteration made by loading the drivers, however with the interactions that we have seen, the loaded DLL will spawn another process that comes back and needs to make a change to the now protected memory location resulting in the crash.

    At this time, the suggested workaround if you have functions that need to be performed through IE is to disable the scanning of Web Browsers. This will effectively stop Intercept X from protecting the memory spaces in use by Internet Explorer so that this app crash no longer occurs. It is possible to do so by navigating into the Threat Protection policy that is assigned to the affected machine(s) in order to de-select the check box "Protect Web Browsers" located under "Runtime Protection"

    Our development teams have a fix slated to be released in Q2 of 2018. At this time the fix is in the testing phase. I will be passing the logs collected during our session, over to our development teams for further investigation should this be needed. Moving forward if you would like an updated ETA on the release of this fix, please feel free to call or e-mail in and reference the following code [WINEP-12407] and our techs will be able to provide you with some additional information if it has been released. I will be setting this case to an awaiting product status and will update you as additional information is released by our development teams.

  • That is awesome news (I think).  It stinks that we have to disable protection of browsers but I guess the first step is admitting that there is a problem:)  I look forward to getting this issue finally behind us.

  • DevinBrown said:

    Finished a remote session with Sophos Support last night.  I referenced this thread in my Support ticket to Sophos.  While not the exact issue originally reported, they did identify similar behavior.  Support emailed me a good follow up: 

     

    Awesome - thanks!

     

    Adam

  • Thank you so much for posting this! it is the most informative response from Sophos we have seen so far.

     

    :D

  • I also have this issue on some computers

  • Well noted and thank you sharing important information with us.

  • Hi Everyone,

    The reported issue is brought to the attention of the concerned team and it is actively being investigated internally by our team (ID reference: WINEP-12407). I will keep this thread updated periodically with developments.  At the moment I believe  has already provided the possible workarounds and the logs that would be required for the support to investigate it.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • I reported this issue in December, 4 months ago.  Sad.

  • I have been told by the Support the Next Release of Q2 This would be fixed. Right now Windows 10  - 1709 are being rolled out with Browser Protection Disabled.

     

     I Hope this would be solved with the Q2 Release.

  • Any idea why this took 5 months to get going on the Sophos side?  We have been struggling with this since November.  Our EHR system runs via Internet explorer and we have exhausted every avenue with GE in regards to this crashing issue.  I find it rather pathetic that Sophos sat on their hands on this issue.  The good news is that GE Centricity has decided to strip preferred vendor status away from Sophos because of this issue.

Reply
  • Any idea why this took 5 months to get going on the Sophos side?  We have been struggling with this since November.  Our EHR system runs via Internet explorer and we have exhausted every avenue with GE in regards to this crashing issue.  I find it rather pathetic that Sophos sat on their hands on this issue.  The good news is that GE Centricity has decided to strip preferred vendor status away from Sophos because of this issue.

Children
  • I completely agree with you, this is not acceptable at all. On our side, we had to deactivate Intercept X on all our Windows 10 version 1709 stations because of the mutiple daily crashes in IE11. When communicating with the Sophos support, they keep telling me it's going to be fixed in Q2. Could be next week, could be in June for all I know...

     

    Sophos, wake up! This is a serious issue. We are paying for Intercept X, but have to deactivate it on our users workstations in order for them to be able to work normally.

  • Don't take this like I'm blaming you, but is there a specific reason they have to use IE?  I totally agree the lack of transparency on this issue is troubling especially since I'm a partner and rely on the vendor to be upfront and honest so I can be with the customer.  

    All in all, my personal belief is if an application only works in IE, then it's time to find a replacement.  I still can't believe Trend Micro still requires ActiveX to open their Worry-Free Business Security console.

  • In our case our EHR only functions using IE because the client plugin were developed only for IE.  To replace our EHR would cost somewhere in the ballpark of $3,000,000 so I don't think that this would be a viable option for us.

  • Only IE11 fully supports all the functionalities of SharePoint 2013. As much as I would like to move to Chrome, it's not possible because of that.

     

    Also, as the IT Director for our organization and in charge of the help desk, we can't support all browsers out there. We only support one. That's a pretty standard policy for companies.

  • Similar situation here w/ EMR requiring IE to run...mainly due to Active X. Hopefully down the road this will change - but for now, we have 30 assets running Win 10 that are not able to run Intercept X. The Root Case Analysis feature was the main reason we purchased Int X, other than the anti-ransomware protection. 3 year term and we're unable to use the product as it was sold to us for many months now. 

    Funny, Sophos was tweeting about Int X  how its a good time to review how they have infused to power of machine learning and I responded, pointing to this thread - yielded no response. 

    twitter.com/.../982323323530039299

  • Dustin Winger said:

    In our case our EHR only functions using IE because the client plugin were developed only for IE.  To replace our EHR would cost somewhere in the ballpark of $3,000,000 so I don't think that this would be a viable option for us.

     

    No, I totally agree that isn't feasible.  I know in the medical sector it's not simple to just make changes to your program; just sucks that when they develop such programs that only work with IE when their market share is pretty low.  Just a quick Google search shows Chrome has 60.14% and IE only 12.46%.

  • David Kirouac said:

    Only IE11 fully supports all the functionalities of SharePoint 2013. As much as I would like to move to Chrome, it's not possible because of that.

     

    Also, as the IT Director for our organization and in charge of the help desk, we can't support all browsers out there. We only support one. That's a pretty standard policy for companies.

     

     

    I'm with you on not supporting every web browser out there.  Without knowing the back story behind everyone having issues it's hard to determine if this was something that could've been avoided.

    I usually will do the 30 day trial (sometimes getting it extended) to make sure it doesn't interfere with any business applications.