Is there an issue with Sophos Intercept X and Internet Explorer 11?

I've had the issue described in this thread since Nov, 2017, when our company first started using Sophos Central and InterceptX.  I've had a case open for a couple months now.  IE crashes on Win 10 systems so frequently it's almost unusable. 

At the current time, a reliable workaround for us is to disable "Shockwave Flash Object" in IE.  With that disabled, I'm able to use IE successfully without disabling any Sophos components.  I'm curious if this will work for others.  I've only done it on some test PCs so far.

We also have been experiencing the same issue since migrated to Sophos Central and InterceptX.  I implemented the Shockwave Flash change on a test group but have seen a couple of failures since although the rate has been much lower.  We have a call open with Sophos but have not had any meaningful advise or feedback so far. 

I will look to implemenet the rename of the hmpralert.dll and see if this has any impact. 

Kevin

kevin Whiteman said:

We also have been experiencing the same issue since migrated to Sophos Central and InterceptX.  I implemented the Shockwave Flash change on a test group but have seen a couple of failures since although the rate has been much lower.  We have a call open with Sophos but have not had any meaningful advise or feedback so far. 

I will look to implemenet the rename of the hmpralert.dll and see if this has any impact. 

Kevin

 

Yes, we rolled this out as a Group Policy.  While it does seem to be a bit better, Internet Explorer is still crashing.  Did renaming the DLL make any difference?

Disabling InterceptX will prevent the IE crashes in Win 10.  Renaming the DLL for Hitman Pro Alert is one way, but you have to do that at the client.  Here's a way to disable InterceptX in the console for only the clients you choose:

• On the left side menu in the console, under Manage Protection, click Computers
• On the right at top, click the Manage Endpoint Software button
• In the window that pops up, under Software List, click "Intercept X"
• Move any computers from the Assigned Computers group to the Eligible Computers group.
• Save and close the window.
• Once the clients grab this update, InterceptX will be disabled.  I believe they will want to reboot anytime this is disabled/enabled.

Obviously disabled InterceptX is not something we want to do, but if disabling Shockwave Flash isn't enough of a work around, this is an option until we have a final solution. 

I am very unhappy with Sophos support on this and other issues.  Communication from them is very infrequent.  I've had to ask the same questions 2 & 3 times before getting answers.  The were unwilling to own this issue in the beginning, hinting "no one else is reporting this issue."  They have asked me to do testing, generate logs, dumps, even this week asking for more dumps.  This is very time consuming.  It should be very simple for them to test and generate these in-house.  None of the issues I raised over the last 2+ months have resolution, the only workarounds have been to disable components.  I've never had such an unsatisfactory support experience with a software vendor.

David Fosbenner said:

Disabling InterceptX will prevent the IE crashes in Win 10.  Renaming the DLL for Hitman Pro Alert is one way, but you have to do that at the client.  Here's a way to disable InterceptX in the console for only the clients you choose:

• On the left side menu in the console, under Manage Protection, click Computers
• On the right at top, click the Manage Endpoint Software button
• In the window that pops up, under Software List, click "Intercept X"
• Move any computers from the Assigned Computers group to the Eligible Computers group.
• Save and close the window.
• Once the clients grab this update, InterceptX will be disabled.  I believe they will want to reboot anytime this is disabled/enabled.

Obviously disabled InterceptX is not something we want to do, but if disabling Shockwave Flash isn't enough of a work around, this is an option until we have a final solution. 

I am very unhappy with Sophos support on this and other issues.  Communication from them is very infrequent.  I've had to ask the same questions 2 & 3 times before getting answers.  The were unwilling to own this issue in the beginning, hinting "no one else is reporting this issue."  They have asked me to do testing, generate logs, dumps, even this week asking for more dumps.  This is very time consuming.  It should be very simple for them to test and generate these in-house.  None of the issues I raised over the last 2+ months have resolution, the only workarounds have been to disable components.  I've never had such an unsatisfactory support experience with a software vendor.

 

 

 

 

I don't think you are the only one frustrated by Sophos support or lack of!

I've given the definition of insanity a run for its money trying to get to the bottom of this same issue also.

Our EMR will only run in IE due to high dependency on ActiveX.

Anytime Microsoft pushed out significant updates to Win10, I would have to reconfigure the internet security options under trusted sites on those workstations browsers. 

Recently, IE would just trigger a message (Internet Explorer has stopped working) - and I have spent at least 10 hours since the new year trying every trick I know to get our users running stable. 

Finally, when parsing through event logs I noticed a common trend in that C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE & C:\WINDOWS\system32\dinput8.dll were common denominators and searched that string. I landed on the Microsoft TechNet discussion where almost everyone there had an additional common factor - they all use Sophos!

We purchased licenses for Intercept X for a reason, and now the only work around is to disable that protection on Windows 10 workstations? The renaming of the hitman .dll - is that an alternative? What exactly needs to be done in that case?

"The renaming of the hitman .dll - is that an alternative?"

John, the component "Hitman Pro Alert" is InterceptX.  So the DLL mentioned just prevents IX from loading.

Support did mention DINPUT8.DLL to me when the examined my logs.  They were like "this is what's crashing, so it's a Microsoft issue."  OMG!!  No, it's a Sophos issue.

Thanks for that point of clarification David.

I just removed one of the windows 10 workstations I had assigned Int X on via Managed Endpoint Software that was problematic, rebooted and shes running fine now - with no crashing issues.

Its obviously not a Microsoft issue!

I've added this to the list of topics to discuss with our account manager, account executive, sophos engineer, and upgrade/renewals staff @Sophos on our next review call. 

I'm waiting to hear back from the end-user, but I saw first hand IE crashing whenever he loaded it (I even had Shockwave disabled as well).  I thought maybe it was something to do with his home page which was MSN (Lenovo) so I changed it to Google and IE didn't crash when opening.  Had him access his main sites and everything was working.

If it continues to work (which I'll report back on), maybe check to see what home page the user has. 

If anyone has any dumps of the iexplorer.exe process from the crashes, having installed procdump as per my previous post on this thread, can you install Windbg either from the SDK or even Windbg Preview from the Microsoft Store.  After doing so can you paste the contents of running the command:
!analyze -v
It will be interesting to see if everyone is seeing the same error.

Regards,
Jak