Excluding iexplore.exe

What kind of issues would I be opening myself up to if I excluded iexplore.exe from on-access scanning?  You are probably asking WHY I would want that. We have been having issues with a web based application that runs in IE.  Right now I am in the process of testing the application without Sophos on the system at all to see how it performs.  If we see no issues running the application on a Sophos-less machine I'm afraid the only option would be to exclude iexplore.exe from on-access scanning policies.

Thoughts?



  • What platform are you seeing an issue with? Windows 7 and Windows 10?

    I assume that the issue is more likely to do with the Web Protection and/or Web Control feature rather than on-access?

    Are you using Sophos Central or SEC managed endpoints?

  • We are running Windows 7 64-bit and IE 32-bit.  The web protection and web control are turned off.  All traffic NOT related to this product goes through our Sophos Web Application proxy.  We are using SEC managed endpoints.

  • Just to clarify, you don't have an issue but are interested to know all the "hooks" and scanning that takes place so you can remove features one at a time that relate to IE should you have an issue?

    I can certainly help you pick things apart and isolate features one at a time.  For example:

    For the Windows 7 platform, which uses an in-process web proxy, if you say "the web protection and web control are turned off" then you shouldn't have the Sophos LSP and Sophos Filter DLL loaded into iexplore.exe. Can you confirm this with Process Explorer (docs.microsoft.com/.../process-explorer) when looking at the loaded modules in the iexplore.exe process?

    With those features disabled (web protection and web control) and the computer restarted there should be no reference in the Winsock catalog to the Sophos LSP.  You can check there is no referenced Sophos DLL running:
    netsh winsock show catalog > wsc.txt
    and then checking wsc.txt

    The only other module that would be loaded into the process from Sophos Anti-Virus would be detours:
    C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll
    or
    C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll
    This is brought into the process at startup due to the AppInit_DLLs registry value referencing it in:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows NT\CurrentVersion\Windows

    If you have Hitman Pro, the exploit prevention and Cryptoguard piece then there would also be the hmpalert.dll file as injected into the process at startup by the hmpalert driver.

    Regards,
    Jak
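
The checks Jak lists above (loaded modules in iexplore.exe, the Winsock catalog, and the two AppInit_DLLs registry values) can be collected in one go. The script below is an added example written for this thread, not something Jak or Sophos posted; the registry paths and DLL names come from the reply, while the function names, the `hmpalert` match and the layout of the report are my own assumptions. Process Explorer remains the authoritative view of loaded modules; `Get-Process -Module` from a 64-bit PowerShell session may not list every module of a 32-bit iexplore.exe, so run it from the 32-bit PowerShell (SysWOW64) if the module list comes back empty. Run elevated.

```powershell
# Added diagnostic for this thread (not Sophos code). Reports which Sophos
# components are hooked into Internet Explorer, following Jak's checklist:
#  1. Sophos modules loaded in running iexplore.exe processes
#  2. Sophos DLLs referenced by AppInit_DLLs in both registry views
#  3. Sophos entries in the Winsock catalog (the LSP)

# Registry paths quoted in the thread (native and WOW6432Node views)
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-IeSophosModules {
    # Scripted stand-in for Process Explorer's module view. Module
    # enumeration errors (bitness mismatch, access denied) are suppressed.
    Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        $modules = @()
        try { $modules = $proc.Modules } catch { }
        $modules | Where-Object { $_.FileName -match 'sophos|hmpalert' } |
            ForEach-Object {
                [pscustomobject]@{
                    PID         = $proc.Id
                    Module      = $_.ModuleName
                    Path        = $_.FileName
                    Description = $_.FileVersionInfo.FileDescription
                }
            }
    }
}

function Get-AppInitSophosDlls {
    foreach ($key in $appInitKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $value = [string]$props.AppInit_DLLs
        # AppInit_DLLs is a space- or comma-separated list of DLL paths
        $entries = @($value -split '[ ,]+' | Where-Object { $_ })
        [pscustomobject]@{
            Key              = $key
            LoadAppInit_DLLs = $props.LoadAppInit_DLLs
            AppInit_DLLs     = $value
            SophosEntries    = @($entries | Where-Object { $_ -match 'sophos_detoured' })
        }
    }
}

function Get-WinsockSophosEntries {
    # Same data as "netsh winsock show catalog > wsc.txt", but each catalog
    # entry (blocks separated by blank lines) is filtered for Sophos here.
    $catalog = (netsh winsock show catalog 2>&1) -join "`n"
    $catalog -split '(?:\r?\n){2,}' | Where-Object { $_ -match 'sophos' }
}

Write-Host '== Sophos/HMPA modules loaded in iexplore.exe =='
Get-IeSophosModules | Format-Table -AutoSize

Write-Host '== AppInit_DLLs values =='
Get-AppInitSophosDlls | Format-List

Write-Host '== Winsock catalog entries mentioning Sophos (expect none with web protection/control off) =='
Get-WinsockSophosEntries
```

With web protection and web control disabled and the machine restarted, the Winsock section should be empty and the only Sophos module in the process should be sophos_detoured.dll (plus hmpalert.dll if HitmanPro.Alert is installed), which matches what the reply predicts.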


  • I do have performance issues with specific websites in Internet Explorer.  I am in the process of trying to rule out Sophos as an issue but the jury is still out.  The vendor keeps playing the blame game so I am really trying to get everything in order on the Sophos side.

    The information you have already provided is fantastic.  I will be checking out this information next week and report back.

  • I see that the iexplore.exe process has "sophos_detoured.dll" loaded with the description of "Sophos Buffer Overrun Protection".  What is the purpose of this? Can it be disabled?


    In my testing with a Sophos-less box performance has been very favorable and people do not want me to remove the test machine. 


  • C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll
    or
    C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll
    depending on whether it's a 32- or 64-bit process, is loaded into a process at startup due to the AppInit_DLLs registry value referencing it in:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows NT\CurrentVersion\Windows

    This is used for the buffer overflow feature and is also used if you're using Data Control policy.  If you have HMPA it's questionable how much you need this for Buffer Overflow.

    You can permanently prevent the appinit_dlls entry being created by the Sophos Anti-Virus installer by creating the registry key:

    64-bit computers:
    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\SetupOptions]
    "DetourDLLState"="excluded"

    32-bit computers:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\SetupOptions]
    "DetourDLLState"="excluded"

    If it's already installed (as you can create the above before installation) you could remove the Sophos paths from the AppInit_DLLs keys above and restart the computer.

    Jak
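
The two options in Jak's reply (the pre-install SetupOptions value, and editing AppInit_DLLs on a machine that already has Sophos installed) are easy to get wrong by hand, because AppInit_DLLs is a delimited list and wiping the whole value would also drop any non-Sophos entries. The script below is an added example for this thread, not code from Jak or Sophos: the registry keys and the "excluded" value are taken from the reply, while the function names, the `-WhatIf` handling and the backup file location are my own assumptions. It must run elevated, and, as the reply says, a restart is required after the AppInit_DLLs change.

```powershell
# Added example for this thread (not Sophos code). Implements the two
# options from the reply above:
#  - Set-SophosDetourExcluded: the pre-install SetupOptions value that stops
#    the Sophos Anti-Virus installer from registering sophos_detoured*.dll
#  - Remove-SophosDetourFromAppInit: on an installed machine, strip only the
#    Sophos entries from AppInit_DLLs in both views, keeping everything else
# Both support -WhatIf so the change can be previewed first.

# Registry paths quoted in the thread (native and WOW6432Node views)
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Set-SophosDetourExcluded {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Per the reply: key is under WOW6432Node on 64-bit Windows, under
    # SOFTWARE directly on 32-bit Windows.
    $key = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\SetupOptions'
    } else {
        'HKLM:\SOFTWARE\Sophos\SAVService\SetupOptions'
    }
    if ($PSCmdlet.ShouldProcess($key, 'Set DetourDLLState=excluded')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name DetourDLLState -Value 'excluded' -Type String
    }
}

function Remove-SophosDetourFromAppInit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed location for a backup of the original values (for rollback)
        [string]$BackupPath = "$env:ProgramData\AppInit_DLLs-backup.json"
    )
    $backup = @{}
    foreach ($key in $appInitKeys) {
        if (-not (Test-Path $key)) { continue }
        $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $current = [string]$props.AppInit_DLLs
        $backup[$key] = $current
        # AppInit_DLLs is a space- or comma-separated list of DLL paths
        $entries = @($current -split '[ ,]+' | Where-Object { $_ })
        $kept    = @($entries | Where-Object { $_ -notmatch 'sophos_detoured' })
        if ($kept.Count -eq $entries.Count) { continue }   # no Sophos entry in this view
        $newValue = $kept -join ' '
        if ($PSCmdlet.ShouldProcess($key, "AppInit_DLLs: '$current' -> '$newValue'")) {
            Set-ItemProperty -Path $key -Name AppInit_DLLs -Value $newValue -Type String
        }
    }
    if ($PSCmdlet.ShouldProcess($BackupPath, 'Write backup of original AppInit_DLLs values')) {
        $backup | ConvertTo-Json | Set-Content -Path $BackupPath
    }
}

# Preview first; drop -WhatIf to apply, then restart the computer.
Remove-SophosDetourFromAppInit -WhatIf
```

Keeping the backup file lets the change be reversed by writing the saved strings back with `Set-ItemProperty`, which matters because the thread's last question, what is lost without the detours DLL, is unanswered here and the buffer overflow protection it provides would be off for every process, not just iexplore.exe.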

  • The other option you could toggle, which isn't a module loaded into iexplore.exe, is Live Protection.  The delays could be due to a live protection lookup.

  • What is HMPA? We are not using data control.


    Is there no way to just stop the DLL from being loaded into Internet Explorer?

  • HMPA is HitmanPro Alert and is the exploit mitigation component as part of Intercept X.

    The way that DLL is loaded, it is loaded for pretty much all processes.  See: https://support.microsoft.com/en-us/help/197571/working-with-the-appinit-dlls-registry-value 

    All or nothing.

    Regards,

    Jak

  • We do not have HMPA or use data control.  What potential risks are we opening ourselves up to by NOT loading the Sophos detours.dll file?