
Excluding iexplore.exe

What kind of issues would I be opening myself up to if I excluded iexplore.exe from on-access scanning?  You are probably asking WHY I would want that. We have been having issues with a web-based application that runs in IE.  Right now I am in the process of testing the application without Sophos on the system at all to see how it performs.  If we see no issues running the application on a Sophos-less machine, I'm afraid the only option would be to exclude iexplore.exe from on-access scanning policies.

Thoughts?



This thread was automatically locked due to age.
  • What platform are you seeing an issue with? Windows 7 and Windows 10?

    I assume that the issue is more likely to do with the Web Protection and/or Web Control feature rather than on-access?

    Are you using Sophos Central or SEC managed endpoints?

  • We are running Windows 7 64-bit and IE 32-bit.  The web protection and web control are turned off.  All traffic NOT related to this product goes through our Sophos Web Application proxy.  We are using SEC managed endpoints.

  • Just to clarify, you don't have an issue but are interested to know all the "hooks" and scanning that takes place so you can remove features one at a time that relate to IE should you have an issue?

    I can certainly help you pick things apart and isolate features one at a time.  For example:

    For the Windows 7 platform, which uses an in-process web proxy, if you say: "The web protection and web control are turned off" then you shouldn't have the Sophos LSP and Sophos Filter dll loaded into iexplore.exe. Can you confirm this with Process Explorer (docs.microsoft.com/.../process-explorer) by looking at the loaded modules in the iexplore.exe process?

    With those features disabled (web protection and web control) and the computer restarted there should be no reference in the Winsock catalog to the Sophos LSP.  You can check there is no referenced Sophos DLL running:
    netsh winsock show catalog > wsc.txt
    and then checking wsc.txt

    The only other module that would be loaded into the process from Sophos Anti-Virus would be detours. 
    C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll
    or
    C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll
    This is brought into the process at startup due to the AppInit_DLLs registry value referencing it in:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows NT\CurrentVersion\Windows

    If you have Hitman Pro, the exploit prevention and Cryptoguard piece, then there would also be the hmpalert.dll file, injected into the process at startup by the hmpalert driver.

    Regards,
    Jak
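
The Winsock catalog and AppInit_DLLs checks described in the reply above can be scripted as follows. This is an added example, not part of the original post or Sophos tooling; it assumes Sophos components carry "sophos" in their file path and that it is run from 64-bit PowerShell so both registry views are read as written.

```powershell
# Added example: report Sophos references in AppInit_DLLs and the Winsock catalog.
# Assumption: any Sophos DLL is identifiable by "sophos" in its path.
$pattern = 'sophos'

# Both registry views named in the reply (native 64-bit and 32-bit/WOW64).
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

$appInit = foreach ($key in $keys) {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $p) { continue }   # key missing (e.g. 32-bit OS has no Wow6432Node)
    [pscustomobject]@{
        Key              = $key
        AppInit_DLLs     = $p.AppInit_DLLs
        # LoadAppInit_DLLs = 0 means the listed DLLs are not loaded at all.
        LoadAppInit_DLLs = $p.LoadAppInit_DLLs
        ReferencesSophos = [bool]($p.AppInit_DLLs -match $pattern)
    }
}
$appInit | Format-List

# Dump the Winsock catalog to wsc.txt, as in the reply, then search it.
$catalog = netsh winsock show catalog
$catalog | Set-Content -Path .\wsc.txt

$hits = $catalog | Select-String -Pattern $pattern -Context 3,3
if ($hits) {
    'Sophos entries still present in the Winsock catalog:'
    $hits
} else {
    'No Sophos reference found in the Winsock catalog.'
}
```

The loaded-module check inside iexplore.exe is left to Process Explorer, as in the reply; review every entry in AppInit_DLLs rather than only the Sophos one, since that value loads its DLLs into each process that loads user32.dll.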

     

  • I do have performance issues with specific websites in Internet Explorer.  I am in the process of trying to rule out Sophos as an issue but the jury is still out.  The vendor keeps playing the blame game so I am really trying to get everything in order on the Sophos side.

    The information you have already provided is fantastic.  I will be checking out this information next week and report back.
