Is anyone else having Chrome report "Sophos Anti-Virus" as an incompatible application after a crash and do Sophos have any plans to address the issue?
A good write-up of the issue can be found here:
Thanks,
Michael
Hi Michael Gilmour,
According to the article that you posted:
"When it comes to security software, I would think more people would prefer to have a fully functional antivirus software on their computer with occasional browser crashes, rather than no protection at all. Therefore, if Chrome is displaying your antivirus software as an incompatible application, I suggest you ignore the warning for now."
I'd like to gather additional information so that we can better assist you:
What's the exact Sophos version installed (and are there any other Sophos products in place?)
What's the Chrome version?
What's your OS?
You mentioned a crash, what crashed? Chrome? Sophos? Do you have any dmp files or crash files that we can review?
Are there any addons involved?
Are all of your machines presenting this behavior?
Regards,
Barb@Sophos
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Depending on the OS and the features enabled there will be a number of modules injected into the Chrome.exe process by default. These can be seen by using a tool such as Process Explorer.
1. sophos_detoured_x64.dll / sophos_detoured.dll
This DLL is a "AppInit_DLLs" for Data Control and BOPS depending on the version of SAV installed.
https://support.microsoft.com/en-gb/help/197571/working-with-the-appinit-dlls-registry-value
2. hmpalert.dll
This DLL is injected into processes by the HMPA service for exploit mitigation.
3. swi_filter_64.dll / swi_filter.dll and swi_ifslsp_64.dll / swi_ifslsp.dll
If you are using Windows 7 / 2008R2 and have Web Protection or Web Control functionality enabled then a Layered Service Provider (LSP) is installed in the system. As the LSP is referenced in the Winsock Catalog the Chrome.exe process will load this module and the associated filter dll. This is to perform in process filtering of web traffic.
On Windows 8.1/Windows 10, etc.. this is performed out of process so no module is loaded into Chrome.
So what OS and the features you have enabled/installed are important here.
Regards,
Jak
Thanks Barb & Jak,
we've only had one report of this so far, by a colleague, so it may be going unreported elsewhere. I notice the Chrome dev mentioned in the original linked article suggests "this feature is currently considered experimental so not all users will see these warnings" which might explain why I'm unable to replicate it.
The particular incident was seen after Chrome crashed and was relaunched in the following environment:
Windows 10 x64 1709
Chrome x64 v68.0.3440.106
Sophos SEC 10.8
Web protection enabled
Sophos EXP (HMPA) enabled
The original article makes it clear why the behaviour is being seen and suggests it may not even be Sophos that had caused the crash in the first place but my concern is that Sophos is taking the rap and is being suggested to be uninstalled (luckily our users don't have the rights to do that).
My next concern is the statement that the Chrome dev makes is that rather a warning, the actual behaviour will be blocked in a future version of Chrome. When this happens will we have all the same AV functionality in Chrome that we do now or will some protections be lost?
Note, the note at the bottom of the following article suggests that the blocking (rather than warning) behaviour may have already started (with Chrome 69) : blog.chromium.org/.../reducing-chrome-crashes-caused-by-third.html
"Updated 2018-06-21: Third-party software will be blocked from injecting code into Chrome on Windows starting in Chrome 69."
As long as Sophos have things in hand with Chrome that's fine, I just wanted to check that they do as information on the issue/behaviour seems a bit sparse. If you would like me to raise a support call I will but am currently unable to replicate.
Thanks again,
Michael
Hi Michael Gilmour,
This is something that needs to be checked with Chrome as Sophos is behaving as expected injecting into chrome to monitor malicious activity. The following thread provides additional insight on the alert that you are seeing and the Chrome Dev has explained it in brief. At this point of time Chrome is just alerting the applications that are trying to inject into chrome and it doesn't block, so there is no degradation on the level of protection that we offer.
Regards,
Gowtham Mani
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Hello
We have many crash problems with Sophos Web Filtering and Chrome v71, only for local hosted site.
very very slow... and after a few minutes, crash and no answer, no way to restart Chrome.
W10 / Sophos 10.8 / Triton Endpoint
We stopped the "Sophos Web Filter" (system name: swi_filter) and no more problem, so do you know about a known issue ?
thanks
I am not aware of any known issues that match the scenario that you have reported. However, we did have Sophos Intercept X/Exploit Prevention having compatibility issues with Triton DLP.
Can you try removing Trition Endpoint and check if the issue is still seen? if yes, I would suggest you to contact our support to have this investigated.
Regards,
Gowtham Mani
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Hi Gowtham Mani jak
yes with removing Triton, no problem
Forcepoint support confirmed having incompatibily issue with Sophos, and Chrome for navigator, testing actually to whitelist Sophos Component,
i keep you informed
thanks
