
Sophos 9's Buffer Overflow Protection System (BOPS) and Internet Explorer 8

Hi,

Just wondering if anyone else has noticed any odd behavior of Internet Explorer since upgrading from Sophos 7 to Sophos 9?

We've found that a substantial portion of our machines (Windows XP, Windows Server 2003, and possibly even Windows 7) suffer from a reproducible but statistical-in-nature deadlock in Internet Explorer.

I originally reported the problem on Microsoft's Technet forums (http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/ef0a7af9-26b9-45b5-a05e-0cfd88c42aee) however it soon became clear that the culprit was Sophos_detoured.dll, part of the BOPS in Sophos 9 (and the timeline of the problem occurred very shortly after upgrading substantial portions of our machines to Sophos 9 from the original Sophos 7 clients they had installed.)

I notice someone else on the MS forums said they had the same problem, so I thought I'd post this here to achieve two things:

1. If other people experience this problem, they may know what's causing it instead of tearing their hair out about it

and

2. Perhaps other people have suggestions or advice

I should point out that we have an open ticket with Sophos about this at the moment [#2345512], and I've discovered at least two workarounds (which are both effectively the same workaround from different directions), so I'm not necessarily after assistance, just healthy discussion and information sharing.

As an aside, after I posted about this issue in a similar way on our internal forums, another IT staff member from a completely unrelated area responded along the lines of "Ahhh! That's what's causing it! We've just been reformatting and reinstalling Windows since we were stumped by the problems, and we never connected it with the recent upgrade to 9!"

And finally, the easiest workaround to the problem is to disable BOPS and reboot. There's a reghack that achieves effectively the same thing involving the AppInit_DLLs key (see the referenced Microsoft forum post for details if you're brave.)

Cheers,

Jon.



  • YES I also experience this and it is very frustrating.  I have basically switched over to using Google Chrome, but that is not a workaround that is acceptable to my end users.  

    Unlike you I have been unable to resolve the problem.  Can you post the workaround that works for you?  Edit: I see there are workarounds posted on the TechNet forum. I'll try those now.

    • JonKloske you are a God! 

      After I modified the "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs" key and removed the entry for the sophos-related DLL my problem with IE hangs went away. (that was the only value in the key on my system)

      Actually, since I am running Win7, I also set the new "LoadAppInit_DLLs" key back to the default of "0" at the same time. (Looks like Sophos changes that key to "1" during install).   

      thank you thank you thank you.

      • Jon, 

        Have you done any testing by modifying your Sophos Enterprise Console policy by visiting  "Anti-virus and HIPS policy" -> HIPS runtime behavior ->  unchecking the "Detect buffer overflows" option?

        I'm wondering if that would work as a workaround instead of pushing out a registry change to all client machines?

        I suppose another option would be adding the IE executable to the Authorization Manager -> Buffer Overflow tab?

        • Hi Lestat,

          Yes, the registry patch does the same thing as disabling "Detect buffer overflows" in the HIPS runtime behavior section of the clients.

          We updated our console policy to tell the clients to disable this, however as with most settings in the console we've had limited success with it on the clients: some of them update to the new policy (though technically it requires a reboot before it works fully), some of them don't.

          I tried adding iexplore.exe to the Authorization Manager but I don't think that actually stops the AppInit_DLLs key from containing that for Internet Explorer, merely that if IE does overflow it'll just let it continue (whereas this is a deadlock problem that's deeper than simply Sophos' specific behavior.)

          Kind of a problem with the AppInit_DLLs key though is that it's hard to update properly, because other products (e.g., Google Desktop Search) also add entries here, so you can't just blanket blow it away on clients as it can cause other things to stop working.

          Anyway, Sophos is apparently unable to reproduce this problem in their test lab (though this is a common problem I encounter trying to get support for pretty much every piece of software I look after), so I've kind of gotten bored and moved on to my actual job (since I spent a month trying to get this and about 10 other issues sorted out and got largely nowhere with all but a couple of them, where I managed to figure out local workarounds like this one.)

          Cheers,

          Jon.

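An added example (not from this thread, and not Sophos' tooling) of the per-entry approach Jon describes above: list what is in AppInit_DLLs and LoadAppInit_DLLs, and remove only the entry matching the DLL rather than clearing the whole value, so entries added by other products survive. It assumes the DLL name Sophos_detoured.dll from the first post; the match pattern, the backup file location and the report-only default are my choices.

```powershell
# Added example: audit the AppInit_DLLs list and remove only a named DLL,
# leaving entries added by other products intact. Run from an elevated prompt.
# Assumes the DLL name "Sophos_detoured.dll" from the first post in the thread.
param(
    [string]$DllPattern = 'Sophos_detoured\.dll',          # regex, case-insensitive
    [string]$BackupFile = "$env:TEMP\AppInit_DLLs.bak",    # assumed location
    [switch]$Remove                                        # default is report-only
)

$Key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$props = Get-ItemProperty -Path $Key

$current = [string]$props.AppInit_DLLs
# The value is a list separated by spaces or commas; split it and drop blanks.
$entries = @($current -split '[ ,]+' | Where-Object { $_ -ne '' })
$matched = @($entries | Where-Object { $_ -match $DllPattern })
$keep    = @($entries | Where-Object { $_ -notmatch $DllPattern })

Write-Host "AppInit_DLLs entries ($($entries.Count)):"
$entries | ForEach-Object { Write-Host "  $_" }

# LoadAppInit_DLLs exists on Vista and later; 1 means the list is loaded at all.
if ($null -ne $props.LoadAppInit_DLLs) {
    Write-Host "LoadAppInit_DLLs = $($props.LoadAppInit_DLLs)"
}

if ($matched.Count -eq 0) {
    Write-Host "No entry matches '$DllPattern'; nothing to change."
    return
}
Write-Host "Matching entries: $($matched -join ', ')"

if (-not $Remove) {
    Write-Host "Report-only run. Re-run with -Remove to rewrite the value."
    return
}

# Save the original value first so the change can be reverted by hand.
$current | Out-File -FilePath $BackupFile -Encoding ASCII
Write-Host "Original value saved to $BackupFile"

# Write back only the entries that did not match, space-separated.
Set-ItemProperty -Path $Key -Name 'AppInit_DLLs' -Value ($keep -join ' ')
Write-Host "AppInit_DLLs is now '$($keep -join ' ')'. A reboot is required."
```

Run it without -Remove first to see what the key contains on a given client; the thread notes the change only takes full effect after a reboot.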
          • Hi Sandy,

            I can't seem to find an option to mark a thread as "partially solved", just "solved" (which will mean everyone will stop contributing and Sophos will just forget about the problem which is completely counter to the purpose of this thread.)

            This problem is not yet solved, though we do have a typically cumbersome and unwieldy workaround for it which works in a patchy fashion.

            Regards,

            Jon.

            • Hi Sandy,

              Yes, this post is related to the one in the SB section, in that I just thought I'd throw this out there as a possible cause. But I also definitely wanted to have a dedicated thread about it since it's a confirmed problem in several places here and clearly with other clients as well (in spite of Sophos not being able to confirm it in their test labs).

              Cheers,

              Jon.

                • Interesting - my desktop is a quad core as well (with HT, so 8 logical processors)... the ones in the lab that were affected were dual cores (don't think they had HT).... we didn't get any reports from single core non-HT machines, though that doesn't necessarily mean they weren't affected (plus there's almost none of them left anymore.)

                  I'll do some poking around and see if I can confirm that.

                  • We have about 40 Acer Revo R3600s. These seem to be having major problems. My first thought was maybe the Nvidia Ion chipset/driver.

                    • Hi James,

                      Do you mean to say that you have confirmed you are also affected by this problem which is specific to Internet Explorer? If not, you should start a new thread and provide as much information as you can on what exactly is happening with your Acer PCs. If so, there's a workaround near the top of this page.

                      Regards,

                      Jon.
