
Software hangs with Endpoint installed.

This software hangs.

I’ve tried every sort of component disabling, website and directory excluding I can think of.

Nothing but uninstalling the Endpoint software helps.

Windows 7 IE11 seems to be the culprit on multiple machines.

They say IE10 was not an issue.

Endpoint 10.6.3 and the 10.6.4 preview.

 



This thread was automatically locked due to age.
  • I guess this runs in the browser? If so, have you tried preventing the Sophos detours DLL being loaded by iexplore.exe?

    The quick way would be to close IE, open Regedit and set:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
    LoadAppInit_DLLs = 0

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows
    LoadAppInit_DLLs = 0

    This will ensure that both 32 and 64-bit processes don't get sophos_detoured_x64.dll/sophos_detoured.dll loaded into them as they start.

    Note: This will stop all DLLs in the AppInit_DLLs value (same key as above) from loading into processes.  Maybe you have some in that list you need from other software? In which case, rather than disabling all, you could remove the Sophos DLL from the AppInit_DLLs value.

    You can confirm with Process Explorer (technet.microsoft.com/.../processexplorer.aspx) that the Sophos DLL is no longer loaded into the process using the lower pane.

    Do you see the issue now?

    The other Sophos modules that could be loaded are those belonging to the Sophos Web Intelligence and Control features.

    On Windows 7, the web protection and web control features require a Layered Service Provider (LSP) and filter DLL (filter is only loaded by browser processes, the LSP is loaded by all processes using Winsock) to be loaded into the browser process in order to set up a local proxy.

    If you disable the 2 Web Protection features: Content Scanning and malicious download scanning and then also disable Web control, then the LSP will be removed by the Sophos WebIntelligence update service on the next restart.  This way, processes that call Winsock will not load the LSP.

    You may want to run:
    netsh winsock show catalog > cat.txt
    To see the Sophos entry before and then removed after.

    Again you can use Process Explorer to check that the LSP and filter DLL are no longer loaded in the iexplore.exe process.

    I hope eliminating one of these 2 features helps to narrow it down.

    Regards,

    Jak
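
Added example, not part of the post above and not Sophos tooling: a PowerShell check that makes no registry changes, listing what each AppInit_DLLs view contains before LoadAppInit_DLLs is set to 0, and saving the Winsock provider DLL paths so the LSP removal can be confirmed after the restart. The function names, the output file name, and matching on "sophos" in the path are assumptions; the parsing assumes English `netsh` output.

```powershell
# Run from an elevated 64-bit PowerShell prompt
# (a 32-bit prompt is redirected to WOW6432Node for both paths).
$views = @(
    @{ Name = '64-bit'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' },
    @{ Name = '32-bit'; Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows' }
)

function Get-AppInitState {
    foreach ($v in $views) {
        if (-not (Test-Path $v.Path)) { continue }   # no WOW6432Node on 32-bit Windows
        $key  = Get-ItemProperty -Path $v.Path
        # AppInit_DLLs is one string; entries are separated by spaces or commas
        # and may be stored as 8.3 short paths, so match on the folder name.
        $dlls = @("$($key.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })
        New-Object psobject -Property @{
            View             = $v.Name
            LoadAppInit_DLLs = $key.LoadAppInit_DLLs
            SophosEntries    = @($dlls -match 'sophos')     # assumption: path contains "sophos"
            OtherEntries     = @($dlls -notmatch 'sophos')  # these also stop loading when set to 0
        }
    }
}

function Get-WinsockProviderPath {
    # Each catalog entry carries a "Provider Path:" line naming the provider DLL.
    netsh winsock show catalog |
        Select-String -Pattern '^\s*Provider Path:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } |
        Sort-Object -Unique
}

Get-AppInitState | Format-List

# Before disabling the web features, save the current provider paths:
Get-WinsockProviderPath | Set-Content "$env:TEMP\lsp-before.txt"

# After the restart, list provider DLLs that were removed (<=) or added (=>):
# Compare-Object (Get-Content "$env:TEMP\lsp-before.txt") (Get-WinsockProviderPath)
```

If OtherEntries is not empty for a view, removing only the Sophos entry from AppInit_DLLs keeps the other software's DLLs loading, as the note in the post describes.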

     

  • Thanks.

    Setting the LoadAppInit_DLLs = 0 seems to have helped.

    I undid all the other adjustments I've made and I'm waiting for the user to try again.

  • OK. That would suggest that the Sophos detours DLL could be the issue.

    I would suggest doing the following with detours loaded again and the issue happening:

    1. Download Procdump - https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx.

    2. In an administrative command prompt run:

    procdump -ma -h -w iexplore.exe C:\windows\temp\iexplore.dmp

    3. Next time iexplore.exe hangs, hopefully you'll have a dump of the process in the hung state written to C:\windows\temp\iexplore.dmp.

    4. The threads that have detours on the stack would be interesting to see.  Maybe submit that to Support.

    Regards,
    Jak

     

  • She's testing now, and my bet is on her not hanging.

    There are other users that need to be addressed once I settle on a resolution.

    I will try this on one of them.

  • Multiple processes match the specified name.

  • OK, maybe wait until iexplore.exe hangs and then use:

    procdump -ma 1234 C:\windows\temp\iexplore.dmp

    where: 1234 is the PID of the iexplore.exe process that has hung.  

    I would suggest using Process Explorer https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx to understand which iexplore.exe process has hung in order to get the PID.

    You can drag the cross-hairs graphic of Process Explorer onto the IE window to highlight the process and get the PID.  
    You can also add the Window title to the Process Explorer view which may also help identify the hung process.

    Other than that I suppose you could create a dump of each.
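
Added example, not part of the post above: a PowerShell sketch for the "Multiple processes match the specified name" case that lists every iexplore.exe with its PID and window title, then runs the same `procdump -ma <PID>` command against the ones Windows reports as not responding, or against each one if none is flagged. The function names and dump file naming are assumptions; it expects procdump.exe on PATH and an elevated prompt.

```powershell
$dumpDir = 'C:\windows\temp'

function Get-IexploreCandidates {
    # One row per iexplore.exe process, with the details needed to pick the hung one.
    Get-Process -Name iexplore -ErrorAction SilentlyContinue |
        Select-Object Id, Responding, MainWindowTitle, StartTime
}

function Save-IexploreDumps {
    $all  = @(Get-IexploreCandidates)
    # Responding is only meaningful for a process that owns a top-level window;
    # a process without one always reports True, so fall back to dumping each.
    $hung = @($all | Where-Object { -not $_.Responding })
    $targets = if ($hung.Count) { $hung } else { $all }
    foreach ($p in $targets) {
        # One file per PID so that several dumps do not overwrite each other.
        $out = Join-Path $dumpDir ("iexplore_{0}.dmp" -f $p.Id)
        & procdump.exe -accepteula -ma $p.Id $out
    }
}

Get-IexploreCandidates | Format-Table -AutoSize
Save-IexploreDumps
```

A full (`-ma`) dump contains the whole memory of the browser process, including page content, so treat the files as sensitive when handing them to anyone.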

     

     

     

     

  • Thanks.

    I used right-click in the process viewer to create the dump.

    You want to see it?

    I still have not heard back from support@sophos.com

  • I'll take a quick look if you want to make it available.  It may require symbols to know exactly what the Sophos modules are doing (where loaded) but I can check what the Microsoft modules are up to.

     

  • Has anyone heard an update on this issue with Sophos and IE?

    We are seeing this affecting many users that unfortunately need to use IE for certain websites that are only supported on IE (that is a whole other issue I wish I could solve...). Has Sophos made a fix for this, or have a plan to?

    We are currently on the full Sophos Suite, and Endpoint Advanced 10.8.1.2 and Intercept X 2.0.3

  • Old thread, but for me it seems to be back on a customer system (Terminal Server environment based on Windows Server 2012 R2).

    After installing Sophos Central Server protection a business-related ActiveX control started to crash even with all protection features disabled for troubleshooting.

    Finally (after finding this thread) setting the value LoadAppInit_DLLs to 0 solved the crash issue.

    The same component on a Windows 7 client with Sophos Central Endpoint protection does not crash.

    Best greetings from Germany
    Olaf

  • Do you have a dump to share?  

    Out of interest, if you close all IE processes, create the reg key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MEMPROTECT_MODE

    Under that create a DWORD called:

    iexplore.exe

    set the value to 0.

    You may also need to create the same FEATURE_MEMPROTECT_MODE reg key under the native key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\

    Do you see the issue with the Sophos DLL loaded again?

    I suspect you could also set it under:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MEMPROTECT_MODE
    and
    HKEY_CURRENT_USER\Software\wow6432node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MEMPROTECT_MODE

    to configure this on a user rather than computer basis.

    Interested to know if this helps.

    Regards,

    Jak

  • Hi Jak,

    I cannot make dumps from machines belonging to our customers available in the Internet (data protection regulations).

    Tried the key you mentioned and the crash is still there with the iexplore.exe values added and the Sophos DLL loaded.

    Best greetings from Germany
    Olaf