Chrome declares Sophos Anti-Virus as incompatible application

Is anyone else having Chrome report "Sophos Anti-Virus" as an incompatible application after a crash and do Sophos have any plans to address the issue?

A good write-up of the issue can be found here:

https://www.bleepingcomputer.com/news/google/google-chrome-showing-alerts-about-incompatible-applications/

 

Thanks,

Michael

  • Hi Michael Gilmour,

    According to the article that you posted:

    "When it comes to security software, I would think more people would prefer to have a fully functional antivirus software on their computer with occasional browser crashes, rather than no protection at all. Therefore, if Chrome is displaying your antivirus software as an incompatible application, I suggest you ignore the warning for now."

    I'd like to gather additional information so that we can better assist you:

    What's the exact Sophos version installed (and are there any other Sophos products in place?)
    What's the Chrome version?
    What's your OS? 
    You mentioned a crash, what crashed? Chrome? Sophos? Do you have any dmp files or crash files that we can review?
    Are there any addons involved?
    Are all of your machines presenting this behavior?

    Regards,

  • Depending on the OS and the features enabled there will be a number of modules injected into the Chrome.exe process by default.  These can be seen by using a tool such as Process Explorer.

    1. sophos_detoured_x64.dll / sophos_detoured.dll
    This DLL is an "AppInit_DLLs" for Data Control and BOPS depending on the version of SAV installed.
    https://support.microsoft.com/en-gb/help/197571/working-with-the-appinit-dlls-registry-value 

    2. hmpalert.dll 
    This DLL is injected into processes by the HMPA service for exploit mitigation.

    3. swi_filter_64.dll / swi_filter.dll and swi_ifslsp_64.dll / swi_ifslsp.dll
    If you are using Windows 7 / 2008R2 and have Web Protection or Web Control functionality enabled then a Layered Service Provider (LSP) is installed in the system.  As the LSP is referenced in the Winsock Catalog the Chrome.exe process will load this module and the associated filter dll.  This is to perform in process filtering of web traffic.
    On Windows 8.1/Windows 10, etc., this is performed out of process so no module is loaded into Chrome.

    So the OS and the features you have enabled/installed are important here.

    Regards,
    Jak
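
The check described in the post above, scripted instead of done by hand in Process Explorer (an added example, not part of the original post and not Sophos tooling): it reports which of the module names listed above are loaded in running chrome.exe processes, then shows the AppInit_DLLs registry value and any Winsock catalog entry they would come from. The function names are illustrative; run it from 64-bit PowerShell as the user who owns the Chrome processes.

```powershell
# Added example. Module names are the ones listed in the post above.
$SophosModules = @{
    'sophos_detoured.dll'     = 'AppInit_DLLs (Data Control / BOPS)'
    'sophos_detoured_x64.dll' = 'AppInit_DLLs (Data Control / BOPS)'
    'hmpalert.dll'            = 'HMPA exploit mitigation'
    'swi_filter.dll'          = 'Web Protection / Web Control filter'
    'swi_filter_64.dll'       = 'Web Protection / Web Control filter'
    'swi_ifslsp.dll'          = 'Web Protection / Web Control LSP'
    'swi_ifslsp_64.dll'       = 'Web Protection / Web Control LSP'
}

function Get-SophosModuleInProcess {
    param([string]$ProcessName = 'chrome')
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        # Reading .Modules fails if the process has exited or access is denied.
        try { $modules = @($proc.Modules) } catch { continue }
        foreach ($m in $modules) {
            if ($m -and $m.ModuleName -and $SophosModules.ContainsKey($m.ModuleName)) {
                [pscustomobject]@{
                    ProcessId = $proc.Id
                    Module    = $m.ModuleName
                    Path      = $m.FileName
                    Feature   = $SophosModules[$m.ModuleName]
                }
            }
        }
    }
}

function Get-AppInitDllSetting {
    # 64-bit and 32-bit (Wow6432Node) views of the AppInit_DLLs value.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($key in $keys) {
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($v) {
            [pscustomobject]@{
                Key              = $key
                LoadAppInit_DLLs = $v.LoadAppInit_DLLs
                AppInit_DLLs     = $v.AppInit_DLLs
            }
        }
    }
}

Get-SophosModuleInProcess | Sort-Object Module, ProcessId | Format-Table -AutoSize
Get-AppInitDllSetting | Format-List
# Winsock catalog entries referencing the LSP named in the post (Windows 7 / 2008 R2).
netsh winsock show catalog | Select-String -Pattern 'swi_ifslsp'
```

An empty first table means none of the listed modules are loaded in Chrome on that machine, which is what the post describes for the web filtering modules on Windows 8.1 and Windows 10.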

  • In reply to Barb@Sophos:

    Thanks Barb & Jak,

     

    We've only had one report of this so far, by a colleague, so it may be going unreported elsewhere. I notice the Chrome dev mentioned in the original linked article suggests "this feature is currently considered experimental so not all users will see these warnings" which might explain why I'm unable to replicate it.

     

    The particular incident was seen after Chrome crashed and was relaunched in the following environment:

    Windows 10 x64 1709

    Chrome x64 v68.0.3440.106

    Sophos SEC 10.8

    Web protection enabled

    Sophos EXP (HMPA) enabled

     

    The original article makes it clear why the behaviour is being seen and suggests it may not even be Sophos that had caused the crash in the first place but my concern is that Sophos is taking the rap and is being suggested to be uninstalled (luckily our users don't have the rights to do that).

     

    My next concern is the statement the Chrome dev makes that, rather than a warning, the actual behaviour will be blocked in a future version of Chrome. When this happens will we have all the same AV functionality in Chrome that we do now or will some protections be lost?

     

    Note, the note at the bottom of the following article suggests that the blocking (rather than warning) behaviour may have already started (with Chrome 69) : blog.chromium.org/.../reducing-chrome-crashes-caused-by-third.html

    "Updated 2018-06-21: Third-party software will be blocked from injecting code into Chrome on Windows starting in Chrome 69."

     

    As long as Sophos have things in hand with Chrome that's fine, I just wanted to check that they do as information on the issue/behaviour seems a bit sparse. If you would like me to raise a support call I will but am currently unable to replicate.

     

    Thanks again,

    Michael

  • Hi Michael Gilmour,

    This is something that needs to be checked with Chrome as Sophos is behaving as expected, injecting into Chrome to monitor malicious activity. The following thread provides additional insight on the alert that you are seeing and the Chrome Dev has explained it in brief. At this point in time Chrome is just alerting about the applications that are trying to inject into Chrome and it doesn't block, so there is no degradation on the level of protection that we offer.

    Chrome -Incompatible applications alert

  • In reply to Gowtham Mani:

    Hello

    We have many crash problems with Sophos Web Filtering and Chrome v71, only for local hosted site.

    Very, very slow... and after a few minutes, crash and no answer, no way to restart Chrome.

    W10 / Sophos 10.8 / Triton Endpoint

    We stopped the "Sophos Web Filter" (system name: swi_filter) and no more problem, so do you know about a known issue?

    thanks

  • In reply to jean-philippe CLERC:

    What if you uninstall Triton EP but leave Sophos Web Protection functioning, does that work?

  • In reply to jean-philippe CLERC:

    Hi  

    I am not aware of any known issues that match the scenario that you have reported. However, we did have Sophos Intercept X/Exploit Prevention having compatibility issues with Triton DLP.

    Forcepoint DLP (formally Websense TRITON AP-DATA) is incompatible with Sophos Intercept X / Exploit Prevention

    Can you try removing Triton Endpoint and check if the issue is still seen? If yes, I would suggest you contact our support to have this investigated.

  • In reply to Gowtham Mani:

    Hi   

    Yes, with removing Triton, no problem.

    Forcepoint support confirmed having incompatibility issue with Sophos, and Chrome for navigator, testing actually to whitelist Sophos Component.

    I'll keep you informed.

    thanks