media player classic crashing to desktop (being blocked)

All of a sudden this a.m., a few of my users are reporting that Media Player Classic is crashing to desktop. Sure enough, when I try it on their machines, it's true. After temporarily disabling Sophos Endpoint, Media Player Classic is working fine.


There is nothing in the logs of the machine, or the event log on cloud.sophos.com (as normal, how hard is it to LOG when Sophos DOES SOMETHING...) ffs...

Once I figure out wtf component is doing the blocking, I'm sure I can whitelist it somewhere. But this is damned annoying, Sophos... At least I just skip straight to disabling the virus scanner when these things happen, because I KNOW if *** just randomly starts breaking whose fault it generally is...

  • Seems like it was the component "exploit mitigation", which does not seem to have a policy.

     

    I have been able to work around this now by whitelisting using "exploit mitigation" ( https://docs.sophos.com/central/Customer/help/en-us/central/Customer/tasks/ep_exploitmitigationexclusions.html )

    Basically, go to Settings -> Global Exclusions -> then add an exclusion of type "exploit mitigation", find the two Media Player Classic items (32 and 64 bit), and create rules. It was pretty quickly solved after that.

     

    Can we work towards not randomly banning mission-critical applications, please?

  • In reply to givemecontrol:

    Out of interest, what was in the Application event log, Event ID 911?

    Thanks.

  • In reply to jak:

    Nope, it manifested as a straight-up crash, ID 1000 Application Error:

     

    Faulting application name: mpc-hc64.exe, version: 1.7.10.252, time stamp: 0x57800c12
    Faulting module name: ntdll.dll, version: 10.0.17763.592, time stamp: 0x0f1b8afd
    Exception code: 0xc0000005
    Fault offset: 0x000000000000f891
    Faulting process id: 0x2e1c
    Faulting application start time: 0x01d54c958c666f20
    Faulting application path: C:\Program Files (x86)\K-Lite Codec Pack\MPC-HC64\mpc-hc64.exe
    Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
    Report Id: 0502082f-99e5-40d4-928f-1d54a21e8491
    Faulting package full name:
    Faulting package-relative application ID: 

     

    Another example:

     

    Faulting application name: mpc-hc64.exe, version: 1.7.10.252, time stamp: 0x57800c12
    Faulting module name: mpc-hc64.exe, version: 1.7.10.252, time stamp: 0x57800c12
    Exception code: 0xc000041d
    Fault offset: 0x00000000006351d8
    Faulting process id: 0x30ec
    Faulting application start time: 0x01d54c94d22ba5b4
    Faulting application path: C:\Program Files (x86)\K-Lite Codec Pack\MPC-HC64\mpc-hc64.exe
    Faulting module path: C:\Program Files (x86)\K-Lite Codec Pack\MPC-HC64\mpc-hc64.exe
    Report Id: bc0b6a69-3a47-45fb-8e2d-6c7a8ea534de
    Faulting package full name:
    Faulting package-relative application ID:
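
A small triage helper for Event ID 1000 text like the entries posted above, added here as an example and not part of the original thread: it names the exception code, converts the start-time FILETIME to UTC, and notes whether the fault was in the application's own image. The function names and the NTSTATUS table (limited to the two codes seen in this thread) are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Names for the two exception codes that appear in this thread (NTSTATUS values).
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000041D: "STATUS_FATAL_USER_CALLBACK_EXCEPTION",
}

# Event ID 1000 text copied from the first crash posted above (trimmed).
SAMPLE = r"""
Faulting application name: mpc-hc64.exe, version: 1.7.10.252, time stamp: 0x57800c12
Faulting module name: ntdll.dll, version: 10.0.17763.592, time stamp: 0x0f1b8afd
Exception code: 0xc0000005
Fault offset: 0x000000000000f891
Faulting process id: 0x2e1c
Faulting application start time: 0x01d54c958c666f20
"""

def filetime_to_utc(hex_value):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    ticks = int(hex_value, 16)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_event_1000(text):
    """Turn the 'Key: value' lines of an Application Error event into a triage dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            fields[key] = value
    app = fields["Faulting application name"].split(",")[0]
    module = fields["Faulting module name"].split(",")[0]
    code = int(fields["Exception code"], 16)
    return {
        "application": app,
        "module": module,
        "exception": NTSTATUS.get(code, hex(code)),
        "pid": int(fields["Faulting process id"], 16),
        "started_utc": filetime_to_utc(fields["Faulting application start time"]),
        # False means the faulting instruction was in another module (here ntdll.dll).
        "fault_in_own_image": module.lower() == app.lower(),
    }

if __name__ == "__main__":
    for k, v in parse_event_1000(SAMPLE).items():
        print(f"{k}: {v}")
```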

  • In reply to givemecontrol:

    Might be worth capturing a full process dump when it crashes. I always perform the following steps:

    1. Create C:\dumps\
    2. Download procdump.exe from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump to that new directory.
    3. In an Admin prompt run:
      Procdump -ma -i C:\dumps
    4. Reproduce the problem and you should have at least 1 dump file under C:\dumps.
    5. Unregister procdump by running:
      procdump -u 

    Would you consider uploading the dump file?

    Regards,
    Jak

  • In reply to jak:

    Yeah, sorry, I am understaffed and just fighting fires these days. I don't have time to do this. Plus I have to break it again and I am not doing that. We use Media Player Classic to listen to voicemails, as well as being the default audio player for the computer. So it affects many people when it's not working.

    I am sure I am not the only one, so maybe the next hapless soul who runs across this can do your diagnostics.