
Conflict between Excel 2016, Word 2016 and Intercept X (Office 365)

We are running Office 365 on Windows 10 1703. As you may know, Office 365 updates frequently. Some users today were unable to launch Excel or Word after an update, and the only fix was to uninstall Intercept X. 

I was surprised that there is nothing recent about this in the forum. I would have guessed it was more common, considering it is happening to multiple users in my organization.

There are no Hitman.Pro logs. No events appear in the client or the Central console. Repairing Office does not help.

Is anyone else in this boat with me? I have opened a ticket with Sophos.


EDIT: Since I posted this back in June, I have been able to add the Office applications to the mitigation exclusion list. This has prevented recurrence of the problem, although I wonder what security features I am sacrificing by excluding all the Office programs.



  • We have the same issue. Endpoint Advanced with the exploit prevention DISABLED and it is still mucking things up. Removing (uninstalling) the exploit prevention piece is the only thing that fixes it, and fixes it right away.

    One difference (a slight technical one) is that we are using Office 2016 and 2013. This seems to happen mostly on Windows 7 systems for us as well.

  • I suppose there are 2 things to try to help narrow it down:

    1. Close the Office applications/terminate the processes.

    2. Temporarily rename the hmpalert.dll file to, say, hmpalert.dll.rename.
    Note: For 32-bit processes on a 64-bit computer this would be the one under C:\windows\syswow64\. For 64-bit processes on 64-bit, or 32-bit processes on 32-bit, it is the one under C:\windows\system32\.

    3. Relaunch the applications; this will prevent the hmpalert.dll module from being injected into the processes.

    Note: You can compare this behaviour of the loaded modules with Process Explorer. https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

    If this still fails with the module not loaded, the next step would be to rename the hmpalert.sys driver (\windows\system32\drivers\) and reboot. The driver is responsible for injecting the hmpalert.dll into the processes.

    This distinction would be helpful.

    Regards,

    Jak

  • I edited my post to describe the fix that helped us resume normal operations.

  • Thanks, that's not a great long term fix.

    If you look in the registry of the client, under HKLM\Software\HitmanPro.Alert\, you have all the applications picked up, e.g. Java.exe, firefox.exe. If you select one, you can see the mitigation profile applied. So for Firefox it should be "Browsers", Java.exe would be "Java", Excel.exe would be "Office", etc.

    If you exclude an application under https://cloud.sophos.com/manage/config/settings/exploit-mitigation-exclusions then you're essentially changing the profile for the application to be "Exclude". If you look under the _profiles_ sub-key you can see what mitigations are enabled for each of these profiles. In the case of "Exclude", all mitigations are set to 0.

    As a test, to see which mitigation might be causing an issue with an application (in this case a process classified as "Office"), you can go into the HKLM\Software\HitmanPro.Alert\_profiles_\Office key and toggle the mitigations on the right to 0|1, where 0 is off and 1 is on. You can then restart the "HitmanPro.Alert service" and this will be the config. You do need to restart the service when making local changes in the registry.

    It may be that a specific mitigation is the cause of the issue. Passing this info to Support should help.

    Regards,

    Jak
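
As an added example (not part of the original posts, and not Sophos code), the read-only PowerShell below lists which mitigations are on in the "Office" profile but off in "Exclude", which is what an Office exclusion gives up, and then dumps the per-application keys so excluded applications can be spotted. It assumes the profile sub-keys under `_profiles_` are named as quoted in the reply above and that each mitigation is a 0/1 value directly under its profile key.

```powershell
# Added example: read-only audit of the registry layout described in this thread.
# Assumptions: profile sub-keys are named "Office" and "Exclude", and every
# mitigation is stored as a 0/1 value directly under the profile key.
$root     = 'HKLM:\Software\HitmanPro.Alert'
$profiles = Join-Path $root '_profiles_'

function Get-RegValues {
    # Return all values of one registry key as an ordered name -> data map.
    param([string]$Path)
    $result = [ordered]@{}
    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $result[$name] = $key.GetValue($name)
    }
    return $result
}

$office  = Get-RegValues (Join-Path $profiles 'Office')
$exclude = Get-RegValues (Join-Path $profiles 'Exclude')

# Mitigations enabled for "Office" that are off (or absent) in "Exclude".
$lost = foreach ($name in $office.Keys) {
    if ($office[$name] -eq 1 -and $exclude[$name] -ne 1) {
        [pscustomobject]@{
            Mitigation = $name
            Office     = $office[$name]
            Exclude    = $exclude[$name]
        }
    }
}
$lost | Sort-Object Mitigation | Format-Table -AutoSize

# Per-application keys: show every value so the assigned profile is visible.
Get-ChildItem -LiteralPath $root |
    Where-Object { $_.PSChildName -ne '_profiles_' } |
    ForEach-Object {
        $vals = Get-RegValues $_.PSPath
        [pscustomobject]@{
            Application = $_.PSChildName
            Values      = ($vals.GetEnumerator() |
                ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        }
    } | Format-Table -AutoSize -Wrap
```

Saving the first table before and after each local toggle gives a record of exactly which mitigation was changed, which is the information the reply suggests passing to Support.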
