Intercept-X on Windows 7 x64 crashes Excel and Winword 2016

On a client's Win7 machine the installation of Intercept-x (with Sophos Endpoint Agent 11.5.3) crashes Excel and Winword 2016 (Office 365 16.0.7678.2074).

Eventlog (sorry German...):

Name der fehlerhaften Anwendung: EXCEL.EXE, Version: 16.0.7668.2074, Zeitstempel: 0x588df37c
Name des fehlerhaften Moduls: mso20win32client.dll, Version: 0.0.0.0, Zeitstempel: 0x588d4641
Ausnahmecode: 0x0004e453
Fehleroffset: 0x000fd3a8
ID des fehlerhaften Prozesses: 0x166c
Startzeit der fehlerhaften Anwendung: 0x01d2831bdaf22978
Pfad der fehlerhaften Anwendung: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Pfad des fehlerhaften Moduls: C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso20win32client.dll
Berichtskennung: 18d3b813-ef0f-11e6-8858-3417ebccf615

After uninstalling Intercept-X Excel and Winword work fine again.

Does anybody else have this problem or a solution?

  • The steps I would take would be:

    1. For the users/computers with the issue, go into:

    https://cloud.sophos.com/manage/config/settings/exploit-mitigation-exclusions 

    Click "Add Exclusion", choose the application from the list.

    Does this prevent the problem?  If so at least users can get on with their work while investigating on a test computer.

    2. For a computer to troubleshoot on, open the policy applied to the user of the test computer, creating a new one if needed, and go into the "Threat Protection" part of the policy. In the "Runtime Protection" section, turn off "Mitigate exploits in vulnerable applications".

    Do you still see the issue?  If no, then the issue is caused by an Exploit mitigation. If yes, then try disabling "Protect processes", then try "Protect document files from ransomware (CryptoGuard)".

    Hopefully you can narrow it down to being one of the following features:

    Protect document files from ransomware (CryptoGuard)
    Mitigate exploits in vulnerable applications
    Protect processes

    Armed with this information you can look to remove the global exclusion and change the "Threat Protection" policy accordingly for other users so they get some protection back in Word.

    If you find it's the "Mitigate exploits in vulnerable applications", it's possible to disable the mitigations one at a time in the registry to understand things further.

    Hopefully this is helpful initially.

    Regards,
    Jak

  • In reply to jak:

    Hi Jak,

    Thank you for your advice!

    Actually we have no luck!

    I tried almost all of your suggestions. Still the same problem. At the end I even stopped all Sophos services on the client machine. Still the same problem!

    Regards

    Markus

  • In reply to Markus Kleinlercher:

    The only thing I can think of to prove it's the HMPA component would be to disable the hmpalert.sys driver and reboot:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hmpalert

    Change Start from 3 (on demand) to 4 (disable) and reboot.

    Beyond that, I would suggest getting procdump.exe - https://technet.microsoft.com/en-gb/sysinternals/dd996900.aspx.
    In an admin command prompt with procdump.exe in the path, run:

    mkdir C:\dumps
    procdump -ma -i c:\dumps

    Reproduce the issue and you should get a full dump of Excel in the dumps directory.  I would send this to Support with an SDU file (community.sophos.com/.../33533).

    Once done, you can uninstall Procdump as the default debugger running:

    procdump -u

    It might be worth getting a few dumps (and SDU logs) even from different computers to prove it's the same issue.

    Regards,

    Jak
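
To back up the advice above about collecting evidence from several computers, here is an added example (not part of Jak's post and not Sophos code) that summarises Excel/Word crash events by faulting module, exception code and offset, and notes the current hmpalert start type. It reads event fields by position, so it works regardless of the OS language; the field order is assumed to match the event text quoted in the first post, and C:\dumps is assumed to exist from the procdump step.

```powershell
# Added example, not from the thread. Read-only: it changes nothing on the machine.
$apps   = 'EXCEL.EXE', 'WINWORD.EXE'
$filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 }

# Record the driver start type so data sets taken before and after
# changing it (3 = on demand, 4 = disabled) can be told apart.
$svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\hmpalert' -ErrorAction SilentlyContinue
$hmpaStart = if ($svc) { $svc.Start } else { 'not installed' }

$crashes = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $apps -contains $_.Properties[0].Value } |
    ForEach-Object {
        # Assumed order: application, version, timestamp, module, version,
        # timestamp, exception code, fault offset, ... as in the quoted event.
        $p = $_.Properties
        New-Object PSObject -Property @{
            Computer      = $env:COMPUTERNAME
            Time          = $_.TimeCreated
            Application   = $p[0].Value
            AppVersion    = $p[1].Value
            Module        = $p[3].Value
            ExceptionCode = $p[6].Value
            FaultOffset   = $p[7].Value
            HmpalertStart = $hmpaStart
        }
    })

if ($crashes.Count -eq 0) {
    Write-Output 'No Excel/Word Application Error events found.'
} else {
    # One row per distinct crash signature; the same signature on
    # several computers points to a single underlying cause.
    $crashes |
        Group-Object Application, AppVersion, Module, ExceptionCode, FaultOffset |
        Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize

    # Keep the raw rows next to the dumps for the support case.
    $crashes | Export-Csv "C:\dumps\office-crashes-$env:COMPUTERNAME.csv" -NoTypeInformation
}
```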

  • Dear Sirs,

    We have received a malfunction report from an institutional sphere user: a few of their computers refuse to open the Microsoft Word, Excel and Adobe Acrobat Reader applications, as long as Sophos Intercept X is active. (It is not necessary to open any office documents, like .docx, .xls or .pdf, the above mentioned applications won't even start in themselves.)

    The problem is apparently caused by an "Exploit SysCall" alert, according to "Root Cause Analysis" tab in the "www.cloud.sophos.com" webportal. (The user sent us some low-res screenshots to illustrate the problem.)

    Please suggest a solution to this issue.

    Thanks in advance, Yours Sincerely:
    Tamas Feher, 2F 2000 Kft., Budapest, Hungary.

  • I've had a similar issue with Office 2013.  The way I have gotten around it for now is to uncheck the "Use recommended settings" option in the base policy.  From there, I was then able to scroll down and uncheck the option to "Protect office applications."  After applying the policy, and updating the client, Word and Excel would launch fine.

    This isn't the way I want to leave things.  What could we be missing that is causing Office applications to crash?

  • In reply to MatthewShafer:


    Matthew, you are a lifesaver.  We had the exact same issue going on, and this fixed the issue.  I hope Sophos takes note, so we can get this working correctly.