Is there an issue with Sophos Intercept X and Internet Explorer 11?

We have seen Internet Explorer crash on every machine we install Sophos Intercept X on. All of the computers are Windows 10 (ver 1709).

 

We have had to change main browsers because of the constant crashing. On first opening it crashes on my own machine every time. I have checked the LoadAppInit_DLLS in the registry and both are 0 (following on from another thread I read here).

 

Any idea what to try?  I have gathered some dumps of the crashes but don't have the experience to look at them.

 

Thank you

N@




[locked by: SupportFlo at 10:57 PM (GMT -8) on 8 Mar 2019]
  • We are seeing exactly the same problem.  Is there a fix for it?

  • Hi,

    Support will want a full memory dump of the process.  The simplest way to get one is as follows:

    1. Create the directory C:\dumps\

    2. Download Procdump from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump and save it to C:\dumps\

    3. Run in an admin prompt:
    procdump -ma -i C:\dumps

    4. Recreate the issue and you should have a dump file created in C:\dumps\

    5. Run:
    procdump -u
    to unregister Procdump as the post-mortem debugger.

    Otherwise in the short term I would eliminate modules loaded into the iexplorer.exe process.  Maybe starting with hmpalert.dll to prove Sophos HMPA is related.

    For a 32-bit process on a 64-bit OS, hmpalert.dll will be injected from C:\Windows\SysWOW64\
    For a 64-bit process on a 64-bit OS, hmpalert.dll will be injected from C:\windows\system32\

    If you're not sure of the bitness of the crashing IE process, if you rename both to say hmpalert.dll.ren and then start IE, does it crash?

    With the DLL renamed, the HMPA driver will not inject the DLL into the process.

    Beyond that, it could be a conflict with another 3rd party module loaded into IE.  Process Explorer is a very useful tool to see the list of modules loaded into a process: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer. I would remove the modules one at a time to see if there is a combination where the issue goes away.

    Regards,

    Jak
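
The bitness check and module listing described in the reply above can be scripted. This is an added example, not part of the original thread or Sophos tooling; it assumes the IE process name `iexplore`, an elevated PowerShell session, and IE already running. A 64-bit Windows PowerShell 5.1 session may show only the 64-bit WOW64 stub modules for a 32-bit IE, in which case Process Explorer gives the full list.

```powershell
# Added example (not from the thread): report bitness and non-Microsoft
# modules for every running IE process. Process name "iexplore" is assumed.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool isWow64);
'@

$os64 = [Environment]::Is64BitOperatingSystem

foreach ($p in @(Get-Process -Name iexplore -ErrorAction SilentlyContinue)) {
    $wow = $false
    try {
        # WOW64 = a 32-bit process running on 64-bit Windows.
        [void][Win32.Native]::IsWow64Process($p.Handle, [ref]$wow)
        $mods = @($p.Modules)
    } catch {
        Write-Warning "PID $($p.Id): $($_.Exception.Message)"
        continue
    }

    # Map bitness to the directory the thread says hmpalert.dll is injected from.
    $bits = if ($os64 -and -not $wow) { 64 } else { 32 }
    $dir  = if ($os64 -and $wow) { 'SysWOW64' } else { 'System32' }
    $dll  = Join-Path $env:windir "$dir\hmpalert.dll"
    "PID {0}: {1}-bit process, hmpalert.dll expected from {2}" -f $p.Id, $bits, $dll

    # Modules whose vendor is not Microsoft are the candidates to
    # eliminate one at a time when hunting for a conflicting module.
    $mods |
        Where-Object { $_.FileVersionInfo.CompanyName -notmatch 'Microsoft' } |
        Select-Object ModuleName, FileName,
            @{ n = 'Company'; e = { $_.FileVersionInfo.CompanyName } } |
        Sort-Object Company, ModuleName |
        Format-Table -AutoSize
}
```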

  • Hey Jak,

     

    Renaming the DLL file (For a 64-bit process on a 64-bit OS, hmpalert.dll will be injected from C:\windows\system32\)  seems to have worked, we are going to keep testing for the rest of the day.

     

    I already have 8GB of dumps logged so I am uploading these to OneDrive to share with you.

     

    Before today, all I had to do was open Internet Explorer and it would crash trying to open the home page. It would also crash so much afterwards that it became unusable so we moved to Firefox.

     

    Today I have opened IE with no issues and opened several tabs with no issues, I will try using this today and update you if there is a crash (I am still logging the dump files).

     

    Thank you!

    N@

  • Hey Jak,

     

    Renaming the .DLL on three different machines (different models) with 3 different users has stopped IE from crashing as we have tested it this morning.

     

    Here are my dumps from my earlier testing where I was still attempting to use IE and it was crashing (with the hmpalert.dll in place):

    https://1drv.ms/f/s!An6BH0lO0u-G9xj6WaL8jAipO5tn

     

    Let me know if you need anything else?

     

    Thank you

    Natalie

  • OK, good to know. 

    I would suggest the next test is to put the DLL back, then in Sophos Central, in the Threat Protection policy that is applied to user/computer disable the option:

    "Mitigate exploits in vulnerable applications" - "Protect web browsers"
     
    Does this prevent the issue also?
     
    If it still occurs, maybe disable the whole section.

    Beyond that we can look into enabling and disabling specific mitigations in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\ that apply specifically to browsers or global mitigations.

    Note: when toggling registry keys, rather than setting via policy you have to restart the "HitmanPro.Alert service".

    I also assume that if you disable mitigations in IE specifically.  Which you can do via this page: 
    Does that also work, I assume so if disabling the above option does.

    Regards,

    Jak
  • Hello everyone

     

    We're facing the same problem here. After installing W10 1709 it happened even more often.

    Turning off "Protect web browsers" seems to solve this problem. (but opens a security gap)

     

    While testing with and without Intercept X we also found out that starting up the PC is massively faster without Intercept X.

    For Example:

    Pressing enter after entering the logon-password takes 7 sec without Intercept X and 88 sec with InterceptX enabled. Also loading programs in startup is very much faster without Intercept X.

    Looking back, I think slowing down got even worse after installing Windows Updates 2018-01.

     

    Maybe some other users here are experiencing the same...

     

    Regards

    Benny

  • Before Jak's latest reply I tested things while I was waiting and I think my machine might indicate the same...

     

    Time recorded between entering the password and logging in to the Disk in task manager not being 100%

    (please be aware that the length of these logins may also be affected by the amount of other software I also run so I am only looking at the time difference.)

     

    With Sophos Intercept X installed - 4:32

    I removed Sophos, rebooted the machine to complete the uninstall and then rebooted again

    1st fresh boot - 2:35

    3rd boot - 3:36

    4th boot - 3:20

     

    The disk being at 100% is an issue we have on all three of the laptops I am testing on, and this remained after the removal of Sophos. Due to the timing of when we started to install Sophos I couldn't be sure what Sophos was responsible for.

    Sophos definitely seems to slow the login and has affected Internet Explorer but I believe that something else is causing overall slowness of the machines and the 100% disk usage. This would correlate with the issues starting in January and I also wondered if it was part of the measures put in place to protect the Intel Processors etc which are in the news because of them being a security risk...

     

    Food for thought....

  • If turning off the Protection of Web apps helps: What about turning it back on and then testing a few of the specific mitigations that apply to browsers.

    E.g. Close the browser and stop the "HitmanPro.Alert service".  Then under:

    HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_profiles_\Browsers

    Maybe disable them all (set to 0) then start the "HitmanPro.Alert service".  Presumably no issue.

    Can you maybe narrow it down to a specific mitigation?  I guess it could be a combination but one at a time would be a start.  I would suggest closing and reopening the browser between each test and you will have to restart the HMPA service for it to pick up the change.

    Regards,

    Jak

  • Can you test disabling "CPU Branch Tracing" within your central threat protection policy and let me know if this also resolves the issue for your users?

  • Can you test disabling "CPU Branch Tracing" within your central threat protection policy and let me know if this also resolves the issue for your users?

     

     

    We don't seem to have this option?