Is there an issue with Sophos Intercept X and Internet Explorer 11?

We have seen Internet Explorer crash on every machine we install Sophos Intercept X on. All of the computers are Windows 10 (ver 1709).

 

We have had to change main browsers because of the constant crashing. On first opening it crashes on my own machine every time. I have checked the LoadAppInit_DLLS in the registry and both are 0 (following on from another thread I read here).

 

Any idea what to try?  I have gathered some dumps of the crashes but don't have the experience to look at them.

 

Thank you

N@

  • We are seeing exactly the same problem.  Is there a fix for it?

  • In reply to SimonAdams:

    Hi,

    Support will want a full memory dump of the process.  The simplest way to get one is as follows:

    1. Create the directory C:\dumps\

    2. Download Procdump from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump and save it to C:\dumps\

    3. Run in an admin prompt:
    procdump -ma -i C:\dumps

    4. Recreate the issue and you should have a dump file created in C:\dumps\

    5. Run:
    procdump -u
    to unregister Procdump as the post-mortem debugger.

    Otherwise, in the short term I would eliminate modules loaded into the iexplore.exe process.  Maybe starting with hmpalert.dll to prove Sophos HMPA is related.

    For a 32-bit process on a 64-bit OS, hmpalert.dll will be injected from C:\Windows\SysWOW64\
    For a 64-bit process on a 64-bit OS, hmpalert.dll will be injected from C:\windows\system32\

    If you're not sure of the bitness of the crashing IE process, if you rename both to, say, hmpalert.dll.ren and then start IE, does it crash?

    With the DLL renamed, the HMPA driver will not inject the DLL into the process.

    Beyond that, it could be a conflict with another 3rd party module loaded into IE.  Process Explorer is a very useful tool to see the list of modules loaded into a process. https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer I would remove the modules one at a time to see if there is a combination where the issue goes away.

    Regards,

    Jak
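
To answer the bitness question in the reply above without guessing, this added example (not part of the original post, and not Sophos code) reports each running iexplore.exe with its bitness and whether hmpalert.dll, or a renamed hmpalert.dll.ren copy, sits in the directory the reply names for that bitness. The function name `Get-IeHmpaStatus` and the `Diag.Native` type are made up for this example; it assumes an elevated 64-bit PowerShell on 64-bit Windows.

```powershell
# Added example (not from the thread). Assumes elevated 64-bit PowerShell on 64-bit Windows.
Add-Type -Namespace Diag -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool isWow64);
'@

function Get-IeHmpaStatus {
    param([string]$ProcessName = 'iexplore')

    if (-not [Environment]::Is64BitProcess) {
        # A 32-bit shell has System32 redirected to SysWOW64, which would skew the paths.
        throw 'Run this from 64-bit PowerShell.'
    }

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        $isWow64 = $false
        try {
            $ok = [Diag.Native]::IsWow64Process($proc.Handle, [ref]$isWow64)
        } catch {
            $ok = $false   # process already exited, or access was denied
        }
        if (-not $ok) { continue }

        # WOW64 means a 32-bit process on a 64-bit OS.
        $dir = if ($isWow64) { Join-Path $env:windir 'SysWOW64' } else { Join-Path $env:windir 'System32' }
        $dll = Join-Path $dir 'hmpalert.dll'

        [pscustomobject]@{
            ProcessId   = $proc.Id
            Bitness     = if ($isWow64) { '32-bit' } else { '64-bit' }
            ExpectedDll = $dll
            DllPresent  = Test-Path -LiteralPath $dll
            RenamedCopy = Test-Path -LiteralPath "$dll.ren"   # the .ren name used in the reply
        }
    }
}

Get-IeHmpaStatus | Format-Table -AutoSize
```

Running it again after testing shows whether every renamed DLL has been put back, since a row with DllPresent False means HMPA is still not being injected into that process.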

  • In reply to jak:

    Hey Jak,

     

    Renaming the DLL file (For a 64-bit process on a 64-bit OS, hmpalert.dll will be injected from C:\windows\system32\)  seems to have worked, we are going to keep testing for the rest of the day.

     

    I already have 8GB of dumps logged so I am uploading these to OneDrive to share with you.

    Before today, all I had to do was open Internet Explorer and it would crash trying to open the home page. It would also crash so much afterwards that it became unusable so we moved to Firefox.

     

    Today I have opened IE with no issues and opened several tabs with no issues, I will try using this today and update you if there is a crash (I am still logging the dump files).

     

    Thank you!

    N@

  • In reply to jak:

    Hey Jak,

     

    Renaming the .DLL on three different machines (different models) with 3 different users has stopped IE from crashing as we have tested it this morning.

     

    Here are my dumps from my earlier testing where I was still attempting to use IE and it was crashing (with the hmpalert.dll in place):

    https://1drv.ms/f/s!An6BH0lO0u-G9xj6WaL8jAipO5tn

     

    Let me know if you need anything else?

     

    Thank you

    Natalie

  • In reply to Natalie Evans:

    OK, good to know. 

    I would suggest the next test is to put the DLL back, then in Sophos Central, in the Threat Protection policy that is applied to user/computer disable the option:

    "Mitigate exploits in vulnerable applications" - "Protect web browsers"
     
    Does this prevent the issue also?
     
    If it still occurs, maybe disable the whole section.

    Beyond that we can look into enabling and disabling specific mitigations in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\ that apply specifically to browsers or global mitigations.

    Note: when toggling registry keys, rather than setting via policy you have to restart the "HitmanPro.Alert service".

    I also assume that if you disable mitigations in IE specifically.  Which you can do via this page: 
    Does that also work, I assume so if disabling the above option does.

    Regards,

    Jak
  • In reply to jak:

    Hello everyone

     

    We're facing the same problem here. After installing W10 1709 it happened even more often.

    Turning off "Protect web browsers" seems to solve this problem. (but opens a security gap)

     

    While testing with and without Intercept X we also found out that starting up the PC is massively faster without Intercept X.

    For example:

    Pressing enter after entering the logon-password takes 7 sec without Intercept X and 88 sec with InterceptX enabled. Also loading programs in startup is very much faster without Intercept X.

    Looking back, I think slowing down got even worse after installing Windows Updates 2018-01.

     

    Maybe some other users here are experiencing the same...

     

    Regards

    Benny

  • In reply to Stefan Burri:

    Before Jak's latest reply I tested things while I was waiting and I think my machine might indicate the same...

     

    Time recorded between entering the password and logging in to the Disk in task manager not being 100%

    (please be aware that the length of these logins may also be affected by the amount of other software I also run so I am only looking at the time difference.)

     

    With Sophos Intercept X installed - 4:32

    I removed Sophos, rebooted the machine to complete the uninstall and then rebooted again

    1st fresh boot - 2:35

    3rd boot - 3:36

    4th boot - 3:20

     

    The disk being at 100% is an issue we have on all three of the laptops I am testing on, and this remained after the removal of Sophos. Due to the timing of when we started to install Sophos I couldn't be sure what Sophos was responsible for.

    Sophos definitely seems to slow the login and has affected Internet Explorer but I believe that something else is causing overall slowness of the machines and the 100% disk usage. This would correlate with the issues starting in January and I also wondered if it was part of the measures put in place to protect the Intel Processors etc which are in the news because of them being a security risk...

     

    Food for thought....

  • In reply to Natalie Evans:

    If turning off the Protection of Web apps helps: What about turning it back on and then testing a few of the specific mitigations that apply to browsers.

    E.g. Close the browser and stop the "HitmanPro.Alert service".  Then under:

    HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_profiles_\Browsers

    Maybe disable them all (set to 0) then start the "HitmanPro.Alert service".  Presumably no issue.

    Can you maybe narrow it down to a specific mitigation?  I guess it could be a combination but one at a time would be a start.  I would suggest closing and reopening the browser between each test and you will have to restart the HMPA service for it to pick up the change.

    Regards,

    Jak
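
Each round of the one-at-a-time test above leaves a mitigation switched off until someone sets it back, so this added example (not part of the original post, and not Sophos code) records the values under the Browsers profile key before testing, then restores them and reports anything that still differs. The function names and the snapshot path under C:\dumps are made up for this example, and it assumes the mitigation toggles are DWORD values, as "set to 0" in the reply suggests.

```powershell
# Added example (not from the thread). Run elevated in 64-bit PowerShell.
$BrowserProfileKey      = 'HKLM:\SOFTWARE\HitmanPro.Alert\_profiles_\Browsers'   # key named in the reply
$HmpaServiceDisplayName = 'HitmanPro.Alert service'                              # name used in the reply

function Save-MitigationSnapshot {
    param([string]$Path = 'C:\dumps\hmpa-browsers-before.json')   # hypothetical file name

    $key = Get-Item -LiteralPath $BrowserProfileKey
    $snapshot = foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Name  = $name
            Kind  = $key.GetValueKind($name).ToString()   # stored as text so JSON keeps 'DWord'
            Value = $key.GetValue($name)
        }
    }
    ConvertTo-Json -InputObject @($snapshot) | Set-Content -LiteralPath $Path -Encoding UTF8
    $snapshot
}

function Restore-MitigationSnapshot {
    param([string]$Path = 'C:\dumps\hmpa-browsers-before.json')

    $saved = @(Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json) |
        Where-Object { $_.Kind -eq 'DWord' }   # assumption: toggles are DWORDs

    # The service has to be restarted for registry changes to be picked up.
    $svc = Get-Service -DisplayName $HmpaServiceDisplayName
    Stop-Service -InputObject $svc
    foreach ($entry in $saved) {
        Set-ItemProperty -Path $BrowserProfileKey -Name $entry.Name `
            -Value ([int]$entry.Value) -Type DWord
    }
    Start-Service -InputObject $svc

    # Return every value that still differs from the snapshot; no output means fully restored.
    $key = Get-Item -LiteralPath $BrowserProfileKey
    $saved | Where-Object { $key.GetValue($_.Name) -ne $_.Value } |
        Select-Object Name, @{ n = 'Expected'; e = { $_.Value } },
                            @{ n = 'Current';  e = { $key.GetValue($_.Name) } }
}

# Usage: Save-MitigationSnapshot before the first test, Restore-MitigationSnapshot after the last.
```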

  • Can you test disabling "CPU Branch Tracing" within your central threat protection policy and let me know if this also resolves the issue for your users?

  • In reply to WomboCombo:


    We don't seem to have this option?

  • In reply to SimonAdams:

    I've had the issue described in this thread since Nov, 2017, when our company first started using Sophos Central and InterceptX.  I've had a case open for a couple months now.  IE crashes on Win 10 systems so frequently it's almost unusable. 

    At the current time, a reliable workaround for us is to disable "Shockwave Flash Object" in IE.  With that disabled, I'm able to use IE successfully without disabling any Sophos components.  I'm curious if this will work for others.  I've only done it on some test PCs so far.

  • In reply to David Fosbenner:

    We also have been experiencing the same issue since migrating to Sophos Central and InterceptX.  I implemented the Shockwave Flash change on a test group but have seen a couple of failures since, although the rate has been much lower.  We have a call open with Sophos but have not had any meaningful advice or feedback so far.

    I will look to implement the rename of the hmpalert.dll and see if this has any impact.

    Kevin

  • In reply to kevin Whiteman:


    Yes, we rolled this out as a Group Policy.  While it does seem to be a bit better, Internet Explorer is still crashing.  Did renaming the DLL make any difference?

  • In reply to SimonAdams:

    Disabling InterceptX will prevent the IE crashes in Win 10.  Renaming the DLL for Hitman Pro Alert is one way, but you have to do that at the client.  Here's a way to disable InterceptX in the console for only the clients you choose:

    • On the left side menu in the console, under Manage Protection, click Computers
    • On the right at top, click the Manage Endpoint Software button
    • In the window that pops up, under Software List, click "Intercept X"
    • Move any computers from the Assigned Computers group to the Eligible Computers group.
    • Save and close the window.
    • Once the clients grab this update, InterceptX will be disabled.  I believe they will want to reboot anytime this is disabled/enabled.

    Obviously disabling InterceptX is not something we want to do, but if disabling Shockwave Flash isn't enough of a workaround, this is an option until we have a final solution.

    I am very unhappy with Sophos support on this and other issues.  Communication from them is very infrequent.  I've had to ask the same questions 2 & 3 times before getting answers.  They were unwilling to own this issue in the beginning, hinting "no one else is reporting this issue."  They have asked me to do testing, generate logs, dumps, even this week asking for more dumps.  This is very time consuming.  It should be very simple for them to test and generate these in-house.  None of the issues I raised over the last 2+ months have resolution, the only workarounds have been to disable components.  I've never had such an unsatisfactory support experience with a software vendor.

  • In reply to David Fosbenner:


    I don't think you are the only one frustrated by Sophos support or lack of!