Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 72 replies
  • Answers 1 answer
  • Subscribers 40 subscribers
  • Views 650781 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Is there an issue with Sophos Intercept X and Internet Explorer 11?

Natalie Evans

We have seen Internet Explorer crash on every machine we install Sophos Interecpt X on. All of the Computers are Windows 10 (ver 1709).

 

We have had to change main browsers because of the constant crashing. On first opening it crashes on my own machine everytime. I have checked the LoadAppInit_DLLS in the registry and both are 0 (following on from another thread I read here).

 

Any idea what to try?  I have gathered some dumps of the crashes but don't have the experience to look at them.

 

Thank you

N@




[locked by: SupportFlo at 10:57 PM (GMT -8) on 8 Mar 2019]
Parents
  • 0

    We are seeing exactly the same problem.  Is there a fix for it?

  • 0 in reply to SimonAdams

    Hi,

    Support will want a full memory dump of the process.  The simplest way to get one is as follows:

    1. Create the directory C:\dumps\

    2. Download Procdump from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump and save it to C:\dumps\

    3. Run in an admin prompt:
    procdump -ma -i C:\dumps

    4. Recreate the issue and you should have dump file create in C:\dumps\

    5. Run:
    procdump -u
    to unregister Procdump as the post-mortem debugger.

    Otherwise in the short term I would eliminate modules loaded into the iexplorer.exe process.  Maybe starting with hmpalert.dll to prove Sophos HMPA is related.

    For a 32-bit process on a 64-bit OS, hmpalert.dll will be injected from C:\Windows\SysWOW64\
    For a 64-bit process on a 64-bit OS, hmpalert.dll will be injected from C:\windows\system32\

    If you're not sure of the bitness of the crashing IE, process, if you rename both to say hmpalert.dll.ren and then start IE, does it crash? 

    With the DLL renamed, the HMPA driver will not inject the DLL into the process.

    Beyond that, it could be a conflict with another 3rd party module loaded into IE.  Process Explorer is a very useful tool to see the list of modules loaded into a process. https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer I would remove the modules one at a time to see if there is a combination where the issues goes away.

    Regards,

    Jak

  • 0 in reply to jak

    Hey Jak,

     

    Renaming the DLL file (For a 64-bit process on a 64-bit OS, hmpalert.dll will be injected from C:\windows\system32\)  seems to have worked, we are going to keep testing for the rest of the day.

     

    I already have 8GB of dumps logged so I am uploading these to one drive to share with you.

     

    Before today, all I had to do was open internet explorer and it would crash trying to open the home page. It would also crash so much afterwards that it became unusable so we moved to firefox.

     

    Today I have opened IE with no issues and opened several tabs with no issues, I will try using this today and update you if there is a crash (I am still logging the dump files).

     

    Thank you!

    N@

Reply
  • 0 in reply to jak

    Hey Jak,

     

    Renaming the DLL file (For a 64-bit process on a 64-bit OS, hmpalert.dll will be injected from C:\windows\system32\)  seems to have worked, we are going to keep testing for the rest of the day.

     

    I already have 8GB of dumps logged so I am uploading these to one drive to share with you.

     

    Before today, all I had to do was open internet explorer and it would crash trying to open the home page. It would also crash so much afterwards that it became unusable so we moved to firefox.

     

    Today I have opened IE with no issues and opened several tabs with no issues, I will try using this today and update you if there is a crash (I am still logging the dump files).

     

    Thank you!

    N@

Children
No Data
Unfiltered HTML