Is there an issue with Sophos Intercept X and Internet Explorer 11?

We have seen Internet Explorer crash on every machine we install Sophos Interecpt X on. All of the Computers are Windows 10 (ver 1709).

 

We have had to change main browsers because of the constant crashing. On first opening it crashes on my own machine everytime. I have checked the LoadAppInit_DLLS in the registry and both are 0 (following on from another thread I read here).

 

Any idea what to try?  I have gathered some dumps of the crashes but don't have the experience to look at them.

 

Thank you

N@

  • I've given the definition of insanity a run for its money trying to get to the bottom of this same issue also.

    Our EMR will only run in IE due to high dependency on ActiveX.

    Anytime Microsoft pushed out significant updates to Win10, I would have to reconfigure the internet security options under trusted sites on those workstations browsers. 

    Recently, IE would just trigger a message (Internet Explorer has stopped working) - and I have spent at least 10 hours since the new year trying every trick I know to get our users running stable. 

    Finally, when parsing through event logs I noticed a common trend in that C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE & C:\WINDOWS\system32\dinput8.dll were common denominators and searched that string. I landed on the Microsoft TechNet discussion where almost everyone there had an additional common factor - they all use Sophos!

    We purchased licenses for Intercept X for a reason, and now the only work around is to disable that protection on Windows 10 workstations? The renaming of the hitman .dll - is that an alternative? What exactly needs to be done in that case?

     

  • In reply to John Culotta:

    "The renaming of the hitman .dll - is that an alternative?"

    John, the component "Hitman Pro Alert" is InterceptX.  So the DLL mentioned just prevents IX from loading.

    Support did mention DINPUT8.DLL to me when the examined my logs.  They were like "this is what's crashing, so it's a Microsoft issue."  OMG!!  No, it's a Sophos issue.

  • In reply to David Fosbenner:

    Thanks for that point of clarification David.

    I just removed one of the windows 10 workstations I had assigned Int X on via Managed Endpoint Software that was problematic, rebooted and shes running fine now - with no crashing issues.

     

     

    Its obviously not a Microsoft issue!

    I've added this to the list of topics to discuss with our account manager, account executive, sophos engineer, and upgrade/renewals staff @Sophos on our next review call. 

  • In reply to John Culotta:

    I'm waiting to hear back from the end-user, but I saw first hand IE crashing whenever he loaded it (I even had Shockwave disabled as well).  I thought maybe it was something to do with his home page which was MSN (Lenovo) so I changed it to Google and IE didn't crash when opening.  Had him access his main sites and everything was working.

    If it continues to work (which I'll report back on), maybe check to see what home page the user has. 

  • In reply to Breakingcustom:

    If anyone has any dumps of the iexplorer.exe process from the crashes, having installed procdump as per my previous post on this thread, can you install Windbg either from the SDK or even Windbg Preview from the Microsoft Store.  After doing so can you paste the contents of running the command:
    !analyze -v
    It will be interesting to see if everyone is seeing the same error.

    Regards,
    Jak



  • In reply to jak:

    I'm experiencing the same issue described here.  IE11 is crashing on any page that contains Flash.  I can produce it regularly by going to http://get.adobe.com/flashplayer/about/ and checking the version of Flash installed.  It does not crash every time but if I refresh 10 times it will crash maybe 6 or 7 of those. 

    Sophos Info

    • Core Agent: 11.5.11
    • Endpoint Advanced: 11.5.11
    • IX: 3.6.14

    IE Info

    • Version: 11.248.16299
    • Update Version: 11.0.51

    OS Info

    • OS: Win 10 Pro
    • Version: 10.0.16299

    Here are the contents from one of the dumps:

    *** ERROR: Symbol file could not be found. Defaulted to export symbols for ieframe.dll -
    *** ERROR: Module load completed but symbols could not be loaded for msIso.dll
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for mshtml.dll -
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for hmpalert.dll -
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for igdumdx32.dll -
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for jscript9.dll -
    GetUrlPageData2 (WinHttp) failed: 12002.

    DUMP_CLASS: 2

    DUMP_QUALIFIER: 400

    CONTEXT: (.ecxr)
    eax=6d174008 ebx=00000000 ecx=da54309d edx=00000000 esi=6d110000 edi=6d1163c0
    eip=6d14ca5d esp=097ef9fc ebp=097efa40 iopl=0 nv up ei pl nz na pe nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
    dinput8!__delayLoadHelper2+0x26c:
    6d14ca5d 8938 mov dword ptr [eax],edi ds:002b:6d174008={dinput8!_imp_load__CreateInputHostForProcess (6d14c266)}
    Resetting default scope

    FAULTING_IP:
    dinput8!__delayLoadHelper2+26c
    6d14ca5d 8938 mov dword ptr [eax],edi

    EXCEPTION_RECORD: (.exr -1)
    ExceptionAddress: 6d14ca5d (dinput8!__delayLoadHelper2+0x0000026c)
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 00000001
    Parameter[1]: 6d174008
    Attempt to write to address 6d174008

    DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE

    PROCESS_NAME: iexplore.exe

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

    EXCEPTION_CODE_STR: c0000005

    EXCEPTION_PARAMETER1: 00000001

    EXCEPTION_PARAMETER2: 6d174008

    FOLLOWUP_IP:
    dinput8!_tailMerge_ext_ms_win_mininput_inputhost_l1_1_1_dll+d
    6d14c27d 5a pop edx

    WRITE_ADDRESS: 6d174008

    BUGCHECK_STR: INVALID_POINTER_WRITE

    WATSON_BKT_PROCSTAMP: 91f43e7

    WATSON_BKT_PROCVER: 11.0.16299.15

    PROCESS_VER_PRODUCT: Internet Explorer

    WATSON_BKT_MODULE: dinput8.dll

    WATSON_BKT_MODSTAMP: 536c18e7

    WATSON_BKT_MODOFFSET: ca5d

    WATSON_BKT_MODVER: 6.2.16299.15

    MODULE_VER_PRODUCT: Microsoft® Windows® Operating System

    BUILD_VERSION_STRING: 10.0.16299.15 (WinBuild.160101.0800)

    MODLIST_WITH_TSCHKSUM_HASH: 881da541634c176d3d7437be2fe9556beea2da7e

    MODLIST_SHA1_HASH: 8b9abb1d3a91467a181199803a1d9050f6fd69d3

    NTGLOBALFLAG: 0

    APPLICATION_VERIFIER_FLAGS: 0

    PRODUCT_TYPE: 1

    SUITE_MASK: 272

    DUMP_FLAGS: 8000c07

    DUMP_TYPE: 0

    ANALYSIS_SESSION_HOST: FC0264

    ANALYSIS_SESSION_TIME: 02-13-2018 13:27:25.0587

    ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

    THREAD_ATTRIBUTES:
    OS_LOCALE: ENU

    PROBLEM_CLASSES:

     

    INVALID_POINTER_WRITE
    Tid [0x2ac0]
    Frame [0x00]: dinput8!__delayLoadHelper2


    LAST_CONTROL_TRANSFER: from 6d14c27d to 6d14ca5d

    STACK_TEXT:
    097efa40 6d14c27d 6d165dcc 6d174008 05000000 dinput8!__delayLoadHelper2+0x26c
    097efa74 770acc4b 6d171210 00000000 00000000 dinput8!_tailMerge_ext_ms_win_mininput_inputhost_l1_1_1_dll+0xd
    097efaa0 76242f37 6d171210 6d14c3c0 00000000 ntdll!RtlRunOnceExecuteOnce+0x7b
    097efab8 6d14c3e4 6d171210 6d14c3c0 00000000 KERNELBASE!InitOnceExecuteOnce+0x17
    097efacc 77093470 00000000 d79f3b8c 00000000 dinput8!DllProcessDetach+0x106
    097efb54 77094059 097efc54 11916988 d79f3d98 ntdll!RtlpTpWorkCallback+0x120
    097efd40 76738654 00a707b0 76738630 d6f5c581 ntdll!TppWorkerThread+0x7d9
    097efd54 770c4a77 00a707b0 d79f3d44 00000000 kernel32!BaseThreadInitThunk+0x24
    097efd9c 770c4a47 ffffffff 770e9ed8 00000000 ntdll!__RtlUserThreadStart+0x2f
    097efdac 00000000 77093880 00a707b0 00000000 ntdll!_RtlUserThreadStart+0x1b


    THREAD_SHA1_HASH_MOD_FUNC: 990a82e415868202159e68f02f4a0fc8053dd098

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET: be224ce181700857cc613a30669f2e05f7339859

    THREAD_SHA1_HASH_MOD: 252da8e44adbc7357ee3134979e659a2a5eb7a00

    FAULT_INSTR_CODE: e0ff595a

    SYMBOL_STACK_INDEX: 1

    SYMBOL_NAME: dinput8!_tailMerge_ext_ms_win_mininput_inputhost_l1_1_1_dll+d

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: dinput8

    IMAGE_NAME: dinput8.dll

    DEBUG_FLR_IMAGE_TIMESTAMP: 536c18e7

    STACK_COMMAND: .ecxr ; kb

    BUCKET_ID: INVALID_POINTER_WRITE_dinput8!_tailMerge_ext_ms_win_mininput_inputhost_l1_1_1_dll+d

    PRIMARY_PROBLEM_CLASS: INVALID_POINTER_WRITE_dinput8!_tailMerge_ext_ms_win_mininput_inputhost_l1_1_1_dll+d

    FAILURE_EXCEPTION_CODE: c0000005

    FAILURE_IMAGE_NAME: dinput8.dll

    BUCKET_ID_IMAGE_STR: dinput8.dll

    FAILURE_MODULE_NAME: dinput8

    BUCKET_ID_MODULE_STR: dinput8

    FAILURE_FUNCTION_NAME: _tailMerge_ext_ms_win_mininput_inputhost_l1_1_1_dll

    BUCKET_ID_FUNCTION_STR: _tailMerge_ext_ms_win_mininput_inputhost_l1_1_1_dll

    BUCKET_ID_OFFSET: d

    BUCKET_ID_MODTIMEDATESTAMP: 536c18e7

    BUCKET_ID_MODCHECKSUM: 34a3c

    BUCKET_ID_MODVER_STR: 6.2.16299.15

    BUCKET_ID_PREFIX_STR: INVALID_POINTER_WRITE_

    FAILURE_PROBLEM_CLASS: INVALID_POINTER_WRITE

    FAILURE_SYMBOL_NAME: dinput8.dll!_tailMerge_ext_ms_win_mininput_inputhost_l1_1_1_dll

    FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_dinput8.dll!_tailMerge_ext_ms_win_mininput_inputhost_l1_1_1_dll

    WATSON_STAGEONE_URL: watson.microsoft.com/.../ 91f43e7/dinput8.dll/6.2.16299.15/536c18e7/c0000005/0000ca5d.htm?Retriage=1

    TARGET_TIME: 2018-02-13T19:11:06.000Z

    OSBUILD: 16299

    OSSERVICEPACK: 15

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    OSPLATFORM_TYPE: x86

    OSNAME: Windows 10

    OSEDITION: Windows 10 WinNt SingleUserTS

    USER_LCID: 0

    OSBUILD_TIMESTAMP: 2031-10-26 21:56:14

    BUILDDATESTAMP_STR: 160101.0800

    BUILDLAB_STR: WinBuild

    BUILDOSVER_STR: 10.0.16299.15

    ANALYSIS_SESSION_ELAPSED_TIME: afcf

    ANALYSIS_SOURCE: UM

    FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_dinput8.dll!_tailmerge_ext_ms_win_mininput_inputhost_l1_1_1_dll

    FAILURE_ID_HASH: {502bd972-e56d-fddf-7192-e45057a66168}

  • In reply to Kyle Kielty:

    Setup:

    OS and IE:

    • OS: 10.0.16299 Build 16299 Version 1709 - 64-bit - Home
    • IE: 11.192.16299.0
    • IE Plugin: Shockwave Flash Object 28.0.0.161
    • Set get.adobe.com/.../ as home page for IE.

    Sophos Software:

    • Core Agent 2.0.0
    • Endpoint Advanced 10.8.1.1
    • Sophos Intercept X 2.0.1

    Test:

    • With IE Shockwave plugin disabled. Launched and closed IE 10 times no crashes.
    • Enabled Shockwave plugin and IE crashed on the third start-up.

    The dump info:

    0:005> .ecxr
    eax=00000000 ebx=00001000 ecx=00000001 edx=00000010 esi=618a4000 edi=618a4000
    eip=6187c677 esp=0802f3c8 ebp=0802f418 iopl=0 nv up ei pl zr na pe nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
    dinput8!DloadMakePermanentImageCommit+0x62:
    6187c677 f00906 lock or dword ptr [esi],eax ds:002b:618a4000={dinput8!_imp_load__CreateGenericInputHost (6187c281)}

    FAILURE_EXCEPTION_CODE: c0000005
    FAILURE_IMAGE_NAME: dinput8.dll
    BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE
    STACK_TEXT:
    0802f418 6187c761 618a1210 618a1214 00000000 dinput8!DloadMakePermanentImageCommit+0x62
    0802f434 6187c60c 6187c3c0 6187c80b 618a1210 dinput8!DloadProtectSection+0x52
    0802f43c 6187c80b 618a1210 6187c3c0 00000000 dinput8!DloadAcquireSectionWriteAccess+0x36
    0802f488 6187c27d 61895dcc 618a4008 05000000 dinput8!__delayLoadHelper2+0x1a
    0802f4bc 77c4cc4b 618a1210 00000000 00000000 dinput8!_tailMerge_ext_ms_win_mininput_inputhost_l1_1_1_dll+0xd
    0802f4e8 74752f17 618a1210 6187c3c0 00000000 ntdll!RtlRunOnceExecuteOnce+0x7b
    0802f500 6187c3e4 618a1210 6187c3c0 00000000 KERNELBASE!InitOnceExecuteOnce+0x17
    0802f514 77c33470 00000000 0b055486 00000000 dinput8!DllProcessDetach+0x106
    0802f59c 77c34059 0802f69c 1040ea58 0b055692 ntdll!RtlpTpWorkCallback+0x120
    0802f788 77b48654 04ae07b0 77b48630 3303ec60 ntdll!TppWorkerThread+0x7d9
    0802f79c 77c64a77 04ae07b0 0b0556fe 00000000 kernel32!BaseThreadInitThunk+0x24
    0802f7e4 77c64a47 ffffffff 77c89efd 00000000 ntdll!__RtlUserThreadStart+0x2f
    0802f7f4 00000000 77c33880 04ae07b0 00000000 ntdll!_RtlUserThreadStart+0x1b

    ExceptionAddress: 6187ca5d (dinput8!DirectInput8Create+0x0000176d)
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 00000001
    Parameter[1]: 618a4008
    Attempt to write to address 618a4008

    0:005> !address 6187ca5d


    Mapping file section regions...
    Mapping module regions...
    Mapping PEB regions...
    Mapping TEB and stack regions...
    Mapping heap regions...
    Mapping page heap regions...
    Mapping other regions...
    Mapping stack trace database regions...
    Mapping activation context regions...

    Usage: Image
    Base Address: 61871000
    End Address: 61896000
    Region Size: 00025000 ( 148.000 kB)
    State: 00001000 MEM_COMMIT
    Protect: 00000020 PAGE_EXECUTE_READ
    Type: 01000000 MEM_IMAGE
    Allocation Base: 61870000
    Allocation Protect: 00000080 PAGE_EXECUTE_WRITECOPY
    Image Path: C:\Windows\System32\dinput8.dll
    Module Name: dinput8
    Loaded Image Name: dinput8.dll
    Mapped Image Name:
    More info: lmv m dinput8
    More info: !lmi dinput8
    More info: ln 0x6187ca5d
    More info: !dh 0x61870000


    Content source: 1 (target), length: 195a3

    0:005> lmvm dinput8
    start end module name
    61870000 618a8000 dinput8 (pdb symbols) c:\symbols\dinput8.pdb\E0FEBBB2E20390F6896FF1C15293C61C1\dinput8.pdb
    Loaded symbol image file: dinput8.dll
    Image path: C:\Windows\System32\dinput8.dll
    Image name: dinput8.dll
    Image was built with /Brepro flag.
    Timestamp: 536C18E7 (This is a reproducible build file hash, not a timestamp)
    CheckSum: 00034A3C
    ImageSize: 00038000
    File version: 6.2.16299.15
    Product version: 10.0.16299.15
    File flags: 0 (Mask 3F)
    File OS: 40004 NT Win32
    File type: 2.0 Dll
    File date: 00000000.00000000
    Translations: 0409.04b0
    Information from resource tables:
    CompanyName: Microsoft Corporation
    ProductName: Microsoft® Windows® Operating System
    InternalName: DInput8.dll
    OriginalFilename: DInput8.dll
    ProductVersion: 10.0.16299.15
    FileVersion: 10.0.16299.15 (WinBuild.160101.0800)
    FileDescription: Microsoft DirectInput
    LegalCopyright: © Microsoft Corporation. All rights reserved.

    lmvmFlash
    start end module name
    11130000 12770000 Flash (export symbols) Flash.ocx
    Loaded symbol image file: Flash.ocx
    Image path: C:\Windows\System32\Macromed\Flash\Flash.ocx
    Image name: Flash.ocx
    Timestamp: Thu Feb 1 15:38:04 2018 (5A73A4DC)
    CheckSum: 01551D49
    ImageSize: 01640000
    File version: 28.0.0.161
    Product version: 28.0.0.161
    File flags: 0 (Mask 3F)
    File OS: 4 Unknown Win32
    File type: 2.0 Dll
    File date: 00000000.00000000
    Translations: 0409.04b0
    Information from resource tables:
    CompanyName: Adobe Systems, Inc.
    ProductName: Shockwave Flash
    InternalName: Adobe Flash Player 28.0
    OriginalFilename: Flash.ocx
    ProductVersion: 28,0,0,161
    FileVersion: 28,0,0,161
    FileDescription: Adobe Flash Player 28.0 r0
    LegalCopyright: Adobe® Flash® Player. Copyright © 1996-2018 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
    LegalTrademarks: Adobe Flash Player

     

  • In reply to jak:

    I'll try and add a number of "changes" that help.  Maybe others can confirm:

    1. Setting tab growth of IE, such that iexplore.exe is set o use a single process. 

    Here is a reg key for all users on the computer.  You could do this on a per user basis using HKCU instead...

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
    "TabProcGrowthDefault"="Medium"
    "TabProcGrowth"=dword:00000000

     Note: TabProcGrowth can be a string or a DWORD.  I initially had it as a String and set to Medium.  As a test I have made it a DWORD and set it to 0.   See: https://blogs.msdn.microsoft.com/askie/2009/03/09/opening-a-new-tab-may-launch-a-new-process-with-internet-explorer-8-0/ for more info.

    2. If I:
    Stop the "HitmanPro.Alert service".
    In the registry under: HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_profiles_\Browsers\
    Set all the mitigations to 0 apart from ASLR, which is set to 1. 
    Start the "HitmanPro.Alert service".
    Then I can, with a script launch IE 50 times without issue with the homepage set to http://get.adobe.com/flashplayer/about/ 

    This suggests to me, the issue is with one or more of the mitigations, either in isolation or in combination.

    I will run through the tests toggling individual mitigations on.  If at the end I can set all of the values to 1 individually that will suggest it's more tricky than any one mitigation causing this.  Maybe a race condition?

  • I appreciate all the diving into this problem by jak and Kyle on this thread.

    Just adding a "Me too!" - we have had a growing number of internal tickets about this. Tonight I disabled Hitman Alert Pro on 3300+ machines all running Win10 Fall Creators Edition 1709 / 16299. It seems to only be these machines for us as well.

  • In reply to Chris Turner:

    I don't think you need to go as far as disabling HMPA entirely as it's only related to the mitigation work that the hmpalert dll is doing within the iexplore.exe process.

    I suspect that any one of the following will help:

    - disabling the "Protect web browsers" option under the Endpoint Threat Protection policy.

    - adding an exclusion for Internet Explorer under:
      https://cloud.sophos.com/manage/endpoint/config/settings/exploit-mitigation-exclusions

    - changing IE TabProcGrowth setting

    The first means you loose some HMPA mitigation protection for all browsers.
    The second means you loose all HMPA mitigation protection for IE but other browsers are full protected.
    The third option means work to role out and a bit of an unknown in behaviour.

    Maybe someone could confirm any of the above work?

    I'm still toggling the individual mitigations under: HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_profiles_\Browsers\ one at a time to see if the issue is with one of the mitigations in particular.  I'm launching IE 50 times with the default home page set to http://get.adobe.com/flashplayer/about/ .  If it launches 50 times without a crash I'm deeming the mitigation in isolation at least to not be related.  My fear is you might need multiple.  I will update this thread when I have finished.

    Regards,
    Jak

  • In reply to jak:

    From my testing, it appears the only mitigation that has caused it in 50 launches of IE 11 with the Shockwave Flash Object plugin is:

    HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_profiles_\Browsers\
    IAF

    I found in the Sophos document on exploits, this to be:

    Import Address Table Access Filtering (IAF)

    An attacker eventually needs the addresses of specific system functions (e.g. kernel32!VirtualProtect) to be able to perform malicious activities. These addresses can be retrieved from different sources, one of which is the import address table (IAT) of a loaded module. The IAT is used as a lookup table when an application calls a function in a different module. Because a compiled program cannot know the memory location of the libraries it depends upon, an indirect jump is required whenever an API call is made. As the dynamic linker loads modules and joins them together, it writes actual addresses into the IAT slots so that they point to the memory locations of the corresponding library functions.

    I did find that with more mitigations enabled it crashed more often but this is the only one in isolation where a crash was observed.

    Hopefully this is useful information. 

    Regards,
    Jak

  • Although what I did was a temporary fix changing the end-users homepage away from MSN.com fixed his IE from crashing without touching any settings.  

  • We have the same issue.  We have also had 2 users this week whose internet stopped working in any browser, and a reboot did not fix.  I'm hoping Sophos takes this seriously and resolves it.

  • In reply to jak:

    Just posting a "me too."  Having this issue on 2 of 50 Windows 10 machines.  All 1709, all running Intercept X.

    Setting HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_profiles_\Browsers\IAF to 0 seems to resolve the problem.  Unfortunately testing has shown it gets reset to 1 after a reboot.

     

    Are Sophos aware of this and working on a proper fix?

    Thanks,

    Adam

  • We are experiencing the same problem as described - it appears the problems started after the large feature update to windows 10.

    At the moment we are running with 2 components unticked in our Sophos Central base policy: 'Protect web browsers' and 'Protect web browser plugins' as part of the Mitigate exploits in vulnerable applications. Although not ideal this has stopped the crashes in IE.

     

    I have a support ticket open with Sophos and have provided SDU logs - hopefully they will sort the issue soon.