Is there an issue with Sophos Intercept X and Internet Explorer 11?

I appreciate all the diving into this problem by jak and Kyle on this thread.

Just adding a "Me too!" - we have had a growing number of internal tickets about this. Tonight I disabled Hitman Alert Pro on 3300+ machines all running Win10 Fall Creators Edition 1709 / 16299. It seems to only be these machines for us as well.

I appreciate all the diving into this problem by jak and Kyle on this thread.

Just adding a "Me too!" - we have had a growing number of internal tickets about this. Tonight I disabled Hitman Alert Pro on 3300+ machines all running Win10 Fall Creators Edition 1709 / 16299. It seems to only be these machines for us as well.

I don't think you need to go as far as disabling HMPA entirely as it's only related to the mitigation work that the hmpalert dll is doing within the iexplore.exe process.

I suspect that any one of the following will help:

- disabling the "Protect web browsers" option under the Endpoint Threat Protection policy.

- adding an exclusion for Internet Explorer under:
  https://cloud.sophos.com/manage/endpoint/config/settings/exploit-mitigation-exclusions

- changing IE TabProcGrowth setting

The first means you loose some HMPA mitigation protection for all browsers.
The second means you loose all HMPA mitigation protection for IE but other browsers are full protected.
The third option means work to role out and a bit of an unknown in behaviour.

Maybe someone could confirm any of the above work?

I'm still toggling the individual mitigations under: HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_profiles_\Browsers\ one at a time to see if the issue is with one of the mitigations in particular.  I'm launching IE 50 times with the default home page set to http://get.adobe.com/flashplayer/about/ .  If it launches 50 times without a crash I'm deeming the mitigation in isolation at least to not be related.  My fear is you might need multiple.  I will update this thread when I have finished.

Regards,
Jak

From my testing, it appears the only mitigation that has caused it in 50 launches of IE 11 with the Shockwave Flash Object plugin is:

HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_profiles_\Browsers\
IAF

I found in the Sophos document on exploits, this to be:

Import Address Table Access Filtering (IAF)

An attacker eventually needs the addresses of specific system functions (e.g. kernel32!VirtualProtect) to be able to perform malicious activities. These addresses can be retrieved from different sources, one of which is the import address table (IAT) of a loaded module. The IAT is used as a lookup table when an application calls a function in a different module. Because a compiled program cannot know the memory location of the libraries it depends upon, an indirect jump is required whenever an API call is made. As the dynamic linker loads modules and joins them together, it writes actual addresses into the IAT slots so that they point to the memory locations of the corresponding library functions.

I did find that with more mitigations enabled it crashed more often but this is the only one in isolation where a crash was observed.

Hopefully this is useful information. 

Regards,
Jak

Just posting a "me too."  Having this issue on 2 of 50 Windows 10 machines.  All 1709, all running Intercept X.

Setting HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_profiles_\Browsers\IAF to 0 seems to resolve the problem.  Unfortunately testing has shown it gets reset to 1 after a reboot.

Are Sophos aware of this and working on a proper fix?

Thanks,

Adam