Is there an issue with Sophos Intercept X and Internet Explorer 11?

We have been experiencing this issue since November of 2017 and finally pinned it down to Sophos as well.  I had to disable Web Browser Projection on 900 PCs because this has rendered them useless.  Hopefully Sophos can get this resolved.

I hope they get the Internet Explorer Lockdown issue fixed as well.

Hello Brian,

Did you get a permanent fix from Sophos in this regards? We Just started rolling out Win 10-1709 and we bumped into this issue on test boxes. 

So just checking?

It's been weeks since I've heard anything from Sophos support on any of my open issues.  I've never had such a poor experience with an enterprise level company.  So disappointing.  We're getting by with features disabled on many PCs.

Sophos have confirmed that there is an issue and they are currently working on the problem.  The issue appears to indicate an issue with how Sophos interacts with dinput8.dll.  We are excluding browsers from exploit mitigation and IE11 is now stable under these conditions.

Sophos have confirmed that there is an issue and they are currently working on the problem.  The issue appears to indicate an issue with how Sophos interacts with dinput8.dll.  We are excluding browsers from exploit mitigation and IE11 is now stable under these conditions.

Just adding a 'Me Too' to this issue. Started as soon as machines updated to Windows 10 1709. Going to try removing browsers from exploit mitigation an see if that helps while we are waiting for a Sophos fix

Finished a remote session with Sophos Support last night.  I referenced this thread in my Support ticket to Sophos.  While not the exact issue originally reported, they did identify similar behavior.  Support emailed me a good follow up:

we found that the reason these detections are being generated is due to the interaction between the hmpa scanning internet explorer and the "dinput8.dll" Active-X control driver being loaded into the web browser. Reviewing the documentation from development, this issue is due to both of the drivers trying to modify the same bit of memory. This causes what is known as a "Race Condition" with the two drivers causing the webpage to stop loading data appropriately. Intercept X will protect the memory spaces after the initial alteration made by loading the drivers, however with the interactions that we have seen, the loaded DLL will spawn another process that comes back and needs to make a change to the now protected memory location resulting in the crash.

At this time, the suggested workaround if you have functions that need to be performed through IE is to disable the scanning of Web Browsers. This will effectively stop Intercept X from protecting the memory spaces in use by Internet Explorer so that this app crash no longer occurs. It is possible to do so by navigating into the Threat Protection policy that is assigned to the affected machine(s) in order to de-select the check box "Protect Web Browsers" located under "Runtime Protection"

Our development teams have a fix slated to be released in Q2 of 2018. At this time the fix is in the testing phase. I will be passing the logs collected during our session, over to our development teams for further investigation should this be needed. Moving forward if you would like an updated ETA on the release of this fix, please feel free to call or e-mail in and reference the following code [WINEP-12407] and our techs will be able to provide you with some additional information if it has been released. I will be setting this case to an awaiting product status and will update you as additional information is released by our development teams.

That is awesome news (I think).  It stinks that we have to disable protection of browsers but I guess the first step is admitting that there is a problem:)  I look forward to getting this issue finally behind us.

DevinBrown said:

Finished a remote session with Sophos Support last night.  I referenced this thread in my Support ticket to Sophos.  While not the exact issue originally reported, they did identify similar behavior.  Support emailed me a good follow up: 

Awesome - thanks!

Adam

Thank you so much for posting this! it is the most informative response from Sophos we have seen so far.

:D

I also have this issue on some computers

Well noted and thank you sharing important information with us.

Hi Everyone,

The reported issue is brought to the attention of the concerned team and it is actively being investigated internally by our team (ID reference: WINEP-12407). I will keep this thread updated periodically with developments.  At the moment I believe jak has already provided the possible workarounds and the logs that would be required for the support to investigate it.

I reported this issue in December, 4 months ago.  Sad.

I have been told by the Support the Next Release of Q2 This would be fixed. Right now Windows 10  - 1709 are being rolled out with Browser Protection Disabled.

Gowtham Mani I Hope this would be solved with the Q2 Release.