This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Is there an issue with Sophos Intercept X and Internet Explorer 11?

We have seen Internet Explorer crash on every machine we install Sophos Interecpt X on. All of the Computers are Windows 10 (ver 1709).

 

We have had to change main browsers because of the constant crashing. On first opening it crashes on my own machine everytime. I have checked the LoadAppInit_DLLS in the registry and both are 0 (following on from another thread I read here).

 

Any idea what to try?  I have gathered some dumps of the crashes but don't have the experience to look at them.

 

Thank you

N@




[locked by: SupportFlo at 10:57 PM (GMT -8) on 8 Mar 2019]
Parents
  • We have been experiencing this issue since November of 2017 and finally pinned it down to Sophos as well.  I had to disable Web Browser Projection on 900 PCs because this has rendered them useless.  Hopefully Sophos can get this resolved.

    I hope they get the Internet Explorer Lockdown issue fixed as well.

  • Hello Brian,

     

    Did you get a permanent fix from Sophos in this regards? We Just started rolling out Win 10-1709 and we bumped into this issue on test boxes. 

    So just checking?

  • It's been weeks since I've heard anything from Sophos support on any of my open issues.  I've never had such a poor experience with an enterprise level company.  So disappointing.  We're getting by with features disabled on many PCs.

  • Sophos have confirmed that there is an issue and they are currently working on the problem.  The issue appears to indicate an issue with how Sophos interacts with dinput8.dll.  We are excluding browsers from exploit mitigation and IE11 is now stable under these conditions.

  • Well Thanks for your response. Expect Sophos to look into this.

  • Just adding a 'Me Too' to this issue. Started as soon as machines updated to Windows 10 1709. Going to try removing browsers from exploit mitigation an see if that helps while we are waiting for a Sophos fix

  • Finished a remote session with Sophos Support last night.  I referenced this thread in my Support ticket to Sophos.  While not the exact issue originally reported, they did identify similar behavior.  Support emailed me a good follow up:

     

    we found that the reason these detections are being generated is due to the interaction between the hmpa scanning internet explorer and the "dinput8.dll" Active-X control driver being loaded into the web browser. Reviewing the documentation from development, this issue is due to both of the drivers trying to modify the same bit of memory. This causes what is known as a "Race Condition" with the two drivers causing the webpage to stop loading data appropriately. Intercept X will protect the memory spaces after the initial alteration made by loading the drivers, however with the interactions that we have seen, the loaded DLL will spawn another process that comes back and needs to make a change to the now protected memory location resulting in the crash.

    At this time, the suggested workaround if you have functions that need to be performed through IE is to disable the scanning of Web Browsers. This will effectively stop Intercept X from protecting the memory spaces in use by Internet Explorer so that this app crash no longer occurs. It is possible to do so by navigating into the Threat Protection policy that is assigned to the affected machine(s) in order to de-select the check box "Protect Web Browsers" located under "Runtime Protection"

    Our development teams have a fix slated to be released in Q2 of 2018. At this time the fix is in the testing phase. I will be passing the logs collected during our session, over to our development teams for further investigation should this be needed. Moving forward if you would like an updated ETA on the release of this fix, please feel free to call or e-mail in and reference the following code [WINEP-12407] and our techs will be able to provide you with some additional information if it has been released. I will be setting this case to an awaiting product status and will update you as additional information is released by our development teams.

  • That is awesome news (I think).  It stinks that we have to disable protection of browsers but I guess the first step is admitting that there is a problem:)  I look forward to getting this issue finally behind us.

Reply Children
No Data