
Sophos 9's Buffer Overflow Protection System (BOPS) and Internet Explorer 8

Hi,

Just wondering if anyone else has noticed any odd behavior of Internet Explorer since upgrading from Sophos 7 to Sophos 9?

We've found that a substantial portion of our machines (Windows XP, Windows Server 2003, and possibly even Windows 7) suffer from a reproducible but statistical-in-nature deadlock in Internet Explorer.

I originally reported the problem on Microsoft's Technet forums (http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/ef0a7af9-26b9-45b5-a05e-0cfd88c42aee); however, it soon became clear that the culprit was Sophos_detoured.dll, part of the BOPS in Sophos 9 (and the timeline of the problem occurred very shortly after upgrading substantial portions of our machines to Sophos 9 from the original Sophos 7 clients they had installed).

I notice someone else on the MS forums said they had the same problem, so I thought I'd post this here to achieve two things:

1. If other people experience this problem, they may know what's causing it instead of tearing their hair out about it

and

2. Perhaps other people have suggestions or advice

I should point out that we have an open ticket with Sophos about this at the moment [#2345512], and I've discovered at least two workarounds (which are both effectively the same workaround from different directions), so I'm not necessarily after assistance, just healthy discussion and information sharing.

As an aside, after I posted about this issue in a similar way on our internal forums, another IT staff member from a completely unrelated area responded along the lines of "Ahhh! That's what's causing it! We've just been reformatting and re-installing windows since we were stumped by the problems, and we never connected it with the recent upgrade to 9!"

And finally, the easiest workaround to the problem is to disable BOPS and reboot. There's a reghack that achieves effectively the same thing involving the AppInit_DLLs key (see the referenced Microsoft forum post for details if you're brave).

Cheers,

Jon.

  • Good afternoon everyone.

    In order to look into this issue further (I can appreciate some posters have active case references for this issue), can you ensure that cases are opened - ideally via www.sophos.com/support/query as this will automatically create a case reference for you - with Sophos diagnose logs (http://www.sophos.com/support/knowledgebase/article/33533.html), msinfo32 output (please save as .nfo file) and answers to the following questions.

    Brief rundown:

    Sophos Detoured is used by Sophos Anti-Virus for Buffer Overflow Protection (BOPS) and Host Intrusion Prevention System (HIPS).

    HIPS and BOPS information: http://www.sophos.com/support/knowledgebase/article/25044.html

    Registry information: http://www.sophos.com/support/knowledgebase/article/36501.html

    NOTE: On 64-bit platforms the Sophos_detoured.dll file is also found under HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs


    In order to investigate, please provide inline answers to these questions when logging a case.

    1. Were there any actual Buffer Overflow Detections?
    2. What was the first version of Sophos Anti-Virus this issue was discovered with?
    3. What change to the installation of Sophos Anti-Virus is necessary to resolve the conflict?
      1. Disabling the BOPS option in the Sophos Anti-Virus configuration (then reboot)?
      2. Disabling the HIPS option in the Sophos Anti-Virus configuration (then reboot)?
      3. Disabling both the BOPS and HIPS options in the Sophos Anti-Virus configuration (then reboot)?
      4. Removing the Detoured entry from the registry (then reboot)?
        • If the system is 64-bit, are both registry entries required to be removed or just one?
    4. Are there any other values present in AppInit_DLLs?
      1. Does changing the ordering of the values change the outcome of the issue (i.e. Sophos_detoured first/last in order)?
    5. Is the problem platform dependent? (Example: 32-bit only, Vista only etc…)
    6. Is there a succinct set of steps to cause/recreate the conflict (please list)?
      1. What is the reproduction rate (i.e. 100% every time, or one in five attempts, etc.)?
    7. What is the normal/expected behaviour?
      1. Does Detoured exacerbate a problem rather than cause it?
    8. Is the affected application on the latest version?
      1. Have you contacted the other vendor in case an issue is already known?
    9. If there is a server/client relationship relevant to the problem, which PC does Detoured need to be removed from?
      (Examples: Remote desktop connection, VPN connections, database connections, applications that require a server connection when run from the client)

    The more information we receive from yourselves the quicker we can isolate and fix this frustrating issue.

    Will

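To gather the answers Will asks for in questions 3.4, 4 and 4.1 (which entries AppInit_DLLs holds, in what order, and whether the 64-bit Wow6432Node key also carries one), here is an added read-only PowerShell audit script; it is not from the thread, from Sophos or from Microsoft. It assumes the standard AppInit_DLLs location under Windows NT\CurrentVersion\Windows and also reports LoadAppInit_DLLs and RequireSignedAppInit_DLLs where they exist (Vista and Windows 7 respectively; absent on XP/2003), so the same output can be pasted into a support case without changing anything on the machine.

```powershell
# Added example, not part of the thread: read-only audit of AppInit_DLLs on the
# native key and, on 64-bit Windows, the Wow6432Node key that Will's note mentions.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) {
        # 32-bit Windows has no Wow6432Node, so only the first key exists there.
        Write-Output "== $key : key not present (32-bit OS)"
        continue
    }
    $props = Get-ItemProperty -Path $key
    $raw   = [string]$props.AppInit_DLLs

    # Windows itself treats this value as space- or comma-delimited, so splitting
    # the same way yields the entries in the order the loader would walk them
    # (question 4.1: does Sophos_detoured load first or last?).
    $dlls = @($raw -split '[ ,]+' | Where-Object { $_ -ne '' })

    Write-Output "== $key"
    Write-Output ("AppInit_DLLs             : {0}" -f $(if ($raw) { $raw } else { '<empty>' }))
    # LoadAppInit_DLLs (Vista+) gates whether the list is honoured at all;
    # RequireSignedAppInit_DLLs (Windows 7+) additionally demands signed DLLs.
    if ($null -ne $props.LoadAppInit_DLLs) {
        Write-Output ("LoadAppInit_DLLs         : {0}" -f $props.LoadAppInit_DLLs)
    }
    if ($null -ne $props.RequireSignedAppInit_DLLs) {
        Write-Output ("RequireSignedAppInit_DLLs: {0}" -f $props.RequireSignedAppInit_DLLs)
    }

    # Enumerate entries with their position; flag the Sophos hook DLL and note
    # any path that no longer exists on disk (a stale entry is itself worth reporting).
    for ($i = 0; $i -lt $dlls.Count; $i++) {
        $entry = $dlls[$i]
        $name  = [System.IO.Path]::GetFileName($entry)
        $tag   = if ($name -ieq 'sophos_detoured.dll') { ' <-- Sophos BOPS/HIPS hook' } else { '' }
        $state = if (Test-Path -LiteralPath $entry) { 'present' } else { 'file not found' }
        Write-Output ("  [{0}] {1} ({2}){3}" -f ($i + 1), $entry, $state, $tag)
    }
    if ($dlls.Count -eq 0) { Write-Output '  (no DLLs listed)' }
}
```

Run it from an elevated PowerShell prompt on an affected and an unaffected machine and compare the two outputs; the entry count, order and Wow6432Node differences map directly onto questions 3.4, 4 and 4.1.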