
Sophos 9's Buffer Overflow Protection System (BOPS) and Internet Explorer 8

Hi,

Just wondering if anyone else has noticed any odd behavior of Internet Explorer since upgrading from Sophos 7 to Sophos 9?

We've found that a substantial portion of our machines (Windows XP, Windows Server 2003, and possibly even Windows 7) suffer from a reproducible but statistical-in-nature deadlock in Internet Explorer.

I originally reported the problem on Microsoft's Technet forums (http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/ef0a7af9-26b9-45b5-a05e-0cfd88c42aee) however it soon became clear that the culprit was Sophos_detoured.dll, part of the BOPS in Sophos 9 (and the timeline of the problem occurred very shortly after upgrading substantial portions of our machines to Sophos 9 from the original Sophos 7 clients they had installed.)

I notice someone else on the MS forums said they had the same problem, so I thought I'd post this here to achieve two things:

1. If other people experience this problem, they may know what's causing it instead of tearing their hair out about it

and

2. Perhaps other people have suggestions or advice

I should point out that we have an open ticket with Sophos about this at the moment [#2345512], and I've discovered at least two workarounds (which are both effectively the same workaround from different directions), so I'm not necessarily after assistance, just healthy discussion and information sharing.

As an aside, after I posted about this issue in a similar way on our internal forums, another IT staff member from a completely unrelated area responded along the lines of "Ahhh! That's what's causing it! We've just been reformatting and re-installing windows since we were stumped by the problems, and we never connected it with the recent upgrade to 9!"

And finally, the easiest workaround to the problem is to disable BOPS and reboot. There's a reghack that achieves effectively the same thing involving the AppInit_DLLs key (see the referenced microsoft forum post for details if you're brave.)

Cheers,

Jon.

:3208


  • Hi PhilB, this would be a different issue between SAV and Citrix, usually caused by the order of DLLs loaded under the AppInit key. I have sent you an email within the case you have logged with Sophos Technical Support.

    :3883
  • Hi Phil,

    Can't comment on the citrix issue, but the other one where IE hangs 2-3% of the time sounds exactly like the deadlock issue. Removing the entry from AppInit_DLLs will fix the issue, however the client will re-add that entry occasionally, so just be aware stuff doesn't stay "fixed" forever :(

    Regards,

    Jon.

    :3886
  • Thanks WB (got the email and replied) and thanks JonKloske too. I may remove the entry from the other two servers to see if it is in fact the cause, but I'm just concerned that the entry must be there for a reason and as any malware we experience invariably comes in through IE (and is caught by Sophos, which is good of course) I don't want to disable anything that's actually useful. Eek.

    Thanks,

    Phil.

    :3889
  • Hi Phil,

    It's not going to break anything, but it does mean that Buffer Overflow Protection is effectively disabled. Frankly, I've seen the HIPS stuff be useful in finding previously undetected viruses but I've never known the BOPS stuff to visibly do anything useful (particularly not if you've already turned on DEP across your network, which is a good idea, and in fact the BOPS article seems to state that BOPS is turned off on Vista and x64 windows versions because DEP already does everything it can do in those cases anyway.)

    Regards,

    Jon.

    :3890
  • Jon is spot on, essentially we need to check if the change to appinit fixes the issue in relation to Citrix, if not we will need to dig a bit further.

    Generally the solution isn't always one size fits all, and I would recommend logging a case with myself or my colleagues via support@sophos.com. If you can include answers to my previous post (I know it's a pain, but it allows us to build a bigger picture of what you are seeing), it reduces the need to ask question after question.

    Certainly if people are experiencing issues with SAV 9.5 that were not present with SAV 7.6 or 9.0.x we need to know so we can fix them for you.

    :3891
  • Hi Sandy, I have had a ticket open with Sophos for over a month about this, but am so far finding the extraordinary number of very difficult hoops I am being made to jump through extremely taxing. The ticket is still in the "more information needed" stage, which at this rate indicates the Mayan Long Count calendar may wrap before Sophos manages to wrap this up. Regards, Jon
    :3901
  • Hi Jon

    Can you please PM me the case reference of the open case, and I will discuss this with the case owner.

    Many thanks

    :3911
  • From what is posted in this thread here and the MS thread, this all sounds very familiar and we dealt with it already last year using SAV7 and XP SP2 (x86), but in our case JAVA 1.5.x was involved. We had to remove Sophos_Detoured.dll from the AppInit key as it was causing IE7 to crash randomly. Though Sophos_detoured.dll was NOT causing the problem, it was somehow involved. I forgot the exact details, but I think it was the Jinitiator/JRE crapping out causing all the grief. That is what it seemed at the time.

    Single-core vs. multi-core CPUs is a good hint, as is the order in which the AppInit entries are loaded. I've seen in your example that you have the Google Update Service appear first!

    Here's our case no and more information: #1368523

    Problem/Issue:

    Customers are reporting that when they try to initialize an object heap of 1GB+ in the Sun Java client an error now occurs as of 7.6.10, when Detoured is removed from AppInit_DLLs the problem stops.

    Sophos product and version:

    SAV for Windows 2000/XP/2003 7.6.10


    Operating system:

    Windows XP
    Windows 2003

    Technical Information:

    When Java VM tries to reserve a contiguous block of memory bigger than 1.2gb it cannot because Sophos_Detoured.dll is located in the middle of that address range, reducing the memory reservation size to 1.2gb or lower does resolve the problem. The fix involves rebasing (relocating) the DLL in memory so that it does not get in the way of an application trying to reserve 1.2gb+ in one contiguous block

    Actions/What to do:

    This issue is scheduled to be fixed in the Sophos Anti-Virus 7.6.11 release due for release in late August 2009

    There are two workarounds in place:

    a) Remove Detoured from the registry (Disables BOPS):


    1. Backup the registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    2. Remove C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL from

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

    3. Log off and back on


    (Restore the backup and log off and back on to restore detoured (BOPS))

    b) Initialize Java with a value under 1GB

    example

    java -mx512M -ms512M -XX:MaxPermSize=512M -version

    :3914
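    The registry steps in workaround (a) above, as an added PowerShell example that is not part of the thread and not Sophos' own tooling. It audits the AppInit_DLLs value in load order (the thread notes that order matters), exports the key as a backup before anything is changed, and only then removes the Sophos entry, leaving the other entries in place. Assumptions, labelled in the comments: the value is a REG_SZ whose entries are separated by spaces or commas (the XP/2003 format), and the Sophos entry appears either as the 8.3 short path quoted in the support case (`...\SOPHOS~1.DLL`) or under its long file name; the match pattern and function names are hypothetical.

```powershell
# Added example (not from the thread or from Sophos): audit, back up and optionally
# edit the AppInit_DLLs value that workaround (a) changes.
# Assumption: REG_SZ value with space- or comma-separated entries (XP / Server 2003 format).
$KeyPath    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$RegExePath = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$ValueName  = 'AppInit_DLLs'
# Hypothetical pattern: matches the long name or the 8.3 short name quoted in the case text.
$SophosPattern = '(?i)(\\sophos_detoured\.dll|\\SOPHOS~1\.DLL)$'

function Get-AppInitEntries {
    # Returns the entries in the order Windows will load them (order matters, per the thread).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    $raw = [string]$item.$ValueName
    if ($raw.Trim() -eq '') { return @() }
    return @($raw -split '[ ,]+' | Where-Object { $_ -ne '' })
}

function Show-AppInitAudit {
    # Prints each entry with its load position and flags the Sophos BOPS hook.
    $entries = Get-AppInitEntries
    if ($entries.Count -eq 0) {
        Write-Output 'AppInit_DLLs is empty: BOPS hook not present (or already removed)'
        return
    }
    $i = 0
    foreach ($e in $entries) {
        $i++
        $tag = if ($e -match $SophosPattern) { '<- Sophos_Detoured (BOPS)' } else { '' }
        Write-Output ('{0}: {1} {2}' -f $i, $e, $tag)
    }
}

function Backup-AppInitKey {
    param([string]$OutFile = (Join-Path $env:TEMP 'AppInit_DLLs_backup.reg'))
    # Step 1 of the workaround: reg.exe export writes a .reg file that
    # 'reg import <file>' restores later to bring BOPS back.
    & reg.exe export $RegExePath $OutFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed; not touching $ValueName" }
    return $OutFile
}

function Remove-SophosDetouredEntry {
    # Step 2 of the workaround: drop only the Sophos entry and keep the others in order.
    # This disables Buffer Overflow Protection until the key is restored; as noted in the
    # thread, the client may re-add the entry on its own, so re-run the audit periodically.
    $backup  = Backup-AppInitKey
    $entries = Get-AppInitEntries
    $keep    = @($entries | Where-Object { $_ -notmatch $SophosPattern })
    if ($keep.Count -eq $entries.Count) {
        Write-Output 'No Sophos_Detoured entry found; nothing changed'
        return
    }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value ($keep -join ' ')
    Write-Output "Removed Sophos_Detoured from $ValueName (backup: $backup). Log off and on for step 3."
}

Show-AppInitAudit
# Review the audit output first, then uncomment to apply workaround (a):
# Remove-SophosDetouredEntry
```

    Run it in an elevated PowerShell session on the affected client. The audit alone is safe to run anywhere and is the quickest way to confirm whether a machine still has the hook installed and where in the load order it sits; the removal function should only be used as the thread describes, as a temporary workaround while the support case is open, since it turns BOPS off for every process that loads user32.dll.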
  • Hi All,

    Just to report that last night I upgraded my client from 9.0 to 9.5, and I can't seem to reproduce the problem anymore on this version. I'll try and reproduce the lack of reproducibility on a different currently affected client by upgrading it from 9.0 to 9.5 and report back soon.

    Regards,

    Jon.

    :3928
  • Hi All,

    Just to report back in: fewer clients are affected with 9.5, but there are still a number of clients that are affected with a fully updated 9.5 client.

    So I guess back to the drawing board, and I'll continue my efforts with support@ (sigh).

    Regards,

    Jon.

    :4098