
Sophos 9's Buffer Overflow Protection System (BOPS) and Internet Explorer 8

Hi,

Just wondering if anyone else has noticed any odd behavior of Internet Explorer since upgrading from Sophos 7 to Sophos 9?

We've found that a substantial portion of our machines (Windows XP, Windows Server 2003, and possibly even Windows 7) suffer from a reproducible but statistical-in-nature deadlock in Internet Explorer.

I originally reported the problem on Microsoft's TechNet forums (http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/ef0a7af9-26b9-45b5-a05e-0cfd88c42aee); however, it soon became clear that the culprit was Sophos_detoured.dll, part of the BOPS in Sophos 9 (and the timeline of the problem occurred very shortly after upgrading substantial portions of our machines to Sophos 9 from the original Sophos 7 clients they had installed).

I notice someone else on the MS forums said they had the same problem, so I thought I'd post this here to achieve two things:

1. If other people experience this problem, they may know what's causing it instead of tearing their hair out about it

and

2. Perhaps other people have suggestions or advice

I should point out that we have an open ticket with Sophos about this at the moment [#2345512], and I've discovered at least two workarounds (which are both effectively the same workaround from different directions), so I'm not necessarily after assistance, just healthy discussion and information sharing.

As an aside, after I posted about this issue in a similar way on our internal forums, another IT staff member from a completely unrelated area responded along the lines of "Ahhh! That's what's causing it! We've just been reformatting and re-installing Windows since we were stumped by the problems, and we never connected it with the recent upgrade to 9!"

And finally, the easiest workaround to the problem is to disable BOPS and reboot. There's a reghack that achieves effectively the same thing involving the AppInit_DLLs key (see the referenced Microsoft forum post for details if you're brave).

Cheers,

Jon.

:3208


  • I am still dealing with this issue as well. I have opened Support Case 2381079 w/Sophos and am supplying them with information as requested. However, things are slow going as the problem only intermittently occurs for me.

    :4129
  • I'm still testing this, but so far today, after I disabled Java (the IE add-on), it hasn't frozen up on me. Give this a try and see if it works for you. I'll try and report back later how it goes for me.

    The add-ons I disabled were Java(tm) Plug-In 2 SSV Helper -and- JQSIEStartDetectorImpl Class

    :4204
  • Hi Ross,

    We've tried disabling ~all~ add-ons, and this includes Java.

    Regards,

    Jon.

    :4212
  • It still is freezing up, although it doesn't seem to happen as often... at least for me.

    :4246
  • I now have reports of some users running Windows XP and IE7 that are experiencing this issue, so maybe it is not limited to just IE8?

    :4472
  • Wanted to bump this thread as we're running into the same issue in our organization. It affects one of our web-based business applications when trying to print. Removing the detoured dll fixes the issue, and as usual, Sophos can't reproduce their issue in their labs. I called up support and in 9.5, apparently you can exclude the detour.dll from loading. I haven't tried it yet but I figured I would post it:

    •  Click Start, click Run, type regedit, and then click OK.
    •  Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\SetupOptions
    •  On the Edit menu, point to New, and then click String Value.
    •  In the details pane, type DetourDLLState for the new value, and then press ENTER.
    •  Right-click DetourDLLState and then click Modify.
    •  In the Value data box, type excluded and then click OK.
    •  Exit Registry Editor.
    •  A reboot of the computer is required in order to unload the Sophos_Detoured.dll from the running processes

    :5101
  • Hi APNick,

    I'm still in discussions with Sophos' Engineers but our progress to date has been glacial.

    Regards,

    Jon.

    :5196
  • I upgraded to SAV 9.5, and still saw the IE hangs -- just not as often.

    I called Sophos Tech Support back and they suggested that I remove the Sophos entry in the AppInit_DLLs registry key.  They said that they should have a real fix ready early next year.

    It took APNick's information about the DetourDLLState key to make this fix more permanent. Otherwise the AppInit_DLLs entry would reappear every once in a while. (How often does Sophos release updates that re-create that key? Once a month?)

    :5474
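A read-only way to check the state the two posts above describe (whether the Sophos DLL is currently listed in AppInit_DLLs, whether DetourDLLState is set, and whether the DLL is still loaded in running processes pending a reboot). This is an added example, not part of any post in the thread and not a Sophos tool; the Sophos subkey, value name and DLL name are taken from the thread, while the AppInit_DLLs locations are the standard Windows ones and the Wow6432Node check is an assumption for 64-bit systems.

```powershell
# Added example: read-only audit, changes nothing. Run from an elevated prompt.
$dllName   = 'sophos_detoured.dll'                          # name as given in the thread
$sophosKey = 'HKLM:\SOFTWARE\Sophos\SAVService\SetupOptions' # subkey as given in the thread
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view (assumption)
)

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

$listed = $false
foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    # AppInit_DLLs is a space- or comma-delimited list of DLL paths
    $entries = @([string](Get-RegValue $key 'AppInit_DLLs') -split '[ ,]+' | Where-Object { $_ })
    $hit = [bool]($entries | Where-Object { $_ -like "*$dllName*" })
    if ($hit) { $listed = $true }
    "{0}`n  LoadAppInit_DLLs = {1}`n  entries = {2}`n  Sophos DLL listed = {3}" -f `
        $key, (Get-RegValue $key 'LoadAppInit_DLLs'), ($entries -join '; '), $hit
}

$state = Get-RegValue $sophosKey 'DetourDLLState'
"DetourDLLState = $(if ($null -eq $state) { '<not set>' } else { $state })"

# Processes that still have the DLL mapped (it stays loaded until reboot).
# Processes whose module list cannot be read are skipped.
$loaded = foreach ($p in Get-Process) {
    try {
        if ($p.Modules | Where-Object { $_.ModuleName -like $dllName }) { $p.ProcessName }
    } catch { }
}
"Processes with $dllName loaded: $(@($loaded | Sort-Object -Unique) -join ', ')"

if ($listed -and $state -eq 'excluded') {
    'AppInit_DLLs entry is present although DetourDLLState is "excluded" (re-created, or reboot pending).'
} elseif ($listed) {
    'AppInit_DLLs entry is present and no exclusion is set.'
} else {
    'Sophos DLL is not listed in AppInit_DLLs.'
}
```

Running it again after each product update shows whether the AppInit_DLLs entry has come back.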
  • Just for fun, here is a link to a blog post I found discussing the usefulness of AppInit_DLLs :)

    AppInit_DLLs should be renamed Deadlock_Or_Crash_Randomly_DLLs - http://blogs.msdn.com/b/oldnewthing/archive/2007/12/13/6648400.aspx

    :5475
  • Hi All,

    I've tested a beta version of the new sophos_detoured.dll file and it seems to resolve the issue, at least on my machine, and at least as far as I can tell at the moment.

    Regards,

    Jon.

    :5484