
Sophos 9's Buffer Overflow Protection System (BOPS) and Internet Explorer 8

Hi,

Just wondering if anyone else has noticed any odd behavior of Internet Explorer since upgrading from Sophos 7 to Sophos 9?

We've found that a substantial portion of our machines (Windows XP, Windows Server 2003, and possibly even Windows 7) suffer from a reproducible but statistical-in-nature deadlock in Internet Explorer.

I originally reported the problem on Microsoft's TechNet forums (http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/ef0a7af9-26b9-45b5-a05e-0cfd88c42aee); however, it soon became clear that the culprit was Sophos_detoured.dll, part of the BOPS in Sophos 9 (and the timeline of the problem occurred very shortly after upgrading substantial portions of our machines to Sophos 9 from the original Sophos 7 clients they had installed).

I notice someone else on the MS forums said they had the same problem, so I thought I'd post this here to achieve two things:

1. If other people experience this problem, they may know what's causing it instead of tearing their hair out about it

and

2. Perhaps other people have suggestions or advice

I should point out that we have an open ticket with Sophos about this at the moment [#2345512], and I've discovered at least two workarounds (which are both effectively the same workaround from different directions), so I'm not necessarily after assistance, just healthy discussion and information sharing.

As an aside, after I posted about this issue in a similar way on our internal forums, another IT staff member from a completely unrelated area responded along the lines of "Ahhh! That's what's causing it! We've just been reformatting and re-installing Windows since we were stumped by the problems, and we never connected it with the recent upgrade to 9!"

And finally, the easiest workaround to the problem is to disable BOPS and reboot. There's a reghack that achieves effectively the same thing involving the AppInit_DLLs key (see the referenced Microsoft forum post for details if you're brave).

Cheers,

Jon.

:3208


This thread was automatically locked due to age.
  • Hi Jon, that's great to hear! Any way we could get our hands on that DLL? Do you have a reference #?

    Also has anyone noticed an increase in web related malware since turning off the detour DLL?

    :5707
  • Hi APNick,

    The job number was listed in the original post that started this thread. It was #2345512.

    Regards,

    Jon.

    :5718
  • I am experiencing Internet Explorer 8 freezing on a bunch of computers here, usually when the user first runs IE8, pretty much as described in the original post.

    Did Sophos give any indication when the beta fix would be rolled into the main product? In the meantime I'll give the registry fixes above a shot and see how I get on.

    I'm not entirely sure it's the same issue but I want to rule it out before I investigate further. 

    :6153

  • Did Sophos give any indication when the beta fix would be rolled into the main product?

    This is the answer I got from support:

    There is a fix for this that should be installed along with the 9.5.4 release of the software. This should already have gone out.

    :6179
  • I just checked 3 systems, all running 9.5.4, all showing sophos_detoured.dll as version 9.5.0.9530, with 2 having modified dates of August (dates correspond with our upgrade from 9.0 to 9.5), so it doesn't appear to me that the 9.5.4 update updated this file. Can anyone confirm the version of the file that seems to resolve this issue?

    :6187
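
A read-only check for the two things compared in this thread, the AppInit_DLLs registry value from the opening post and the file version and modified date of each DLL it loads, as an added PowerShell example (not from any poster or from Sophos). The function name `Get-AppInitDllReport` is hypothetical, and `Get-FileHash` assumes PowerShell 4 or later.

```powershell
# Added example: report every DLL listed in AppInit_DLLs, with version, date and hash.
# Read-only; nothing is changed in the registry.
function Get-AppInitDllReport {
    param(
        [string[]]$RegistryPath = @(
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
            # 32-bit view on 64-bit Windows (used by 32-bit Internet Explorer)
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
        )
    )
    foreach ($path in $RegistryPath) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path

        # AppInit_DLLs is a single string; entries are separated by spaces or
        # commas, so long paths are usually stored in 8.3 short form.
        $entries = @("$($props.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })

        # LoadAppInit_DLLs exists on Vista and later (0 = listed DLLs are not
        # loaded). On Windows XP the value is absent.
        $load = if ($null -ne $props.LoadAppInit_DLLs) { $props.LoadAppInit_DLLs } else { '(not set)' }

        # Assumption: a bare file name is looked up in the system directory
        # that matches the registry view being read.
        $sysDir = if ($path -like '*Wow6432Node*') { "$env:windir\SysWOW64" } else { "$env:windir\System32" }

        foreach ($entry in $entries) {
            $full = if ([IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path $sysDir $entry }
            $file = Get-Item -LiteralPath $full -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Computer         = $env:COMPUTERNAME
                RegistryKey      = $path
                LoadAppInit_DLLs = $load
                Entry            = $entry
                Exists           = [bool]$file
                FileVersion      = if ($file) { $file.VersionInfo.FileVersion }
                LastWriteTime    = if ($file) { $file.LastWriteTime }
                SHA256           = if ($file) { (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash }
            }
        }
    }
}

Get-AppInitDllReport | Format-List
```

Matching hashes across machines show they carry the same build of a file even when the version string is the same or unhelpful.
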
  • Just checking in here. I am still getting intermittent IE8 hangs on my Win7 desktop even with removal of the AppInitDLL registry key entry and disabling the "Sophos Web Content Scanner" Addon. I continue to troubleshoot.

    :6217
  • Hi JasonC,

    The debug build of my file is 99.99.99.9999, which is spectacularly unhelpful. I'd md5 sum it for you to compare it with, but unless they're releasing it with that version number it's not going to help.

    As an aside, I notice our console has 9.54 set as the latest for the "9.5 recommended" stream, but it doesn't look like our clients are at that level yet (they only report 9.5 in the about page.) The update manager reads "Downloading binaries" so perhaps this update was only just made available to our customerid?

    Regards,

    Jon.

    :6219
  • Our organization is currently experiencing this problem now soon after upgrading from 3.0 to 4.5 SEC. I would like to know if a fix is planned for the near future. This rollout will effectively cripple 400 machines. What option do we have besides rollback to 3.0?

    :6959
  • Hi ReBoundIT:

    Could you please confirm if this has been raised with technical support?
    If yes, can you please reply to this post with your case reference.


    JonKloske:
    Please note the debug build of Sophos Detoured will not follow the version conventions of the Sophos release schedule.

    :7083
  • We had a similar problem.

    Even though Application Control was set to detect only, if IE8 was in the blocked, it would slow it down greatly and sometimes cause crashes of the application.

    Also, a small handful of machines still had a problem with IE8 and SAV9.

    They would completely crash quite quickly and often, making IE8 virtually unusable.

    At first an uninstall of IE8 and re-install did not work.

    And as a side note, the problem seemed worse with pages using Java.

    But more recently an uninstall of IE8, reboot, then full Windows updates (incl. IE8), has fixed the issue completely.

    Hope this helps someone!?!

    Let me know how you get on :)

    :8517