
Error with Sophos 9.5.x and Outlook 2007 hanging

We have run into an issue where the sophos_detoured.dll included with Sophos 9.5.x is causing our machines with Outlook 2007 SP2 to hang (XP SP3).

After a few days of troubleshooting with Microsoft, they pointed us in the direction of the sophos_detoured.dll.

Renaming the sophos_detoured.dll "fixes" the issue.

Here is what we have:

Any machine with the configuration mentioned above that has never turned on reading pane is fine.

If reading pane is enabled, it crashes until all add-ins are disabled.

If reading pane is enabled and then disabled, it crashes until all add-ins are disabled.

We can consistently recreate the issue on all of our machines.

Sophos cannot recreate the issue but has acknowledged a very small population of clients exhibiting the same error.

Anyone out there seen this and have a fix that does not involve renaming the dll and thus rendering BOPs useless?

This is the only KB with any mention of an issue on this file http://www.sophos.com/support/knowledgebase/article/112099.html

Sophos' recommendation is to rename the path of this file in the registry so that the dll doesn't load until they have a permanent fix.

Adding outlook.exe to the Application Authorization on Buffer Overflow has no effect on the issue and neither does turning off BOPs through policy.

This thread was automatically locked due to age.
  • Hi,

    I have a couple of questions and some advice.

    As detoured is used for a few functions within the software as listed here:

    http://www.sophos.com/support/knowledgebase/article/112099.html

    Are you using Data Control on these machines?  If so, if you disable it, does the problem go away?

    As a more permanent workaround to disabling detoured I was given the key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\SAVService\SetupOptions]

    "DetourDLLState"="excluded"

    Note: Adjust path for 32bit.

    Then remove the reference from:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

    to the Sophos dll, leaving other entries as they are if present.

      

    You would then need to reboot to unload detoured from existing processes. 

    The above registry key will prevent detoured being rewritten on updates as just removing it from the AppInit_DLLs will not prevent it being re-created. 

    Therefore I would suggest:

    1. Disable Data Control as a test if it is enabled.

    2. Roll out the above key changes to the affected machines as a short term workaround.

    3. Leave one test machine unchanged and exhibiting the problem that Support can assist with if possible.

    The information I would supply to Support would be:

    1. An SDU log (http://www.sophos.com/support/knowledgebase/article/33533.html)

    2. A process dump of Outlook.exe when hung. 

    Getting the application to hang and then create a memory dump of the process using something like:
    http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

     

    E.g. procdump.exe -ma outlook.exe

    A process dump might be enough; if not, a full memory dump would be good to have waiting in the wings, so to speak.

    To do so, you can crash a machine using the keyboard following this article:

    http://msdn.microsoft.com/en-us/library/ff545499.aspx

    And ensure the machine has Full dump selected in the computer properties - advanced system settings - startup and recovery options.  Again trigger the machine to crash when the application is hung.  Also you might want to take some memory out of the machine to reduce the size of the crash file when doing this.

    That should be enough information to diagnose the problem.  Possibly 2 crashes of each just to compare might be worth doing.

      

    Regards,

    Jak
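
The registry workaround described in the reply above, as an added PowerShell example that is not part of the original post and is not Sophos tooling. It reports by default and writes only with `-Apply`; the 32-bit SetupOptions path, the `sophos` match pattern (chosen because the entry may be stored as an 8.3 short path) and the backup file name are assumptions.

```powershell
param(
    [switch]$Apply,               # without -Apply the script only reports
    [string]$Pattern = 'sophos'   # assumption: identifies the Sophos entry
)
# Added example, not Sophos tooling. Run elevated.
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
# First path is the one in the post; the second is the assumed 32-bit equivalent.
$setupKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Sophos\SAVService\SetupOptions',
    'HKLM:\SOFTWARE\Sophos\SAVService\SetupOptions'
)

# AppInit_DLLs is one string holding a space- or comma-delimited list of DLLs.
$current = [string](Get-ItemProperty -Path $winKey -Name AppInit_DLLs).AppInit_DLLs
$entries = @($current -split '[ ,]+' | Where-Object { $_ })
$drop    = @($entries | Where-Object { $_ -match $Pattern })
$keep    = @($entries | Where-Object { $_ -notmatch $Pattern })

"Current AppInit_DLLs : $current"
"Entries to remove    : $($drop -join ' ')"
"Entries to keep      : $($keep -join ' ')"

if ($drop.Count -eq 0) { 'No matching entry; nothing to change.'; return }
if (-not $Apply)       { 'Dry run; re-run with -Apply to write.'; return }

# Keep a copy of the original value so the change can be reverted.
$backup = Join-Path $env:TEMP 'AppInit_DLLs.before.txt'
Set-Content -Path $backup -Value $current

# Step 1 from the post: mark detoured as excluded so updates do not re-add it.
$found = $false
foreach ($key in $setupKeys) {
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name DetourDLLState -Value 'excluded'
        $found = $true
    }
}
if (-not $found) { Write-Warning 'SetupOptions key not found; entry may return on update.' }

# Step 2: write back only the entries that did not match (space-delimited).
Set-ItemProperty -Path $winKey -Name AppInit_DLLs -Value ($keep -join ' ')

"Original value saved to $backup. Reboot to unload the DLL from running processes."
```

Review the dry-run output before applying, since any other vendor's entry that happens to match the pattern would also be removed.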
