Installed MS-EMET5-now getting errors from sophos dll

Installed the new version of Microsoft's EMET yesterday - http://www.microsoft.com/en-us/download/details.aspx?id=43714

When I tried to start Outlook, EMET 5.0 gets an error that indicates the 'caller' protection is preventing it from starting and will be aborted. When I look at the application log events, it shows as being associated with our AV product Sophos from what I can tell.

I disabled the 'caller' protection for Outlook and the application started.

Log Name:      Application
Source:        Application Error
Date:          8/6/2014 11:14:08 AM
Event ID:      1005
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:     
Description:
Windows cannot access the file C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program Microsoft Outlook because of this error.

Program: Microsoft Outlook
File: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL

The error value is listed in the Additional Data section.
User Action
1. Open the file again. This situation might be a temporary problem that corrects itself when the program runs again.
2. If the file still cannot be accessed and
    - It is on the network, your network administrator should verify that there is not a problem with the network and that the server can be contacted.
    - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for further assistance.

Additional Data
Error value: 2205000C
Disk type: 3
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="49152">1005</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-08-06T16:14:08.000000000Z" />
    <EventRecordID>39681</EventRecordID>
    <Channel>Application</Channel>
    <Computer></Computer>
    <Security />
  </System>
  <EventData>
    <Data>C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL</Data>
    <Data>Microsoft Outlook</Data>
    <Data>2205000C</Data>
    <Data>3</Data>
  </EventData>
</Event>

The condition above was reported to Microsoft on 8/6; as of this time, there has been no reply. However, an identical condition was experienced when I attempted to click on an unsubscribe link in an e-mail. An EMET dialog popped up and said the caller protection for Firefox was preventing that task and it would be halted. And again when I tried to open an .html file that was in an email attachment. The event log identified the same sophos.dll above (I can't fully qualify the name because it is being truncated).

We would like to deploy this to select users if they have been made a victim of malware more than once. However, disabling the caller protection for EMET for these commonly used apps will likely significantly reduce the effectiveness of these protections. Are y'all able to offer anything?

  • Thanks - I did open a ticket with Sophos and they told me to try to remove the values of an AppInit_DLL that is in the current version registry hive. I will have to give that a shot a little later but will update this thread with the status of success or something else.
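
Added example, not part of the original posts or of Sophos's or Microsoft's guidance: a read-only PowerShell check of the AppInit_DLLs values the reply refers to, which expands 8.3 short paths like the one in the event log to their full names and reports each DLL's signature. The registry paths are the standard AppInit_DLLs locations (an assumption about which key support meant), and the helper name Expand-ShortPath is hypothetical.

```powershell
# Added example: list every DLL registered under AppInit_DLLs (64-bit and 32-bit views),
# expand 8.3 short names to full paths, and show who signed each file. Changes nothing.

# GetLongPathName is the Win32 call that turns C:\PROGRA~2\... into its long form.
Add-Type -Namespace Win32 -Name PathUtil -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetLongPathName(string shortPath,
    System.Text.StringBuilder longPath, uint bufferLength);
'@

function Expand-ShortPath([string]$Path) {   # hypothetical helper name
    $buf = New-Object System.Text.StringBuilder 1024
    $len = [Win32.PathUtil]::GetLongPathName($Path, $buf, [uint32]$buf.Capacity)
    # 0 means the path does not exist; fall back to the value as stored
    if ($len -gt 0 -and $len -lt $buf.Capacity) { $buf.ToString() } else { $Path }
}

# Assumed to be the "current version" keys the reply means
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }

    # The value is a space- or comma-delimited list, which is why entries
    # under "Program Files" are stored as 8.3 short paths.
    $dlls = @("$($props.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })

    foreach ($dll in $dlls) {
        $long = Expand-ShortPath $dll
        $sig  = if (Test-Path -LiteralPath $long) { Get-AuthenticodeSignature -FilePath $long }
        [pscustomobject]@{
            Key             = $key
            LoadAppInitDLLs = $props.LoadAppInit_DLLs   # 0 = list is ignored, 1 = list is loaded
            StoredValue     = $dll
            FullPath        = $long
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
        }
    }
}
```

Recording this output before and after any change to the value gives a record of exactly which DLL was removed from the list and who signed it.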
