Checksum Error on Internet Explorer

Running Windows 8 and every time a browser updates itself I have to manually update the checksums.  This time I rebooted and I suppose Internet Explorer had updated and now the firewall says the checksum does not agree.  But even when I go into the checksum list and replace the app, the checksum does not work.  I still get the checksum error.  I have verified that I am updating the checksum from the app I am running.  I can't figure out what is going on that the checksum when running is not the same as the checksum Sophos gets when it is simply on the hard disk. 

Any idea how to troubleshoot this problem?  It is getting so that I don't want to reboot my machine anymore because every time I do Sophos firewall has a problem granting access to valid apps.



This thread was automatically locked due to age.
  • Hello RalphMalph,

    can't say what the particular problem with IE 11(?) on Windows 8 is, but generally checksumming vs. automatic updates can be a little bit tricky if Interactive Mode is not available (which isn't on Windows 8).

    If the client is managed (I assume it is) it's easier to deal with this from the SEC and use the Firewall Events viewer to add the checksum to the policy.

    Christian

  • Hi Christian,

    Maybe I didn't explain myself clearly.  I *AM* updating the checksum manually in the Sophos firewall configuration.  I go to the checksums tab and click "add", navigate to the location of iexplore.exe and select it.  When I click "open" the checksum is added to the list.  But even if I restart the Internet Explorer application it is flagged as a wrong checksum when I try to access the Internet. 

    But it gets worse.  The revision number in IE was not the same as reported by Sophos so I thought I would rename the app and see if I could get Sophos to recognize the correct revision number.  That part worked, but now I can't rename the app back to iexplore.exe.  I am stopped by the protections.  Silly protections let me rename the thing, but now stop me from renaming it back???  wth...  I made a copy of the file and named it iexplore.exe and this has the old revision number and of course Sophos won't allow it to access the Internet... you guessed it, bad checksum.

  • Oh, the IE revision is 10.00.9200.16384 or 10.00.9200.16798 depending on which one we are talking about.

  • Hello RalphMalph,

    this is perhaps not a checksum issue, but first:

    "Maybe I didn't explain myself clearly.  I *AM* updating the checksum manually ..."

    Maybe it was me who didn't explain himself clearly :) - the alert just names the application but doesn't include the path AFAIK. One might think that adding the checksum locally is a no-brainer, but some applications have more than one executable (e.g. 32bit and 64bit version) which comes into question. Still this is not a big problem but it's easier to add the checksum from the alert on the console.

    Anyway - "The revision number in IE was not the same as reported by Sophos"

    Apparently the file executed was not the same for which you added the checksum. As the checksums "stick" (unless you remove them) once you've added them for all versions present it doesn't matter which one is called. Wonder from where iexplore.exe was picked up after you have renamed it (BTW: dunno about Windows 8 but IE is usually "protected" by the System File Checker and immediately restored if you rename or delete it).

    Please make sure that the checksum recorded in the firewall log (Events -> New or modified application) is indeed in the list for iexplore.exe. If it is and it still doesn't work, uncheck the option to make sure it's not some other issue (similar to the one in this post - though it shouldn't apply as Block hidden processes is Unavailable on Windows 8. Functionality is provided by HIPS - but who knows).

    Christian

  • In my first post, "I have verified that I am updating the checksum from the app I am running."  I opened the shortcut and followed the path to find the executable which I then added to Sophos.  That was why I renamed the app.  When I renamed it I could no longer run it.  So that shows I have the correct executable. 

    The checksum reported under Events is not the same as the checksum in the app list.  But I have no other way to add it than to use the provided tools which don't seem to get the correct checksum.  Is it possible that the executable is somehow modified when run so that the checksum changes?  The path being used is "C:\Program Files\Internet Explorer". 

    I am using Firefox in the meantime and I have similar problems with Flash reporting a wrong checksum even after I have added it to the list and restarted the app.  I will check to make sure Flash exits once I close Firefox.

  • iexplore.exe is showing up as a "modified application".  What does that mean?  How could it be modified every time it is started? 

    Flash player shows up as "New application".

  • I saw the other post before I started this thread.  When I "Allow all traffic" IE works ok. 

  • Hello RalphMalph,

    modified application means that the application is already known (i.e. there are already one or more checksums listed) but the observed checksum is not on the list. Sysinternals' Process Explorer will show the image path for a specific process - as IE starts "itself" as child process there's usually more than one iexplore.exe running. 

    Christian

  • That did the trick!  It showed there are TWO copies of IE running, one in Program Files and one in Program Files (x86).  Amazing...

  • That seems to have made it all work.  Thanks.  I think I'll be using this one more in the future.  :)

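
The check that resolved this thread, finding that iexplore.exe was running from both Program Files and Program Files (x86), can also be done from PowerShell; the following is an added example, not part of the original posts and not Sophos tooling. Assumptions: the function name `Get-RunningImage` is hypothetical, `Get-FileHash` needs PowerShell 4.0 or later, and SHA-256 is used only to tell the files apart, since the thread does not say which algorithm the firewall uses for its checksums.

```powershell
# Added example: list every distinct executable image behind the running
# processes of a given name, with file version and SHA-256, so each image can
# be matched against the firewall's checksum list.
# SHA-256 here only distinguishes the files; it is not claimed to be the
# value the Sophos firewall records.
function Get-RunningImage {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[\w.-]+$')]   # keep the name safe to embed in the WQL filter
        [string]$Name                    # process name without .exe, e.g. 'iexplore'
    )

    # Win32_Process reports ExecutablePath for 32-bit and 64-bit processes alike.
    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$Name.exe'"

    $procs |
        Where-Object { $_.ExecutablePath } |        # empty when the caller lacks rights
        Group-Object -Property ExecutablePath |     # one group per distinct image on disk
        ForEach-Object {
            $path = $_.Name
            [pscustomobject]@{
                Path        = $path
                Pids        = ($_.Group.ProcessId | Sort-Object) -join ','
                FileVersion = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
                SHA256      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
}

# Start Internet Explorer first, then run the check.
$images = @(Get-RunningImage -Name 'iexplore')
$images | Format-List

if ($images.Count -gt 1) {
    Write-Warning "$($images.Count) different iexplore.exe images are running; each one needs its own checksum entry."
}
```

Run it from an elevated prompt so that `ExecutablePath` is populated for every instance.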