New Sophos update unpleasantness

[dales]

Hi all,

Just thought I'd give you all a heads up, since monday when a new update of sophos has been rolled out over the our network we have some users that are reporting that explorer.exe will randomly crash due to DEP kicking in. I'm one of the people affected, I thought it was just me to start with but when users started trickling in calls to me with the same problem it became clear that it was not just me needing to clean up.

The problem isnt specific to a service pack as I am running xp pro sp 3 most other users are sp1 or sp2 (no auto patch management here) so it purely seems to be a problem with out AV.

Just to let you know incase any of you are scratching your head, also check out this EE thread which suggests a workaround but I'd rather wait out to find the cure.

http://www.experts-exchange.com/OS/M..._23778594.html

[Qs]

So that's what the damn thing is! We also use Sophos and have had a few users reporting problems.

Rep given matey! Saved me going hunting!

Qs

[UKDarkstar]

I was a SOPHOS Partner for many years but gave it up in 2007 due to continued issues like this and the fact they seemed to be going more "Enterprise" in their outlook.

We switched to ESET with NOD32 and didn't have as many problems with clients.

[zebulebu]

Sophos blows - end of.

Worst Enterprise AV vendor I've ever used.

McAfee destroys Sophos in effectiveness, ease of management, robustness and reliability. I've always used Trend at a gateway level and McAfee internally - though a lot of people I know use NOD and Kaspersky and swear by them.

[dales]

got an email back from sophos not really a fix but might be of help:

Hi Dale,

Part of the recent update included a web content scanner BHO.

Can you turn off the Web Content Scanner to see if this helps?

To do this, in IE go to tools-->manage add-ons-->click sophos web content scanner and disable it.

Let me know if it helps.

All the best

Donald Tibbetts


I've applied it to my machine to see if it helps so i'll let you know how I get on.

[Qs]

Quote:

Originally Posted by dales

got an email back from sophos not really a fix but might be of help:

Hi Dale,

Part of the recent update included a web content scanner BHO.

Can you turn off the Web Content Scanner to see if this helps?

To do this, in IE go to tools-->manage add-ons-->click sophos web content scanner and disable it.

Let me know if it helps.

All the best

Donald Tibbetts


I've applied it to my machine to see if it helps so i'll let you know how I get on.

I'll do it also. Will update the thread if I find anything else out.

Qs

[Modey]

Quote:

Originally Posted by zebulebu

Sophos blows - end of.

Worst Enterprise AV vendor I've ever used.

McAfee destroys Sophos in effectiveness, ease of management, robustness and reliability. I've always used Trend at a gateway level and McAfee internally - though a lot of people I know use NOD and Kaspersky and swear by them.

Yup, we ditched a Sophos about 18months ago and have never looked back. We use Panda AV now and it's much much better, but that wouldn't be difficult compared to Sophos.

It was the enterprise oriented version we were using btw.

[Sparky]

Good time to migrate over to NOD32

[dales]

To be fair this is the first problem sophos has given us apart from that its just worked. I do remember a couple of jobs ago that sophos used to be quite a regular thing to be called out for mind you!

[GoodApollo]

Quote:

Originally Posted by dales

got an email back from sophos not really a fix but might be of help:

Hi Dale,

Part of the recent update included a web content scanner BHO.

Can you turn off the Web Content Scanner to see if this helps?

To do this, in IE go to tools-->manage add-ons-->click sophos web content scanner and disable it.

Let me know if it helps.

All the best

Donald Tibbetts


I've applied it to my machine to see if it helps so i'll let you know how I get on.

And here is the KB Article that confirms you are correct Dales. Initially, we thought it was a MS update that was causing DEP to crash explorer.exe

[KK20]

I registered to add my agreement (was googling for DEP and sophos - I had an idea it was sophos)

We developed DEP explorer problems on our network this week. I run a very tight ship (a school). All users & machines locked down, no auto updates on programs OTHER than sophos. MS updates pushed from our server, software installed by GPO so I knew it wasnt another update or piece of software since sophos was the only piece of software that has updated this week. Users have no rights to install their own software. New devices are banned so USB pens dont work.

Plus - this weeks sophos update required a restart.

Do you have a link to the sophos KB article?

edit: found it http://www.sophos.com/support/knowle...cle/46484.html

[KK20]

from sophos:


Thought I'd give you an update on this.

PROBLEM:

As per:
Sophos Anti-Virus for Windows 2000+: Data Execution Prevention message displayed when closing Windows Explorer

WORKAROUNDS:

As well as the three solutions outlined in this article (1. disable the scanner locally, machine by machine, 2. disable the scanner globally using a domain group-policy, or 3. stop Explorer.exe from loading the Sophos Web Content Scanner),

- there's now a fourth option, a special 'RC2' build of Sophos Anti-Virus that comes with the web-scanner switched OFF by default. I'd recommend this one over the previous 3. You need to set EMLibrary to download it, as follows:

1) 'Select parent' in the EMLibrary Console needs to be set to 'es-central-3...' , not es-latest-3.... (choose it from the drop-down 'select parent' menu - your normal credentials should work).

2) Under the 'select packages' menu, select either :
(i) 'Windows Endpoint Security and Control 8.0 with SAV 7.6.0 RC2 VDL4.34E' , or
(ii) 'Sophos Anti-Virus for Windows 7.6.0 RC2 VDL4.34E'

- the 'RC2' in the name means it's the special build.

If you unsubscribe from your 'normal' SAV / Endpoint Security package BEFORE subscribing to the RC2 version, then you'll be able to download the RC2 into your usual Central Installation Directory, and your client PCs will update to it automatically.

Alternatively, specify a different CID, then change the client-PCs' updating policy accordingly.

Hope this helps.

Simon B.
Sophos Technical Support, Abingdon.
Contact Sophos technical support - Enterprise solutions

[MLP]

Thanks for this! I got this error on a machine just before leaving work today. I was just about to spend my evening searching for a fix, so you've saved my evening. Can play Halo 3 all night instead!

Rep Given.

Maria