Starting Dec 21st we started seeing a tremendous number of errors on both our Server Infrastructure and Endpoint devices. This created issues with certain .NET-related applications on end users' workstations that required restarting various applications. One particularly troublesome application was Mimecast For Outlook. Upon investigating, we found that the only resolution to fix these errors was to completely remove Sophos (obviously that's not a solution nor a risk we're willing to take).
Sample Errors -
28-12-2020 09:07:41,964 ERROR  HOST: Domain Unhandled Exception: System.IO.IOException: The pipe is being closed.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.Pipes.NamedPipeServerStream.BeginWaitForConnection(AsyncCallback callback, Object state)
at Mimecast.Mapi.Remote.NamedPipesServer.AcceptPipeConnection(IAsyncResult asyncResult)
at System.IO.Pipes.NamedPipeServerStream.AsyncWaitForConnectionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOverlapped)
at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP). IsTerminating: True (Program)
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.IOException
at System.IO.__Error.WinIOError(Int32, System.String)
at System.IO.Pipes.NamedPipeServerStream.AsyncWaitForConnectionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)
at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)
Is anyone else seeing this? We'll certainly open a Ticket with support but wanted to also understand the scope.
Hello. We have also observed the same behavior within our organization. The Mimecast for Outlook plugin specifically crashes and provides logs just like ignitor's.
Thank you for reaching out to us. By any chance, what was the OS of those machines where you observed this? Can you share some event logs? Also, are any errors being observed at the endpoint level?
The logs noted are at the endpoint level. However, we also see broken pipes with MS Exchange and other .NET apps.
We are also enrolled in the EAP.
We did also open a case, which I can share if it would be helpful.
Could you please PM me the case number that you have already registered?
By the way, systems impacted are both EAP and non-EAP. Stopping Sophos services also helps instead of completely removing.
After doing some sleuthing, it appears that the Sophos.Encryption.BitLockerService.exe is using up specific resources that is killing the Mimecast plugin. I have opened a support case with Mimecast, but their solution is to remove or stop Sophos which we obviously do not want to do. I will open a support case with Sophos with more findings.
We'll test stopping the Sophos.Encryption.BitLockerService.exe internally to help confirm.
Justin Rutkowski, here's the odd thing for us. This is impacting servers as well, and servers do not have Sophos.Encryption.BitLockerService.exe to my knowledge.
Justin Rutkowski - Are you by chance a Sophos MTR Customer?
Sophos Support Case 03493304 if needed by members of support. Yes, we are MTR Customers.
In my testing it appeared to be this service that was the cause of the error: Sophos Device Encryption Service (it calls upon the Sophos.Encryption.BitLockerService.exe I listed above). I set the service to Manual instead of Automatic Delayed Start, and while Sophos freaked out, I did not receive the Mimecast error. Looks like this service is running/set to Automatic Delayed Start even if the device is not configured with Sophos BitLocker encryption.
Can you give this a try as well? Disable the MTR service. We had to do this on the server side and are currently testing the workstation side. I currently believe it's the MTR service but we are testing both!