On Server 2012 R2 with Exchange and Intercept-X I see the eventlog full with errors caused by Sophos Network Threat Protection Agent.
One error per minute.
Fehler 04.03.2021 12:24:36 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:23:33 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:22:30 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:21:27 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:20:24 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:19:21 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:18:18 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:17:15 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:16:12 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:15:09 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:14:06 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:13:03 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 10:44:40 Kernel-EventTracing 2 Sitzung
Beim Starten der Sitzung "" ist der folgende Fehler aufgetreten: 0xC0000022.
Provider
[ Name] Microsoft-Windows-Kernel-EventTracing
[ Guid] {B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}
EventID 2
Version 0
Level 2
Task 2
Opcode 12
Keywords 0x8000000000000010
- TimeCreated
[ SystemTime] 2021-03-04T09:44:40.335409100Z
EventRecordID 217122
Correlation
- Execution
[ ProcessID] 3032
[ ThreadID] 13104
Channel Microsoft-Windows-Kernel-EventTracing/Admin
Computer Exchangeserver.localdomain.de
tasklist |find "3032"
SophosNtpService.exe 3032 Services 0 29.904 K
This must be a known issue - there has been a similar thread: https://community.sophos.com/intercept-x-endpoint/f/discussions/125059/kernel-eventtracing-id2-error-in-windows-server
What's the root cause?
i-X Versions:
Hi LHerzog
Error : Session "" failed to start with the following error: 0xC0000022 | Source: Kernel-EventTracing | Event ID: 2 |Level: Error |
From reviewing the logs and seeing the error, it seems that it is not a Sophos issue, but one that is outlined in the following KB by Microsoft. Let me know if it helps. https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/kernel-event-id-2-msft-netLbfoteamnic-class
Shweta
Hi,
this issue is exclusively caused by the PID of the Sophos process: SophosNtpService.exe
I don't think this is a Microsoft issue. Maybe SophosNtpService triggering some Windows component or itself acting like a teaming device?
This is a standard VM with no teaming, just a virtual vmxnet3 adapter.
I am getting this on my server 2012 R2 systems as well. Any progress on this problem? I first noticed it on some servers which used MS Network Load Balancing, but I see it on others that don't have this. All instances seem to have started on 3/7 in the early afternoon.
Hi Moltron5k, about the start date of the issue - in our case it is limited by the default size of the eventlog that contains them. It's only 1MB. It may have been there much longer.
LHerzog, I had that suspicion. I restored an event file from a few weeks ago and yup, it's full of those events. So, nothing new. Thought it was because this is a newer thread, and it was just coincidence on our side we had an application issue start around the same time as the oldest entry of these logs. Also, I don't see this happening on any 2019 servers.
Shweta, may I know why installing Sophos Endpoint is causing this? MS is suggesting the following:
Takeown /f c:\windows\inf
icacls c:\windows\inf /grant "NT AUTHORITY\NETWORK SERVICE":"(OI)(CI)(F)"
icacls c:\windows\inf\netcfgx.0.etl /grant "NT AUTHORITY\NETWORK SERVICE":F
icacls c:\windows\inf\netcfgx.1.etl /grant "NT AUTHORITY\NETWORK SERVICE":F
These commands grant the necessary file permissions to prevent the error logging in this scenario.
btw: changing the permissions of the files as suggested by MS does not fix the errors. Even after a reboot.
The administrative events view in Windows eventlogs is really useless now because it is flooded by this junk.
Please Sophos suggest something to get rid of this. As stated, it is caused by SophosNtpService.exe
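The thread attributes the events by matching the ProcessID in the event details against tasklist output by hand. The same correlation over the whole channel, as an added PowerShell example (not part of the thread and not Sophos or Microsoft code); the 24-hour look-back window is an assumption:

```powershell
# Added example: attribute Kernel-EventTracing Event ID 2 errors to the emitting process.
$logName = 'Microsoft-Windows-Kernel-EventTracing/Admin'   # channel shown in the event details
$since   = (Get-Date).AddHours(-24)                         # assumption: 24-hour look-back

$events = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 2; StartTime = $since } `
                         -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) { Write-Output "No Event ID 2 entries since $since"; return }

$events | Group-Object -Property ProcessId | Sort-Object Count -Descending | ForEach-Object {
    $procId = [int]$_.Name
    $sorted = @($_.Group | Sort-Object TimeCreated)
    $first  = $sorted[0].TimeCreated
    $last   = $sorted[-1].TimeCreated

    # Resolve the PID against running processes; it may have exited or been reused since.
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $name   = if ($proc) { $proc.ProcessName } else { '<not running>' }
    $reused = $false
    if ($proc) {
        # A process that started after the first event cannot have logged it.
        try { $reused = $proc.StartTime -gt $first } catch { $reused = $null }  # StartTime may be denied
    }

    # Dump the EventData fields of the newest event generically (no field names assumed).
    $xml  = [xml]$sorted[-1].ToXml()
    $data = @($xml.Event.EventData.Data | ForEach-Object { '{0}={1}' -f $_.Name, $_.'#text' }) -join '; '

    [pscustomobject]@{
        ProcessId = $procId
        Process   = $name
        PidReused = $reused
        Count     = $_.Count
        First     = $first
        Last      = $last
        EventData = $data
    }
} | Format-List
```

Run it from an elevated prompt so that the channel and the process start times are readable. Because the channel is capped in size, as noted in the thread, First only reflects the oldest entry still retained.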