On Server 2012 R2 with Exchange and Intercept-X I see the eventlog full of errors caused by Sophos Network Threat Protection Agent.
One error per minute.
Fehler 04.03.2021 12:24:36 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:23:33 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:22:30 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:21:27 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:20:24 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:19:21 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:18:18 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:17:15 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:16:12 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:15:09 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:14:06 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 12:13:03 Kernel-EventTracing 2 Sitzung
Fehler 04.03.2021 10:44:40 Kernel-EventTracing 2 Sitzung
Beim Starten der Sitzung "" ist der folgende Fehler aufgetreten: 0xC0000022.
Provider
[ Name] Microsoft-Windows-Kernel-EventTracing
[ Guid] {B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}
EventID 2
Version 0
Level 2
Task 2
Opcode 12
Keywords 0x8000000000000010
- TimeCreated
[ SystemTime] 2021-03-04T09:44:40.335409100Z
EventRecordID 217122
Correlation
- Execution
[ ProcessID] 3032
[ ThreadID] 13104
Channel Microsoft-Windows-Kernel-EventTracing/Admin
Computer Exchangeserver.localdomain.de
tasklist |find "3032"
SophosNtpService.exe 3032 Services 0 29.904 K
This must be a known issue - there has been a similar thread: https://community.sophos.com/intercept-x-endpoint/f/discussions/125059/kernel-eventtracing-id2-error-in-windows-server
What's the root cause?
i-X Versions:
Hi LHerzog
Error : Session "" failed to start with the following error: 0xC0000022 | Source: Kernel-EventTracing | Event ID: 2 |Level: Error |
From reviewing the logs and seeing the error, it seems that it is not a Sophos issue, but one that is outlined in the following KB by Microsoft. Let me know if it helps. https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/kernel-event-id-2-msft-netLbfoteamnic-class
Shweta
Shweta, may I know why installing Sophos Endpoint is causing this? MS is suggesting the following:
Takeown /f c:\windows\inf
icacls c:\windows\inf /grant "NT AUTHORITY\NETWORK SERVICE":"(OI)(CI)(F)"
icacls c:\windows\inf\netcfgx.0.etl /grant "NT AUTHORITY\NETWORK SERVICE":F
icacls c:\windows\inf\netcfgx.1.etl /grant "NT AUTHORITY\NETWORK SERVICE":F
These commands grant the necessary file permissions to prevent the error logging in this scenario.
btw: changing the permissions of the files as suggested by MS does not fix the errors. Even after a reboot.
The administrative events view in Windows eventlogs is really useless now because it is flooded by this junk.
Please Sophos suggest something to get rid of this. As stated, it is caused by SophosNtpService.exe
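The two manual checks in this thread (mapping the event's ProcessID to a process with tasklist, and the permissions on the paths named in the Microsoft KB) can be scripted as below. This is an added example, not code from any poster, Sophos or Microsoft; the 24-hour window is an assumption, and it should be run from an elevated PowerShell prompt.

```powershell
# Added example. Assumption: a 24-hour look-back window.
$logName = 'Microsoft-Windows-Kernel-EventTracing/Admin'
$since   = (Get-Date).AddHours(-24)

# 1) Attribute Event ID 2 errors to the processes that logged them.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = $logName; Id = 2; StartTime = $since
} -ErrorAction SilentlyContinue)

$events | Group-Object -Property ProcessId | ForEach-Object {
    $procId = [int]$_.Name
    # A PID only identifies the logger while that process is still running;
    # PIDs are reused after a service restart or reboot.
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $sorted = @($_.Group | Sort-Object TimeCreated)
    # The hex status is locale-independent, unlike the message text around it.
    $codes  = $_.Group | ForEach-Object {
        [regex]::Matches([string]$_.Message, '0x[0-9A-Fa-f]{8}') | ForEach-Object { $_.Value }
    } | Sort-Object -Unique
    [pscustomobject]@{
        ProcessId = $procId
        Process   = if ($proc) { $proc.ProcessName } else { '(no longer running)' }
        Count     = $_.Count
        First     = $sorted[0].TimeCreated
        Last      = $sorted[-1].TimeCreated
        Status    = $codes -join ','
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize

# 2) Show what NETWORK SERVICE (well-known SID S-1-5-20) is granted on the
#    paths from the Microsoft KB. Matching by SID works on localized Windows.
#    Only direct entries are listed; access via group membership is not shown.
$sidType = [System.Security.Principal.SecurityIdentifier]
'C:\Windows\inf', 'C:\Windows\inf\netcfgx.0.etl', 'C:\Windows\inf\netcfgx.1.etl' | ForEach-Object {
    $path = $_
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Path = $path; Rights = '(path not present)'; Type = ''; Inherited = '' }
        return
    }
    $rules = @((Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq 'S-1-5-20' })
    if ($rules.Count -eq 0) {
        [pscustomobject]@{ Path = $path; Rights = '(no entry for S-1-5-20)'; Type = ''; Inherited = '' }
    }
    foreach ($r in $rules) {
        [pscustomobject]@{ Path = $path; Rights = $r.FileSystemRights; Type = $r.AccessControlType; Inherited = $r.IsInherited }
    }
} | Format-Table -AutoSize
```

The first table shows whether every Event ID 2 record comes from a single process; the second shows whether the grants from the KB are actually in effect on this server.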