This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Office 365 Apps (Word) issues saving since 2.20.4.1 update

We have a number of users who have started reporting problems saving documents from Microsoft Word since 18th November.

  • Our RMM tool reported Sophos was updated to 2.20.4.1 on 18th November
  • Users started reporting problems with MS Word on the 18th November (various errors, permissions, document not found)
  • The SophosAmsiProtection.log is also full of errors - SINCE the 18th November

2021-11-18T10:57:01.989Z [11544:11328] W Failed to convert paths to their final path. Clean-up for this AMSI scan may fail. Error: Failed to open file : The system cannot find the path specified. (3)
2021-11-18T10:57:02.523Z [11544:11328] W Failed to convert paths to their final path. Clean-up for this AMSI scan may fail. Error: Failed to open file : The system cannot find the path specified. (3)

Documents are impacted opening from Sharepoint or Local, or saving local or remote.

This is the only correlation we can find.

Another user who started reporting issues on the 19th November, had their Sophos endpoint updated to 2.20.4.1 on the 19th November.

Are there any outstanding bugs?

As a test - we have disabled ASMI Protection for this user. We will also see if we can disable endpoint protection on a known trusted document (temporarily) to reproduce or resolve the issue by having Sophos disabled.

We will also raise a ticket.



This thread was automatically locked due to age.
Parents
  • To narrow down the issue a bit further, I'd recommend trying to turn off the following 2 features in the Threat Protection Policy to see if they’re also playing a part in things. 

    - Real-time Scanning - Local Files and Network Shares  > Remote files
    - Runtime Protection > Protect from remotely run ransomware

    If disabling either of these options allows the saving of files to work normally, I'd recommend inquiring with support to see if further investigation can be done to resolve the issue. 

    An additional step you can try (if the remotely run ransomware option turned off returns good results) is deploying the Hotfix for Intercept X when re-enabling the feature. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Reply
  • To narrow down the issue a bit further, I'd recommend trying to turn off the following 2 features in the Threat Protection Policy to see if they’re also playing a part in things. 

    - Real-time Scanning - Local Files and Network Shares  > Remote files
    - Runtime Protection > Protect from remotely run ransomware

    If disabling either of these options allows the saving of files to work normally, I'd recommend inquiring with support to see if further investigation can be done to resolve the issue. 

    An additional step you can try (if the remotely run ransomware option turned off returns good results) is deploying the Hotfix for Intercept X when re-enabling the feature. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Children
  • Thanks, I’ll give that a try. In the event Ransomware protection or Remote file scanning is causing issues, would that reveal itself in the SEP logs?

    We have a custom threat protection policy for this user with AMSI off. Depending on results, we can further disable the options you suggest. Alternatively, we can do a complete reinstall. 

    The AMSI logs certainly suggest something is wrong, it’s unclear whether this is the cause or a symptom!

  • You may be able to get additional information returned by enabling verbose logging for the SAVService.

    For Intercept X, the logging information may be a bit more limited, the most information can be found when a detection is raised. The process trace will be defined in the Event Viewer logs (Event ID 911). 

    Were you able to test either of the component isolations mentioned? 

    I suspect what you're seeing in the AMSI log is a symptom, but is also likely the reason you’re running into this problem. It looks like the actual location of the saved file can not be determined. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids