Hi all,

For a few months we have been facing heavy problems with our terminal server (RDSH) in combination with Sophos Intercept X Advanced and user profile disks. The User Profile Disks (UPDs) are stored on a normal file server and are accessed through a share.

For about 2 years everything was running smoothly and stable. However, for a few months we have been facing the problem that, out of the blue, the users lose the connection to their UPDs and therefore are disconnected from the server. Actually the entire server kind of freezes and we need to reboot it.

After disabling most of the features of Sophos Intercept X the systems went back to normal. However, a few days ago we re-enabled all the security features and today we had another server crash.

We are not sure which feature is causing the trouble. According to some research on the internet it could be the Sophos hitman.alert.pro feature. Any help to narrow down the problem would be greatly appreciated.

Btw. all the servers are running Win Server 2019 with all the latest Windows updates and patches.

Thanks in advance!

Kind regards,
Aktuator
If you think it has something to do with Intercept X, then please try to run the Intercept X hotfix on the machine > restart, then observe if the problem still persists:
If that doesn't work, then try assigning the machine to the Sophos Early Access Program.
It's a subscription to future Sophos updates that haven't been rolled out yet to the recommended/default update. If the issue is unusual, we recommend trying to assign the machine first on the list > save > then do a Sophos update afterwards. Check if the problem still persists.
Hi Fernan,

Thank you for your quick reply! I will apply the hotfix and then observe if the system gets back to stable again. However, I think I will also disable some Intercept X features because there is always a high impact on the users every time the crash happens. Every unsaved piece of data is lost and users have to reboot, etc. That's a lot of wasted time and we are talking about 30 to 50 users every time the error happens.

The first time the problem occurred was in the beginning of October. So I just had a look at the Intercept X version history to find out if there was a major update during that time. However, I can only find a history of the build numbers but no information about the date when they were released. Is there a way to find that out?

Thanks again in advance!

Kind regards,
Aktuator
Please check this link for the dates Intercept X has been updated. Go to the components tab:
I'm not seeing any update under October 2021, so I'm not really sure what caused this.
If the Intercept X hotfix and Early Access Program don't work, then please message me directly so we can investigate this issue further.
Thank you, Fernan. This was very helpful!

I just double checked. The first time we had that problem was by the middle/end of September. The Intercept X / Hitman.pro version we are using at the moment was released in August. According to the Sophos homepage it can take a few weeks until the roll-out of a new version is complete. Therefore, the dates might match. My gut feeling actually tells me that we finally found the problem now. That would be really great! :-)

I will apply the hotfix in a few hours when the users aren't logged in anymore and will keep you informed. However, sometimes the systems are running for a few days without any problems. So we need to monitor and be patient.
OK, I just installed the hotfix. Let's see if it helps...
I have another question though:
Could you please explain to me what's the difference between "Sophos Central Server Intercept X" and "Sophos Intercept X for Servers"? Actually we manage our servers in Central but we have version 2.0.22 installed, which is only available in "Intercept X for Servers"... confusing
Sophos Intercept X for Servers should be your current subscription for servers.
I honestly can't find any info internally about "Sophos Central Server Intercept X".
Did you migrate your license from SEC on-prem to Central? Did you previously upgrade your license?
Or what I'm thinking is you have an old license for server protection ONLY (no Intercept X); Sophos removed the protection-only license and combined it with Intercept X.
The reason why I was asking is shown in the screenshot below.
However, your guess was right. We had an old license (purchased by the end of 2019) and got automatically upgraded to Intercept X.
Probably a naming error on whoever created that release notes :)
Because the right name, which should be "Sophos Intercept X for Servers", is actually missing on the list as well. But it should be the same.
Quick feedback. We installed the hotfix about 8 days ago and since then there has been no more crash. So every day we are getting more and more confident that it solved our problem. However, we still need to wait and monitor a few more days. I will get back to you again.
Thanks and greetings
After 3 weeks without a server crash we can be pretty sure now that the hotfix solved our problem.
Fernan, you really helped us out here, excellent support! Thanks again heaps!
I'm glad it's now working on your end :)
Bad news... we had another crash today :-(