Hi all,since a few months we are facing heavy problems with our terminal server (rdsh) in combination with Sophos Intercept X Advanced and user profile disks.The User Profile Disk (UPDs) are stored on a normal file server and are accessed through a share.For about 2 years everything was running smoothly and stable. However, since a few months we are facing the problem that out of the blue the users lose the connection to their UPDs and therefore are disconnected from the server. Actually the entire server kind of freezes and we need to reboot it.After disabling most of the features of Sophos Intercept X the systems went back to normal.However, a few days ago we re-enabled all the security features and today we had another server crash.We are not sure which feature is causing the trouble. According to some research on the internet it could be the Sophos hitman.alert.pro feature.Any help to narrow down the problem would be greatly appreciated.Btw. all the servers are running Win Server 2019 with all the latest Windows updates and patches.Thanks in advance!Kind regards,Aktuator
If you think it has something to do with interceptx, then please try to run interceptx hotfix on the machine>restart then observe if problem would still persist:
If that won't work, then try assigning the machine to sophos Early Access Program.
It's a subcription to future sophos update but hasn't been rolled-out yet to the recommended/default update. If the issue is unusual, we recommend to try assigning the machine first on the list>save>then do sophos update afterwards. Check if problem would still persist.
If this post solves your question, please use the "Verify Answer" button.
Hi Fernan,Thank you for your quick reply!I will apply the hotfix and then observe if system will get back to stable again.However, I think I will also disable some intercept x features because there is always a high impact on the users every time the crash happens…. Every unsaved data is lost and users have to reboot, etc. That’s a lot of wasted time and we are talking about 30 to 50 users every time the error happens….The first time the problem occurred was in beginning of October. So I just had a look at the Intercept X version history to find out if there was a major update during that time. However, I can only find a history of the build numbers but no information about the date when they were released. Is there a way to find that out? Thanks again in advance!Kind regards,Aktuator
Please check this link for the dates interceptx has been updated. Go to the components tab:
I'm not seeing any update under October 2021 so I'm not really sure what caused this.
If interceptx hotfix and early access program won't work, then please message me directly so we can investigate further this issue.
Thank you Fernan –This was very helpful!I just double checked. The first time we had that problem was by middle/ end of September. The Intercept X / Hitman.pro version we are using at the moment was released in August. According to the Sophos homepage it can take a few weeks until the roll out of new version is complete. Therefore, the dates might match…. My gut feeling actually tells me that we finally found the problem now….That would be really great! :-)I will apply the hotfix in a few hours when the users aren’t logged in anymore and will keep you informed. However, sometimes the systems are running for a few days without any problems. So we need to monitor and be patient.
ok, I just installed the hotfix. Let's see if it helps....
I have another question though:
Could you please explain to me whats the difference between "Sophos Central Server Intercept X" and "Sophos Intercept X for Servers"? Actually we manage our Servers in central but we have Version 2.0.22 installed which is only availabe in "Intercept X for Servers".... confusing
Sophos Intercept X for Servers should be your current subcription for servers
I honestly can't find any info internally about "Sophos Central Server Intercept X"
Did you migrate your license from SEC onprem to central? did you previously upgrade your license?
OR what I'm thinking is You have an old license regarding server protection ONLY (no interceptx) sophos removed the protection only license and combined it already with interceptx.
the reason why I was asking is shown in the screenshot below.
However, your guess was right. We had an old license (purchased by end of 2019) and got automatically upgraded to interceptX
Probably a naming error on whoever created that release notes :)
Because the right name should be "Sophos Intercept X for Servers" is actually missing on the list as well. But it should be the same.
quick feedback. We installed the hotfix about 8 days ago and since then there was no more crash. So everyday we getting more and more confident that it solved our problem. However, we still need to wait and monitor a few more days. I will get back to you again.
Thanks and greetings
after 3 weeks without a server crash we can be pretty sure now that the hotfix solved our problem.
Fernan, you helped us really out here, excellent support! Thanks again heaps!
I'm glad its now working on your end :)
bad news....we had another crash today :-(
I think this needs to be escalated now.
How often does the crash happen?
Here's my recommendation:
open this KB and follow the instructions on how to setup/get procdump on the machine the next time the crash happens
After the crash happens, generate SDU logs on the machine.
Then please contact now our supportline and give them the 2 files (procdump and SDU) so support can escalate the issue.
Hi Fernan,the servers were already configured to create a complete memory dump when the crash happens. However, the problem is that the dump files never get created.I think the reason is that the server doesn't get a BSOD, it is more like all the network connections are disconnected and the server is still running but isolated from the network. It is really a weird problem and feels like a dead endBefore we installed the hotfix the servers crashed about once or twice a week.When we disable most of the Sophos features the servers don't crash anymore.
We are running out of options on this case. Please check my reply on this thread 25 days ago on how to assign the affected machine to sophos early access program.
Try assigning the machine first on the list>save>then do sophos update afterwards then restart the machine. Check if problem would still persist.
IF problem persist then generate SDU logs on the machine and try to contact our supportline so then can escalate this issue.
I'm honestly not sure if SDU would be enough as procdump is really needed. Process monitor won't help on this scenario as well as the crash happens randomly.