Realtime protection seems to cause Outlook crash

Hello,

after updating the Sophos Central Endpoint Agent and rebooting the client, Outlook is crashing right after startup.

This problem occurred on several clients.

After a while of testing, I found out that the real-time protection is causing the issue.

When the service is disabled, Outlook works fine.

Also, I just disabled the Remote Files option in the central policy, applied it and Outlook functions as normal with real-time protection turned on.

OS: Windows 10 Pro (Build 19044.1645)

Endpoint Agent Version:

Core Agent: 2.20.13 (2.20.11 as well)

Endpoint Advanced: 10.8.11.4

Sophos Intercept X: 2.0.24

License: Intercept X Advanced with XDR

Installed Office 64-Bit: Microsoft 365 Apps for Enterprise (Version 2203 Build 16.0.15028.20228)

Is someone having the same issue?

Kind regards

Tobias

  • Same problem here too. We had a custom DLP policy, we removed all users from it so they went back to the default/baseline DLP policy (that wasn't configured) and that seems to have resolved our issue for now. We logged with Sophos who asked us to run a diagnostics tool on one of our machines but the workaround was already in place at this point and it wasn't impacting everyone for some reason - I couldn't replicate it on my own machine/profile. People who had issues opening Outlook also had issues downloading files via Chrome/IE.

    I've asked support if it's a known issue and if a fix is on the way but not heard back, also pointed them in the direction of this thread showing others having the same issue.

  • I had a call from a Sophos technician who told me that this is in fact a known issue, that will be fixed in an upcoming release.

    A temporary workaround is disabling DLP or use the Workaround from and exclude \\server\\PIPE\srvsvc.

  • But would that be for all possible values of "\\server"?  Do we need to add an exception for all file servers and DCs on the network?

  • Hi,

    do yourself a favour and create a new Threat Protection Policy and change the setting under "Real-Time-Scan local and network" to "local".
    You find the settings under "Server Protection default settings". You have to disable the checkbox "Enable all Server Protection default features".
    And if this doesn't help, consider disabling "Deep Learning". (Edit: I also had to disable "Deep Learning" on the Terminals of a customer to fix the latest performance issues; in this case I am thinking it is more the fault of the customer than of Sophos.) Here is a picture:

  • I guess it would be for any servers outlook.exe accesses over UNC.  I assume it may be just the server where the user stores their files?  Maybe a couple of file servers?  If there are too many, remote files would do it, and it should just be for a couple of weeks, I understand, until the next release.

    If the user opens the file save as, open dialog, then this could reference any file servers?