Sophos UTM: Decommissioning of obsolete URL categorization services CFFS.Click here for important info.

Thread Info
  • State Verified Answer
  • +2 person also asked this people also asked this
  • Locked Locked
  • Replies 16 replies
  • Subscribers 16 subscribers
  • Views 5282 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

InterceptX and Citrix Virtual Apps and Desktop (Daas) 7.15 lTSR

Matthew Sherman1

Since we've switched from SEP to Sophos. We've had many random issues with users connecting and receiving various connecting errors. I know that this is a Sophos issue because I removed Sophos from all of our Citrix VDAs and all problems go away. last night I added Sophos back to 2 of our 6 VDAs and all of today's errors are from the 2 that have Sophos installed

I added all of the exclusions recommended by Citrix from the following link, even the one that don't apply to our environment. I made sure that the policy applied to the 2 servers that have Sophos installed. 

https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html

Lastly, we are using UPM (profile management) so I attempted to disable the following scan, but the registry entry does not exist in our environment 

https://support.citrix.com/article/CTX238012

I'm sure I can't be the only person experiencing this issue. 

Any assistance would be greatly appreciated.

Matthew Sherman



This thread was automatically locked due to age.
Parents
  • 0

    since our customers got the new Sophos architecture we have similar trouble.

    Our Citrix Servers Windows 2019 1912CU5LTSR are not able to unload profiles. NTUser.dat and other Profile files stay opened until the next reboot.

    After 2-3 Days uptime the Server get unresponsive and must get an reset.

    Citrix Session get unexpectly disconnected.

    I have raised a ticket by the global support and hope to get a solution for this.

  • +1 in reply to DennySchneider

    Excluding the profilemanager process and the gpo - Computer Configuration > Administrative Templates > System > Group Policy > Continue experiences on this device

    was the solution for us!

Reply Children
  • 0 in reply to DennySchneider

    Thanks for the feedback! I've shared this with our team to help with our investigation.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • 0 in reply to DennySchneider

    Sorry quick question but how did you exclude a GPO?

  • 0 in reply to Christian Eichinger

    Exclude the profilemanager and ADD the GPO ........

  • 0 in reply to DennySchneider

    I believe the key thing is to exclude UserProfileManager.exe first as real-time process scanning exclusion.  This ensures that processes under the user profiles launch OK. 

    To ensure the profiles are cleared up on session exit, you have to exclude UserProfileManager.exe again as a process in the hashing exclusions as well.  This is one of the exclusion types in the drop down. 

    I suspect the GPO mentioned just prevents one process and one log from persisting but the 2 exclusions should resolve both issues.

    When I looked into this, I saw there were 4 handles for each of the remaining files that couldn't be removed due to a sharing violation according to the log file of UserProfileManager.exe. These handles are open by the System process so you would therefore expect a driver to have left the handles open.  Unloading SophosED.sys driver from the system process did not free these handles so I suspect upmjit.sys could be the issue, and a handle trace shows this is the driver that opened up the handles that remain open as part of work done by UserProfileManager.exe.

    Does this help?

  • 0 in reply to Sophos User930

    I am curious to know if others found having these 2 exclusion helps. It would confirm my setup.  Thanks.

    Confirm that the policy has arrived by checking:

    OnAccessExcludeProcessPaths under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config contains UserProfileManager.exe

    JournalExcludeHashingProcessFilePaths under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Config contains UserProfileManager.exe

    The full path to the exe should probably be used so please adjust.

    --

    Then in C:\Windows\System32\LogFiles\UserProfileManager\[logname]_pm.log

    Hopefully there are no more messages like the following at log-off:

    ERROR;;;;6376;DeleteAnyFile: Deleting the file <C:\Users\testuser3\ntuser.ini> failed with: The process cannot access the file because it is being used by another process.

    INFORMATION;QACITRIX;testuser3;6;11260;ProcessLogoff: Failed to delete the locally cached user profile. Added it to the pending delete list: C:\Users\testuser3

    Thanks.

  • 0 in reply to Sophos User930

    Hi,

    is the "hashing exclusion" necessary?

    We added only "process(windows)" exclusion type.

  • 0 in reply to Rho82

    Did you have any issues with user profile directories being cleaned up on the server when sessions disconnect/logoff? e.g. "C:\users\user1\".

    If not, I guess it doesn't matter for you. 

    The hashing exclusions only make sense if journaling is enabled on the computer.  It will be, if the Enable DWORD  is set to 1 under any of the following:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\CORE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\EDR
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\RCA
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\FIM

    If only one of the above is enabled then journaling is enabled.  If all are Enable = 0 then it wouldn't matter about the hashing exclusions. Thanks.

Unfiltered HTML