Since we've switched from SEP to Sophos. We've had many random issues with users connecting and receiving various connecting errors. I know that this is a Sophos issue because I removed Sophos from all of our Citrix VDAs and all problems go away. last night I added Sophos back to 2 of our 6 VDAs and all of today's errors are from the 2 that have Sophos installed
I added all of the exclusions recommended by Citrix from the following link, even the one that don't apply to our environment. I made sure that the policy applied to the 2 servers that have Sophos installed.
https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html
Lastly, we are using UPM (profile management) so I attempted to disable the following scan, but the registry entry does not exist in our environment
https://support.citrix.com/article/CTX238012
I'm sure I can't be the only person experiencing this issue.
Any assistance would be greatly appreciated.
Matthew Sherman
since our customers got the new Sophos architecture we have similar trouble.
Our Citrix Servers Windows 2019 1912CU5LTSR are not able to unload profiles. NTUser.dat and other Profile files stay opened until the next reboot.
After 2-3 Days uptime the Server get unresponsive and must get an reset.
Citrix Session get unexpectly disconnected.
I have raised a ticket by the global support and hope to get a solution for this.
Excluding the profilemanager process and the gpo - Computer Configuration > Administrative Templates > System > Group Policy > Continue experiences on this device
was the solution for us!
Thanks for the feedback! I've shared this with our team to help with our investigation.
Sorry quick question but how did you exclude a GPO?
Exclude the profilemanager and ADD the GPO ........
I believe the key thing is to exclude UserProfileManager.exe first as real-time process scanning exclusion. This ensures that processes under the user profiles launch OK.
To ensure the profiles are cleared up on session exit, you have to exclude UserProfileManager.exe again as a process in the hashing exclusions as well. This is one of the exclusion types in the drop down.
I suspect the GPO mentioned just prevents one process and one log from persisting but the 2 exclusions should resolve both issues.
When I looked into this, I saw there were 4 handles for each of the remaining files that couldn't be removed due to a sharing violation according to the log file of UserProfileManager.exe. These handles are open by the System process so you would therefore expect a driver to have left the handles open. Unloading SophosED.sys driver from the system process did not free these handles so I suspect upmjit.sys could be the issue, and a handle trace shows this is the driver that opened up the handles that remain open as part of work done by UserProfileManager.exe.
Does this help?
I am curious to know if others found having these 2 exclusion helps. It would confirm my setup. Thanks.
Confirm that the policy has arrived by checking:OnAccessExcludeProcessPaths under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config contains UserProfileManager.exe
JournalExcludeHashingProcessFilePaths under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Config contains UserProfileManager.exe
The full path to the exe should probably be used so please adjust.
--
Then in C:\Windows\System32\LogFiles\UserProfileManager\[logname]_pm.log
Hopefully there are no more messages like the following at log-off:
ERROR;;;;6376;DeleteAnyFile: Deleting the file <C:\Users\testuser3\ntuser.ini> failed with: The process cannot access the file because it is being used by another process.
INFORMATION;QACITRIX;testuser3;6;11260;ProcessLogoff: Failed to delete the locally cached user profile. Added it to the pending delete list: C:\Users\testuser3
Thanks.
Hi,
is the "hashing exclusion" necessary?
We added only "process(windows)" exclusion type.
Did you have any issues with user profile directories being cleaned up on the server when sessions disconnect/logoff? e.g. "C:\users\user1\".If not, I guess it doesn't matter for you.
The hashing exclusions only make sense if journaling is enabled on the computer. It will be, if the Enable DWORD is set to 1 under any of the following:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\COREHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\EDRHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\RCAHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\FIMIf only one of the above is enabled then journaling is enabled. If all are Enable = 0 then it wouldn't matter about the hashing exclusions. Thanks.