
InterceptX and Citrix Virtual Apps and Desktops (DaaS) 7.15 LTSR

Since we switched from SEP to Sophos, we've had many random issues with users connecting and receiving various connection errors. I know that this is a Sophos issue because I removed Sophos from all of our Citrix VDAs and all problems went away. Last night I added Sophos back to 2 of our 6 VDAs, and all of today's errors are from the 2 that have Sophos installed.

I added all of the exclusions recommended by Citrix from the following link, even the ones that don't apply to our environment. I made sure that the policy applied to the 2 servers that have Sophos installed.

https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html

Lastly, we are using UPM (Profile Management), so I attempted to disable the following scan, but the registry entry does not exist in our environment:

https://support.citrix.com/article/CTX238012

I'm sure I can't be the only person experiencing this issue. 

Any assistance would be greatly appreciated.

Matthew Sherman



  • Exclude the profile manager and ADD the GPO...

  • I believe the key thing is to exclude UserProfileManager.exe first as a real-time process scanning exclusion. This ensures that processes under the user profiles launch OK.

    To ensure the profiles are cleaned up on session exit, you have to exclude UserProfileManager.exe again as a process in the hashing exclusions as well. This is one of the exclusion types in the drop-down.

    I suspect the GPO mentioned just prevents one process and one log from persisting but the 2 exclusions should resolve both issues.

    When I looked into this, I saw there were 4 handles for each of the remaining files that couldn't be removed due to a sharing violation, according to the log file of UserProfileManager.exe. These handles are open by the System process, so you would therefore expect a driver to have left the handles open. Unloading the SophosED.sys driver from the System process did not free these handles, so I suspect upmjit.sys could be the issue, and a handle trace shows this is the driver that opened the handles that remain open as part of work done by UserProfileManager.exe.

    Does this help?

  • I am curious to know if others found that having these 2 exclusions helps. It would confirm my setup. Thanks.

    Confirm that the policy has arrived by checking:

    OnAccessExcludeProcessPaths under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config contains UserProfileManager.exe

    JournalExcludeHashingProcessFilePaths under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Config contains UserProfileManager.exe

    The full path to the exe should probably be used, so please adjust.

    --

    Then in C:\Windows\System32\LogFiles\UserProfileManager\[logname]_pm.log

    Hopefully there are no more messages like the following at log-off:

    ERROR;;;;6376;DeleteAnyFile: Deleting the file <C:\Users\testuser3\ntuser.ini> failed with: The process cannot access the file because it is being used by another process.

    INFORMATION;QACITRIX;testuser3;6;11260;ProcessLogoff: Failed to delete the locally cached user profile. Added it to the pending delete list: C:\Users\testuser3

    Thanks.

  • Hi,

    Is the "hashing exclusion" necessary?

    We added only the "process (Windows)" exclusion type.

  • Did you have any issues with user profile directories being cleaned up on the server when sessions disconnect/log off? e.g. "C:\users\user1\".

    If not, I guess it doesn't matter for you. 

    The hashing exclusions only make sense if journaling is enabled on the computer. It will be if the Enable DWORD is set to 1 under any of the following:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\CORE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\EDR
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\RCA
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\FIM

    If even one of the above is enabled, then journaling is enabled. If all are Enable = 0, then the hashing exclusions wouldn't matter. Thanks.
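The checks described in the two replies above (that the two exclusion values contain UserProfileManager.exe, whether any of the four EventJournal feature keys has Enable = 1, and whether the UPM log still shows delete failures at log-off) can be run together from one read-only PowerShell script. This is an added example, not a script from the thread or from Sophos or Citrix; the registry paths, value names and log location are the ones quoted in the replies, while the assumption that the exclusion values are REG_SZ or REG_MULTI_SZ and the log patterns are taken from the quoted log lines.

```powershell
# Added example, not part of the thread: read-only checks for the Sophos
# exclusion values, the EventJournal feature state, and UPM log delete failures.
# Run in an elevated PowerShell session on a VDA; nothing is modified.

$sed = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense'

# Value name -> key path, exactly as named in the replies above.
$exclusionValues = @{
    'OnAccessExcludeProcessPaths'           = "$sed\Scanning\Config"
    'JournalExcludeHashingProcessFilePaths' = "$sed\EventJournal\Config"
}

function Test-UpmExclusion {
    param([string]$KeyPath, [string]$ValueName, [string]$Needle = 'UserProfileManager.exe')
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $false }
    $item = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.$ValueName) { return $false }
    # Assumption: the value is REG_SZ or REG_MULTI_SZ; flatten either form.
    $entries = @($item.$ValueName) -join "`n"
    return ($entries -match [regex]::Escape($Needle))
}

'== Exclusion values =='
foreach ($name in $exclusionValues.Keys) {
    $present = Test-UpmExclusion -KeyPath $exclusionValues[$name] -ValueName $name
    '{0,-40} {1}' -f $name, $(if ($present) { 'contains UserProfileManager.exe' } else { 'MISSING' })
}

'== EventJournal features =='
# Journaling is on if Enable = 1 under any of these feature keys.
$journaling = $false
foreach ($feature in 'CORE', 'EDR', 'RCA', 'FIM') {
    $key = "$sed\EventJournal\Features\$feature"
    $enable = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Enable
    'Features\{0,-5} Enable = {1}' -f $feature, $(if ($null -eq $enable) { '(key or value absent)' } else { $enable })
    if ($enable -eq 1) { $journaling = $true }
}
if ($journaling) { 'Journaling is enabled: the hashing exclusion is needed.' }
else { 'Journaling is disabled: the hashing exclusion is not required.' }

'== UPM log delete failures (last 20) =='
# Look for the two log-off messages quoted in the thread.
$logDir = 'C:\Windows\System32\LogFiles\UserProfileManager'
if (Test-Path -LiteralPath $logDir) {
    Get-ChildItem -LiteralPath $logDir -Filter '*_pm.log' |
        Select-String -Pattern 'DeleteAnyFile: Deleting the file .* failed with',
                               'Failed to delete the locally cached user profile' |
        Select-Object -Last 20 |
        ForEach-Object { '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line.Trim() }
} else {
    "UPM log directory not found: $logDir"
}
```

If the first section reports MISSING, the policy has not arrived yet or the exclusion is typed differently in the console; if the last section is empty after a test log-off, the profile clean-up problem described above is resolved on that VDA.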