For a couple of weeks we had a problem on just 3-4 of our Windows 10 computers where they would randomly not process PDFs uploaded to SRFax.com. You select the PDF from your computer and it would just spin in the browser as "processing" and after quite a while just fail. To make a long troubleshooting story short, it looks like the cause of this issue was the Intercept X client. As soon as it's uninstalled, the problem goes away and all uploaded PDFs process normally. I had checked all the Intercept X logs and not seen any activity related to these computers or SRFax, so I had dismissed it as a cause early on. When I began to suspect Intercept X, I even tried the 4-hour bypass and the problem still persisted; it's only when fully uninstalled that the problem goes away. We have been running Intercept X now for months and it's only in the last 2 weeks at one office that this started happening.
If anybody has any ideas, let me know. I want to get the client reinstalled on these computers of course but the staff can't function with this issue. The only thing I can do now is maybe do a clean install of Windows 10 on these computers and then try Intercept X again and see what happens, maybe just some random corruption?
Thanks for reaching out to the Sophos Community Forum.
When you selected the 4-hour policy override, did you try turning off all scanning features? Is there anything else on the network that's performing network filtering in addition to Sophos installed on the endpoints?
If component isolation did not yield better results, you could also try driver isolation using the following steps. This will isolate the Intercept X/HitmanPro driver specifically.
HMPA Isolation:
a) Access the Services and stop then disable the following service: HitmanPro.Alert service
b) Access the following folder: C:\Windows\System32\
c) Rename hmpalert.dll to hmpalert.orig
d) Access the following folder: C:\Windows\SysWOW64\
e) Rename hmpalert.dll to hmpalert.orig
f) Reboot the computer
I did not disable any scanning features when I tried the override. Nothing else should be filtering and the only change we had made to security in the last year was the Intercept X client but it had been running for months before this issue started. So if I do the driver isolation for the HitmanPro driver, that will basically just tell me if it's Hitman causing the problem, correct? I have not had time to get back on this yet but I'll try a reinstall and isolation soon.
That's correct, the steps I mentioned will remove the driver responsible for the protection features listed under "Runtime Protection" in the Threat Protection Policy from Sophos Central.
If you haven't tried disabling components through the local policy override, I'd suggest doing that first, as removing the driver entirely will significantly reduce the level of protection you have. The following article describes how to test with the local policy override in further detail.
- Sophos Central Endpoint: Basic troubleshooting
Hey I know this has been a while but I hadn't had any time to sit down and test this issue but now it appears other workstations and other offices are having the same random issue when uploading files to SRFax. I'm going to try and sit down at a computer today and try disabling components to see if I can identify which one is causing the interference, but my next question is if I can figure out which one it is, then what? This is a very bizarre bug for an AV client, how would we address this without disabling a key feature of Intercept-X?
So I disabled the components one by one and nothing appeared to make any difference. It's random but eventually I'd come across some PDFs that won't upload to SRFax. I was going to try disabling the HitmanPro driver but I'm unable to stop the service because it's not an option due to lack of permission even as an admin. How do I stop the HitmanPro service?
You’ll need to have Tamper Protection disabled to interact with the services.
If you'd like to take things further in using the driver isolation steps I mentioned previously, you’ll also need to stop Sophos from updating, as the self-repair operations may re-load the driver.
Qoosh said:
HMPA Isolation:
a) Access the Services and stop then disable the following service: HitmanPro.Alert service
b) Access the following folder: C:\Windows\System32\
c) Rename hmpalert.dll to hmpalert.orig
d) Access the following folder: C:\Windows\SysWOW64\
e) Rename hmpalert.dll to hmpalert.orig
f) Reboot the computer
I will follow up with you via PM.