Windows Server 2019: Network Threat Protection causes RDS system lockup requiring restart


We are also getting this issue on our RDS servers running windows server 2019, after a few days the vm fully locks up and the only fix there on out is to turn it off in hyper v and turn it back on. Disabling Network threat protection fixes that issue, we have had no reoccurances since then

Split comment into new forum post, added TAGs
[edited by: Qoosh at 6:23 PM (GMT -7) on 4 Oct 2022]
Parents Reply Children
  • Thanks for adding to the discussion!

    If you can replicate this issue, I suggest opening a support case so our team can take a closer look. 

    I suggest using the article linked in my previous comment to force a system crash if possible so that our team can see exactly what is loaded into the system at the time of lock-up.

    If you can also provide an SDU from one of the devices where this issue has occurred previously, this will help us to gather some initial information. Please provide me with the case ID either here or via PM so I can follow up on this.

    Kushal Lakhan
    Global Community Support Engineer
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Same issue here.  SDU has been provided.  Case ID:  05698133 

  • Multiple SDUs have been provided. Case ID: #05632664

  • The NTP Service being stuck in a starting state is interesting, I wonder if this is related?

    I've seen this with a bug in a Redhat network driver and another NIC driver affecting the registering of WFP filters. So the SophosNTPService.exe process gets stuck in a WFP call. 

    It is only registering with WFP to enable the WFP filters for web protection/Control.  With those features disabled it shouldn't perform this task.

    Are you able to test if you get the issue with "Web Control" AND "Scan downloads in progress" AND "Block access to malicious websites", I.e. in the Threat Protection policy applied to the server disabled these 2:

    Then in the web control policy applied to the server, if enabled disable this:

    Check at the client that SophosNetFilter.exe has stopped.  This is evidence of the features being disabled. All 3 need to be disabled for SophosNetFilter.exe to stop running.

    Then restart the Sophos Network Threat Protection service.  This will ensure all WFP callout registrations are removed.

    Does the problem occur from this state?  If so, it suggest to me an issue with this feature/WFP.