
SSP.log rotation and E Failed to raise async: Error converting user SID to string. Windows error code : 1337

I was checking the SSP.log recently in C:\ProgramData\Sophos\Endpoint Defense\Logs\.

According to https://support.sophos.com/support/s/article/KB-000038787?language=en_US this file should have a log rotation of 5 files.

On Windows Server endpoints: there is only a single SSP.log file. The only file with log rotation of 5 is sed.log.

 Directory of C:\ProgramData\Sophos\Endpoint Defense\Logs

13.07.2023  14:41    <DIR>          Low
07.08.2023  18:53    <DIR>          Perf
07.08.2023  15:58           149.270 sam.log
08.08.2023  11:17         1.538.457 sed.log
07.08.2023  15:58        10.489.630 sed1.log
02.08.2023  00:21        10.485.968 sed2.log
27.07.2023  11:22        10.485.832 sed3.log
23.07.2023  01:29        10.486.366 sed4.log
08.08.2023  10:53            90.726 seds.log
05.08.2023  23:56         1.902.674 SophosScanCoordinator.log
15.07.2023  05:00                 0 SophosScanCoordinator.log.lock
08.08.2023  11:16         4.664.467 SSP.log
              10 File(s)     50.293.390 bytes

On Windows Client Endpoints: there are only two SSP.log files. The only file with log rotation of 5 is again sed.log.

 Directory of C:\ProgramData\Sophos\Endpoint Defense\Logs

09.12.2021  14:42    <DIR>          Low
07.08.2023  15:56    <DIR>          Perf
07.08.2023  15:16           214.124 sam.log
08.08.2023  11:18        10.466.001 sed.log
24.07.2023  10:14        10.485.820 sed1.log
06.07.2023  20:04        10.488.409 sed2.log
21.06.2023  14:45        10.485.830 sed3.log
17.05.2023  10:02        10.508.978 sed4.log
08.08.2023  11:03           404.775 seds.log
17.03.2023  09:46         1.049.703 seds1.log
07.08.2023  09:11             6.720 sna.log
21.07.2023  08:04            66.544 sna1.log
09.12.2022  20:16            57.094 sna2.log
05.08.2022  08:05            61.872 sna3.log
08.04.2022  08:10            52.364 sna4.log
14.11.2022  14:53            46.928 SophosScanCoordinator.log
15.12.2021  18:50                 0 SophosScanCoordinator.log.lock
01.08.2023  09:43        21.603.499 SSP.1.log
07.08.2023  18:04           160.313 SSP.log

Is the documentation incorrect or the behaviour of all our endpoints?

Also on Windows Servers it contains a high count of always repeating errors:

E Failed to raise async: Error converting user SID to string. Windows error code : 1337

Log snip:

2023-08-08T08:09:03.522Z [ 3332:12504] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-08T08:09:40.326Z [ 3332:12504] E Failed to raise a FileScanned event error: Error converting user SID to string. Windows error code : 1337 for file: C:\Windows\System32\drivers\WUDFRd.sys
2023-08-08T08:09:40.327Z [ 3332:12504] E Failed to raise async: Error converting user SID to string. Windows error code : 1337
2023-08-08T08:09:40.332Z [ 3332:12848] E Failed to raise a FileScanned event error: Error converting user SID to string. Windows error code : 1337 for file: C:\Windows\apppatch\drvmain.sdb
2023-08-08T08:09:40.332Z [ 3332:12848] E Failed to raise async: Error converting user SID to string. Windows error code : 1337
2023-08-08T08:09:40.376Z [ 3332:12352] E Failed to raise a FileScanned event error: Error converting user SID to string. Windows error code : 1337 for file: C:\Windows\System32\drivers\IndirectKmd.sys
2023-08-08T08:09:40.377Z [ 3332:12352]  to raise async: Error converting user SID to string. Windows error code : 1337
2023-08-08T08:14:06.868Z [ 3332:12344] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.

C:\Windows\System32\drivers>cacls WUDFPf.sys
C:\Windows\System32\drivers\WUDFPf.sys NT SERVICE\TrustedInstaller:F
                                       BUILTIN\Administrators:R
                                       NT AUTHORITY\SYSTEM:R
                                       BUILTIN\Users:R
                                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R
                                       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R


C:\Windows\System32\drivers>icacls WUDFPf.sys
WUDFPf.sys NT SERVICE\TrustedInstaller:(F)
           BUILTIN\Administrators:(RX)
           NT AUTHORITY\SYSTEM:(RX)
           BUILTIN\Users:(RX)
           APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
           APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)

Successfully processed 1 files; Failed processing 0 files

What's this error all about? The 2 drivers are unsigned drivers, which looks to be normal. Looks to me like the request to resolve the SID is not implemented correctly.
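To see how noisy this error really is, and whether it clusters on particular files or scanner threads, here is an added Python example (not from Sophos or the original post) that parses lines in the SSP.log format quoted above. The sample log is constructed from the snippet in the post, and the mapping of code 1337 to ERROR_INVALID_SID is taken from winerror.h.

```python
import re
from collections import Counter
# Constructed sample: the same line shapes as the SSP.log snippet in the post,
# including the one truncated line (missing its "E Failed" prefix) shown there.
SAMPLE_LOG = r"""
2023-08-08T08:09:03.522Z [ 3332:12504] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-08T08:09:40.326Z [ 3332:12504] E Failed to raise a FileScanned event error: Error converting user SID to string. Windows error code : 1337 for file: C:\Windows\System32\drivers\WUDFRd.sys
2023-08-08T08:09:40.327Z [ 3332:12504] E Failed to raise async: Error converting user SID to string. Windows error code : 1337
2023-08-08T08:09:40.332Z [ 3332:12848] E Failed to raise a FileScanned event error: Error converting user SID to string. Windows error code : 1337 for file: C:\Windows\apppatch\drvmain.sdb
2023-08-08T08:09:40.332Z [ 3332:12848] E Failed to raise async: Error converting user SID to string. Windows error code : 1337
2023-08-08T08:09:40.376Z [ 3332:12352] E Failed to raise a FileScanned event error: Error converting user SID to string. Windows error code : 1337 for file: C:\Windows\System32\drivers\IndirectKmd.sys
2023-08-08T08:09:40.377Z [ 3332:12352]  to raise async: Error converting user SID to string. Windows error code : 1337
2023-08-08T08:14:06.868Z [ 3332:12344] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) \[\s*(?P<pid>\d+):(?P<tid>\d+)\]\s+(?:(?P<level>[A-Z]) )?(?P<msg>.*)$")
SID_ERR_RE = re.compile(r"Error converting user SID to string\. Windows error code : (?P<code>\d+)"
                        r"(?: for file: (?P<path>.+))?$")
WIN32_ERROR_NAMES = {1337: "ERROR_INVALID_SID"}  # winerror.h: the SID structure is invalid

def parse_line(line):
    """Split one SSP.log line into ts, pid, tid, level (None if truncated) and msg."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize_sid_errors(log_text):
    """Count 'Error converting user SID to string' failures by error name, file and thread."""
    s = {"lines": 0, "unparsed": 0, "missing_level": 0, "sid_errors": 0, "first": None,
         "last": None, "by_code": Counter(), "by_file": Counter(), "by_thread": Counter()}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        s["lines"] += 1
        rec = parse_line(raw)
        if rec is None:
            s["unparsed"] += 1       # unknown line shape: count it rather than drop it silently
            continue
        if rec["level"] is None:
            s["missing_level"] += 1  # truncated line, but the message may still carry the error
        err = SID_ERR_RE.search(rec["msg"])
        if not err:
            continue
        code = int(err.group("code"))
        s["sid_errors"] += 1
        s["by_code"][WIN32_ERROR_NAMES.get(code, f"code {code}")] += 1
        s["by_thread"][rec["tid"]] += 1
        if err.group("path"):        # FileScanned failures name the file; the async ones do not
            s["by_file"][err.group("path")] += 1
        s["first"], s["last"] = s["first"] or rec["ts"], rec["ts"]
    return s
```

Run it over a real SSP.log (`summarize_sid_errors(open(path, encoding="utf-8", errors="replace").read())`) to see whether the failures hit only a handful of system files or every scanned file, which is the kind of detail worth attaching to a support case.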



Hi LHerzog,

I turned on Debug logging on "SSPService.exe" from the ESH tool and triggered a full system scan to verify that it behaves correctly. The log files are rotating out correctly on my end, could you give this a try?

Regarding the error you're seeing in the logs: when checking the cases we have opened internally, this looks to be more of a symptom than an issue. I wasn't able to locate anything definitive related to the exact logs you shared here.

Are you seeing any odd behaviour which could be related?

Kushal Lakhan
Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.
The New Home of Sophos Support Videos! Visit Sophos Techvids