I was checking the SSP.log recently in C:\ProgramData\Sophos\Endpoint Defense\Logs\.
According to https://support.sophos.com/support/s/article/KB-000038787?language=en_US this file should have a log rotation of 5 files.
On Windows Server endpoints: there is only a single SSP.log file. The only file with log rotation of 5 is sed.log.
Directory of C:\ProgramData\Sophos\Endpoint Defense\Logs

13.07.2023 14:41 <DIR> Low
07.08.2023 18:53 <DIR> Perf
07.08.2023 15:58 149.270 sam.log
08.08.2023 11:17 1.538.457 sed.log
07.08.2023 15:58 10.489.630 sed1.log
02.08.2023 00:21 10.485.968 sed2.log
27.07.2023 11:22 10.485.832 sed3.log
23.07.2023 01:29 10.486.366 sed4.log
08.08.2023 10:53 90.726 seds.log
05.08.2023 23:56 1.902.674 SophosScanCoordinator.log
15.07.2023 05:00 0 SophosScanCoordinator.log.lock
08.08.2023 11:16 4.664.467 SSP.log
10 File(s) 50.293.390 bytes
On Windows Client Endpoints: there are only two SSP.log files. The only file with log rotation of 5 is again sed.log.
Directory of C:\ProgramData\Sophos\Endpoint Defense\Logs

09.12.2021 14:42 <DIR> Low
07.08.2023 15:56 <DIR> Perf
07.08.2023 15:16 214.124 sam.log
08.08.2023 11:18 10.466.001 sed.log
24.07.2023 10:14 10.485.820 sed1.log
06.07.2023 20:04 10.488.409 sed2.log
21.06.2023 14:45 10.485.830 sed3.log
17.05.2023 10:02 10.508.978 sed4.log
08.08.2023 11:03 404.775 seds.log
17.03.2023 09:46 1.049.703 seds1.log
07.08.2023 09:11 6.720 sna.log
21.07.2023 08:04 66.544 sna1.log
09.12.2022 20:16 57.094 sna2.log
05.08.2022 08:05 61.872 sna3.log
08.04.2022 08:10 52.364 sna4.log
14.11.2022 14:53 46.928 SophosScanCoordinator.log
15.12.2021 18:50 0 SophosScanCoordinator.log.lock
01.08.2023 09:43 21.603.499 SSP.1.log
07.08.2023 18:04 160.313 SSP.log
Is the documentation incorrect or the behaviour of all our endpoints?
Also, on Windows Servers it contains a high count of constantly repeating errors:
E Failed to raise async: Error converting user SID to string. Windows error code : 1337
Log snip:
2023-08-08T08:09:03.522Z [ 3332:12504] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-08T08:09:40.326Z [ 3332:12504] E Failed to raise a FileScanned event error: Error converting user SID to string. Windows error code : 1337 for file: C:\Windows\System32\drivers\WUDFRd.sys
2023-08-08T08:09:40.327Z [ 3332:12504] E Failed to raise async: Error converting user SID to string. Windows error code : 1337
2023-08-08T08:09:40.332Z [ 3332:12848] E Failed to raise a FileScanned event error: Error converting user SID to string. Windows error code : 1337 for file: C:\Windows\apppatch\drvmain.sdb
2023-08-08T08:09:40.332Z [ 3332:12848] E Failed to raise async: Error converting user SID to string. Windows error code : 1337
2023-08-08T08:09:40.376Z [ 3332:12352] E Failed to raise a FileScanned event error: Error converting user SID to string. Windows error code : 1337 for file: C:\Windows\System32\drivers\IndirectKmd.sys
2023-08-08T08:09:40.377Z [ 3332:12352] to raise async: Error converting user SID to string. Windows error code : 1337
2023-08-08T08:14:06.868Z [ 3332:12344] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
C:\Windows\System32\drivers>cacls WUDFPf.sys
C:\Windows\System32\drivers\WUDFPf.sys NT SERVICE\TrustedInstaller:F
                                       BUILTIN\Administrators:R
                                       NT AUTHORITY\SYSTEM:R
                                       BUILTIN\Users:R
                                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R
                                       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R

C:\Windows\System32\drivers>icacls WUDFPf.sys
WUDFPf.sys NT SERVICE\TrustedInstaller:(F)
           BUILTIN\Administrators:(RX)
           NT AUTHORITY\SYSTEM:(RX)
           BUILTIN\Users:(RX)
           APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
           APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)

Successfully processed 1 files; Failed processing 0 files
What's this error all about? The 2 drivers are unsigned drivers, which looks to be normal. Looks to me like the request to resolve the SID is not implemented correctly.
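An added example, not from the original post and not Sophos code: a small Python triage script that parses SSP.log lines in the layout shown in the snip, counts the "E" lines per Windows error code and lists the files each was raised for, so a repeating error can be reduced to one summary line. The line layout regex is inferred from the snip above, and the only fact it adds is the code-to-name mapping from winerror.h (1337 = ERROR_INVALID_SID, "The security ID structure is invalid").

```python
import re
from collections import Counter
from typing import Optional

# Line layout seen in SSP.log: "<timestamp>Z [ <pid>:<tid>] <level> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+Z)\s+\[\s*(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<level>[A-Z])\s+(?P<msg>.*)$"
)
WINERR_RE = re.compile(r"Windows error code\s*:\s*(?P<code>\d+)")
FILE_RE = re.compile(r"for file:\s*(?P<path>\S.*)$")
WINERR_NAMES = {1337: "ERROR_INVALID_SID"}  # Win32 system error code names (winerror.h)

def parse_line(line: str) -> Optional[dict]:
    """Split one SSP.log line into fields; None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    err = WINERR_RE.search(m["msg"])
    fil = FILE_RE.search(m["msg"])
    return {"ts": m["ts"], "pid": int(m["pid"]), "tid": int(m["tid"]),
            "level": m["level"], "msg": m["msg"],
            "win_error": int(err["code"]) if err else None,
            "path": fil["path"] if fil else None}

def error_name(code: int) -> str:
    return f"{code} ({WINERR_NAMES.get(code, 'unknown')})"

def summarize(lines):
    """Count 'E' lines per Windows error code and collect the files each was raised for."""
    by_code, files = Counter(), {}
    for ev in filter(None, map(parse_line, lines)):
        if ev["level"] != "E" or ev["win_error"] is None:
            continue
        by_code[ev["win_error"]] += 1
        if ev["path"]:
            files.setdefault(ev["win_error"], set()).add(ev["path"])
    return by_code, files

# Sample input: five lines reproduced from the log snip in the post above.
SAMPLE = r"""
2023-08-08T08:09:03.522Z [ 3332:12504] A File C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe is controlled app Microsoft Powershell.
2023-08-08T08:09:40.326Z [ 3332:12504] E Failed to raise a FileScanned event error: Error converting user SID to string. Windows error code : 1337 for file: C:\Windows\System32\drivers\WUDFRd.sys
2023-08-08T08:09:40.327Z [ 3332:12504] E Failed to raise async: Error converting user SID to string. Windows error code : 1337
2023-08-08T08:09:40.332Z [ 3332:12848] E Failed to raise a FileScanned event error: Error converting user SID to string. Windows error code : 1337 for file: C:\Windows\apppatch\drvmain.sdb
2023-08-08T08:09:40.332Z [ 3332:12848] E Failed to raise async: Error converting user SID to string. Windows error code : 1337
""".strip().splitlines()

if __name__ == "__main__":
    counts, paths = summarize(SAMPLE)
    for code, n in counts.items():
        print(f"{error_name(code)}: {n} error lines; files: {sorted(paths.get(code, []))}")
```

Point it at the real file with `summarize(open(path, encoding="utf-8", errors="replace"))` to see whether the repeats are confined to a handful of driver files or spread across the whole scan.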