Issues with server protection on file server

Hello,

This is odd and not something that I have seen reported previously. Server Protection forum: https://community.sophos.com/products/server-protection-integration/

You suspect that this is the CryptoGuard protection; it has local and remote protection options. If a remote attack is detected then write access of the offending IP address is blocked, however the read access is still permitted and so I wouldnt expect the browsing of the share to hang. Note: If users access via a proxy, then we might be blocking access to the proxy IP which would impact all users.

To test this, you could disable CryptoGuardSMB on the file server. However, before you were to do that, I would expect there to be alerts on the file server than CryptoGuard has had a detection; you can clear the alert with 'Mark as Resolved' which will grant write access agian - at least until another detection is made. Again, I would ensure that this is not an actial ransomware attack before allowing the offending IPs access to the file server.

Regards,

Stephen

On Friday afternoon I was able to get the problem to happen with the test traffic I was generating.  This time I did get an alert in the web console that CryptoGuard triggered.  This is the first time I actually got an alert.  The alert said it blocked write access from detected IP address but it really blocked read/write to everything. 

I went to the console and resolved the alert.  The server started working for a very short time after that.  I had enough time to test from one device after it was cleared but by the time I tried a second device the server was back to blocking everything again. 

In the Windows event log I can see where it triggered for the one device and where it was cleared but no other alerts were logged. 

I know during the sales demo there was a tool to trigger CryptoGuard.  I am hoping support will be able to provide that tool so I can quickly test to see if just triggering CryptoGuard will cause the problem. 

We are having the same issue on a Server 2008R2 file server. It must have been an update from Sophos that triggered it because it was running fine until a week ago.  We were able to remote into the server, but the users were unable to access the shares. There were no Cryptoguard or Sophos Av errors in the logs.  Rebooting the server cleared the issue for a few hours but ultimately the issue returned.  We removed Sophos AV entirely yesterday and 24 hours later the server is still running good.  We will reinstall the AV and disable the Cryptogard function and hope for the best.  On the client side, we have about 60 computers (Win 10 and Win7) so far that become unusable after enabling Intercept-X.  We spent many hours on the phone with support but it is clear that the support team is not familiar enough with intercept-x to support it.  I have a request for a refund of the advanced portion of our licensing because it is causing us so many random problems.  Maybe in another year it will be ready.

Hi Steve,

I would like to understand why you are seeing these issues. Please send me a PM if you are able to spend a little time with me to try and resolve your issue.

Regards,

Stephen

In late September support said they have a few customers reporting the issue.   I could recreate the problem in a lab setup and I provided those build steps to support. 

My case is still open (#7434401). The dev teams is working on it but there isn't currently an ETA. 

I currently have the Hitman Pro service disabled on the servers it was causing issues with. 

Hey there,

I just installed the Advanced Server Protection on our fileserver (2008 R2) a few days ago (and included Cryptoguard) and have these problems:

- inaccessable file shares

-> as a result extrem slow(to death) logon/logoff users with roaming profiles

I can see in the file share overview that some users have around 500-1500 open files during logon/logoff, sometimes even more and piling up until i kill the session.

Currently I evaluate Advanced Server Protection 'cause of the Cryptoguard (had a case in a friends company) but right now it looks unusuable.

Can you tell if a disabled Hitman Pro service (under services directly on the server) helped? Or will a disabled Cryptoguard in Central do the same trick?

Disabling the 'HitmanPro.Alert service' is what I have been doing on our server that have the issue.   Once the service is disabled the server will need to be rebooted so the file filter driver is not loaded.  If Sophos pushes a program update then the service will be enabled again so you have to keep an eye out for that. 

I believe I tested just disabling Cryptoguard in the policy.  I can't recall for sure if worked for not and I can't find it in my notes.  For whatever reason I settled on disabling the service and verify the filter driver wasn't loaded.

To check if the driver is loaded run 'fltmc' from the command line.  If you see 'hmpalert' on the list that means the driver is loaded. 

>fltmc

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
hmpalert                                3       345800         0

Hi all,

We can now replicate this issue thanks to the steps provided. The team have a proposed fix for this issue that is currently being reviewed; once i have more details as to a build that fixes this, i will update this thread.

Regards,

Stephen

Hi, i'm experiencing the exact same issue as this 2008r2 with DFS file shares freezing or hanging. only way to resolve is to stop the Hitman pro service.

this was last updated the 13 dec 2017, has there been no further progress?

The last I heard from my ticket is that the issue was escalated to Critical and development was testing a fix.  If testing went well then they were hoping to release the fix in Q1 2018. That was also from early December.  I pinged support for an update.