
Odd issue with TSWeb Access and Sophos Endpoint Antivirus

We have an odd issue that started recently on our Windows 2008 Terminal Server. We use TS Web Access so that users can access a web page with applications we have installed on the termserver that they can use. However, last week we noticed that a few times a day the web page stops serving up the page to the applications. Looking at the event logs, we see a warning that the service no longer sees the terminal server hosting the applications (they are all on the same server). The way I can re-establish it is to simply stop and start the TS web site. I've narrowed down the problem to Sophos, as once we disable the Sophos antivirus service the issue does not return and the site stays up as it should, without incident. Once I re-enable the Sophos services, the problem comes back within a few hours and the site needs to be restarted.

There are no other odd errors or warnings in the Windows event logs, nor are there any messages about items being blocked in the Sophos logs.

Any ideas, or has anyone else seen this happen?


This thread was automatically locked due to age.
  • Hi,

    I've not seen the issue but it would be worth identifying the component of SAV responsible by disabling each one at a time.

    If IE is involved, start by disabling the BHO in Manage Add-ons: "Sophos Web Content Scanner" and run without that for a while.

    If that doesn't, I would probably move on to disabling Detours.  To do so:

    Create the key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\SAVService\SetupOptions]

    "DetourDLLState"="excluded"

    Note: Adjust path for 32-bit.  This will prevent Detoured being reinstalled on update while you test.

    Then remove the Sophos paths to the DLL from the keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\

    AppInit_DLLs

    and 

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    AppInit_DLLs

    Both will exist on a 64-bit machine, as one path will reference the 32-bit and one will reference the 64-bit version of the DLL; depending on whether the launching process is 32- or 64-bit, the right version will need to be loaded into it.

    To ensure all existing processes have unloaded Detours, you might need to reboot at this stage, and I would recommend it.  If you really can't, then you could just restart all the processes that might be having problems because of it.

    Note: Detours is used for a few components in SAV, so you might lose some functionality when disabling Detours:

    http://www.sophos.com/support/knowledgebase/article/112099.html

    The only other possible component would be the Layered Service Provider (LSP), as activated by the "Web Protection" feature in 9.5 if enabled.  You could disable, reboot and try again.

    So that would rule out 3 components.

    Regards,

    Jak
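
An added example, not part of the reply above and not Sophos tooling: a read-only PowerShell check of the registry values the reply names, showing what each AppInit_DLLs value contains and what it would look like with the Sophos entries removed. Matching entries on "sophos" in the path is an assumption, the function names are hypothetical, and the sample value at the end is constructed.

```powershell
# Read-only audit: nothing is written to the registry.
# On a 32-bit machine there is no Wow6432Node; adjust the paths as the reply notes.
$views = @{
    '64-bit' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    '32-bit' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
}
$setupOptions = 'HKLM:\SOFTWARE\Wow6432Node\Sophos\SAVService\SetupOptions'

function Split-AppInitDlls {
    param([string]$Value)
    # AppInit_DLLs is a single string; entries are separated by spaces or commas.
    @($Value -split '[ ,]+' | Where-Object { $_ })
}

function Get-AppInitReport {
    param([string]$View, [string]$Value)
    $entries = Split-AppInitDlls $Value
    # Assumption: a Sophos entry is any path containing "sophos" (case-insensitive).
    $sophos = @($entries | Where-Object { $_ -match 'sophos' })
    $keep   = @($entries | Where-Object { $_ -notmatch 'sophos' })
    New-Object PSObject -Property @{
        View          = $View
        Current       = $Value
        SophosEntries = ($sophos -join ' ')
        AfterRemoval  = ($keep -join ' ')   # other vendors' entries are preserved
    } | Select-Object View, Current, SophosEntries, AfterRemoval
}

foreach ($v in $views.GetEnumerator()) {
    $item = Get-ItemProperty -Path $v.Value -Name AppInit_DLLs -ErrorAction SilentlyContinue
    if ($null -eq $item) { "{0}: AppInit_DLLs not present" -f $v.Key; continue }
    Get-AppInitReport -View $v.Key -Value $item.AppInit_DLLs | Format-List
}

# Report whether the update-time exclusion from the reply is in place.
$state = Get-ItemProperty -Path $setupOptions -Name DetourDLLState -ErrorAction SilentlyContinue
if ($state) { "DetourDLLState = $($state.DetourDLLState)" } else { 'DetourDLLState is not set' }

# Constructed sample value (not taken from a real machine) to show the parsing offline.
Get-AppInitReport -View 'sample' -Value 'C:\PROGRA~2\Sophos\EXAMPLE.DLL,C:\Windows\other.dll' |
    Format-List
```

Run it before editing to record the original values, and again after the reboot to confirm the Sophos entries have not been put back by an update.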