
Sophos and Terminal Services

We are running a terminal server with operating system Windows 2008 R2 and that uses Sophos Endpoint Security and Control version 9.5. This terminal server is used in a lab to allow up to 30 people to RDP into the server.  We have received reports that during specified times of the day all of the remote desktop users will lose internet connection. It is still possible to establish an RDP connection and access our shared files on the terminal server, which would indicate that they are still connected through the network. After some investigating, we have reason to believe one of the functions of Sophos may be blocking internet access for the remote desktop users.  The event viewer on the terminal server reports Savservice.exe errors during the time Internet Explorer is unavailable to browse.  It appears Sophos is scanning IE during the time of the internet outage; once Sophos is complete, internet browsing is restored. Have you received any reports on this or know any information we could use to correct this problem?  We are hoping perhaps modifying the settings on Sophos would eliminate this problem.

Thanks in advance!



  • Hi,

    You could try disabling the Sophos BHO in IE add-ons.  If there are multiple instances of IE running all concurrently browsing the web, the savservice will be kept rather busy servicing scan requests from each of the IE processes.  I would suggest disabling that first to see if it helps.

    Of note, if it turns out to be the case, the BHO has been replaced in SAV 10 with an LSP, so that could become the solution for you.

    Regards,

    Jak

  • Thank you for the fast reply,

    We will try what you recommend to see if that fixes the problem. If we get a positive outcome I will be sure to mark it as the solution!


    Edit:

    I also wanted to ask how vulnerable would a user be by disabling the BHO?

  • Hi,

    The web scanning component aims to filter out threats/exploits before they hit the disk and before the browser can execute/render them.  The web scanning in SAV 9.x only works with IE as it's a Browser Helper Object (BHO).  In SAV 10, all the main browsers are covered as the web scanning piece is now implemented as a Layered Service Provider (LSP) rather than an IE-specific BHO.

    For example, if you were to download "virus.exe" with 9.x and with the BHO off, the on-access scanner would still pick up the file as it was read back by IE from disk and therefore protect the user.  In the case of a virus file such as this the browser wouldn't really do much with "virus.exe" other than download it. If the web scanning was on and if the file was under 2 MB, the web content scanner would send it to be scanned before it was written to disk, so it would be picked up by the web scanning component.  On-access wouldn't even see it.

    The web scanning is really to have access to components of a webpage such as javascript, images, video, etc., so they can be checked (up to 2MB) before the browser tries to work with them.  So it essentially catches things earlier to reduce the chance of the browser, in this case IE, doing something with the threat before on-access gets a look in.

    Jak

  • Excellent, one more question if you don't mind!

    While I did research on how to go about doing this, most of the responses seemed to date from pretty long ago, so I was hoping I could get confirmation on this.

    We run terminal services for a large number of users. If we log in to the server as an administrator and disable the BHO, will it persist to all users? By the way the problem sounds, it only takes one user to trigger downtime, so we would need to change it for all users who log in to the server. Unfortunately, I don't remember seeing a pre-built GPO that would allow us to disable it for all users; could you direct me to an up-to-date solution?


    Once again, thanks

  • The following post should help:

    /search?q= 10229

    The GPO option is under "Computer Configuration", so it should apply to all processes running under all users.

    Regards,

    Jak

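As an added example for Jak's two suggestions above (disable the Sophos BHO in IE, then enforce that for every user through the "Add-on List" policy under Computer Configuration), here is a PowerShell script an administrator can run on the terminal server. It is not from this thread and not Sophos tooling. It lists every Browser Helper Object registered for IE (the CLSID is what the Add-on List policy needs), and reports whether that policy already covers each one. It assumes the standard BHO registration keys under `Browser Helper Objects`, that the Add-on List policy stores per-CLSID state under `HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Ext\CLSID` (0 = disabled, 1 = enabled, 2 = user-controlled), and that the Sophos BHO's registered name or DLL path contains "Sophos"; the last is a guess, since the thread does not give the CLSID.

```powershell
# Added example, not from the thread: enumerate IE Browser Helper Objects on this
# server and report whether the machine-wide IE "Add-on List" policy disables them.
# Run from an elevated PowerShell prompt on the terminal server.

# Standard BHO registration points (64-bit and 32-bit registry views)
$bhoRoots = @(
    @{ Key     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid   = 'HKLM:\SOFTWARE\Classes\CLSID'
       Bitness = '64-bit' },
    @{ Key     = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid   = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
       Bitness = '32-bit' }
)

# Where the "Add-on List" policy (Computer Configuration > Administrative Templates >
# Windows Components > Internet Explorer > Security Features > Add-on Management) stores
# per-CLSID state. Assumed values: "0" disabled, "1" enabled, "2" user can decide.
$addonPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Ext\CLSID'

function Get-RegisteredBho {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root.Key)) { continue }
        foreach ($sub in Get-ChildItem -Path $root.Key) {
            $clsid    = $sub.PSChildName
            $clsidKey = Join-Path $root.Clsid $clsid
            # Friendly name and DLL come from the COM registration, not the BHO key itself
            $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty -Path (Join-Path $clsidKey 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'

            $policy = $null
            if (Test-Path $addonPolicyKey) {
                # The policy value is named after the CLSID, so read it dynamically
                $policy = (Get-ItemProperty -Path $addonPolicyKey -ErrorAction SilentlyContinue).$clsid
            }
            $state = switch ("$policy") {
                '0'     { 'disabled by policy' }
                '1'     { 'enabled by policy' }
                '2'     { 'user-controlled by policy' }
                default { 'no policy set' }
            }

            [pscustomobject]@{
                Clsid       = $clsid
                Name        = $name
                Dll         = $dll
                Bitness     = $root.Bitness
                PolicyState = $state
            }
        }
    }
}

$all = Get-RegisteredBho
$all | Format-Table -AutoSize

# Narrow to the Sophos BHO; matching on "Sophos" in the name or DLL path is an assumption
$sophos = $all | Where-Object { "$($_.Name) $($_.Dll)" -match 'Sophos' }
if ($sophos) {
    $sophos | ForEach-Object { "Sophos BHO $($_.Clsid) ($($_.Bitness)): $($_.PolicyState)" }
} else {
    'No BHO matching "Sophos" is registered on this machine.'
}
```

The CLSID printed for the Sophos entry is the value to put in the Add-on List policy with a state of 0. Re-running the script after a `gpupdate /force` should then show "disabled by policy" for it, which is a quicker check than logging in as several users. Because the policy lives under HKLM, it applies to every IE process regardless of which user started it, which is the point Jak makes about Computer Configuration.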
    I have been facing a similar issue. However, I do not have the SEC server and client details, nor the OS details.

    But whenever multiple users login to the terminal server, they are not able to access the Internet through the Terminal Server.

    Currently we have kept the AV scanning off on the terminal server to allow remote users to access the Internet, which I firmly believe is not a good practice.

  • Hi,

    Do you need to disable on-access to restore the computer to a working state, or would it be sufficient to disable the web protection features (the default of which is to mirror the on-access state)?  I suspect disabling on-access is essentially disabling web protection.

    What do you have under

    Configure - Anti-Virus - Web Protection?  

    Also, do you have web control enabled?

    If one of these 3 features is enabled then you will have a loaded LSP in the Winsock catalog.  If you disable all 3 and start the Sophos Web Intelligence Update service, the LSP will be removed from Winsock.

    Regards,

    Jak
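As an added example for Jak's point that an enabled web protection or web control feature shows up as an LSP in the Winsock catalog, here is a PowerShell check (not from this thread, not Sophos tooling) that parses `netsh winsock show catalog`, lists the layered providers, and flags any that identify themselves as Sophos, so you can confirm the LSP is gone after disabling the features and starting the Sophos Web Intelligence Update service. It assumes the `netsh` block layout ("... Provider Entry" header followed by "Field: value" lines, with an "Entry Type" field that reads "Layered ..." for LSPs), that the Sophos provider's description or path contains "Sophos", and that the service's display name begins with "Sophos Web Intelligence"; those last two are assumptions, since the thread gives neither the provider name nor the short service name.

```powershell
# Added example, not from the thread: list Layered Service Providers in the Winsock
# catalog and flag any that belong to Sophos. Run from an elevated PowerShell prompt.

function Get-WinsockCatalogEntries {
    # "netsh winsock show catalog" prints one block per provider, each introduced by a
    # "Winsock Catalog Provider Entry" or "Name Space Provider Entry" header line,
    # a line of dashes, and then "Field: value" lines.
    $lines   = & netsh winsock show catalog
    $entries = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $lines) {
        if ($line -match 'Provider Entry\s*$') {
            if ($null -ne $current -and $current.Count -gt 0) { $entries.Add([pscustomobject]$current) }
            $current = [ordered]@{}
            continue
        }
        # Lazy key match stops at the first colon, so "Provider Path: C:\..." keeps its value intact
        if ($null -ne $current -and $line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $current[$matches[1]] = $matches[2].Trim()
        }
    }
    if ($null -ne $current -and $current.Count -gt 0) { $entries.Add([pscustomobject]$current) }
    return $entries
}

function Get-LoadedLsp {
    # LSP entries have an "Entry Type" of "Layered Service Provider" or "Layered Chain Entry";
    # base providers such as MSAFD Tcpip are excluded.
    Get-WinsockCatalogEntries | Where-Object { $_.'Entry Type' -match 'Layered' }
}

$lsps = @(Get-LoadedLsp)
if ($lsps.Count -eq 0) {
    'No Layered Service Providers are loaded in the Winsock catalog.'
} else {
    $lsps | Select-Object 'Entry Type', 'Description', 'Provider Path', 'Catalog Entry ID' |
        Format-Table -AutoSize
}

# Matching on "Sophos" in the description or DLL path is an assumption about the provider's naming
$sophosLsp = @($lsps | Where-Object { "$($_.Description) $($_.'Provider Path')" -match 'Sophos' })
if ($sophosLsp.Count -gt 0) {
    "Sophos LSP still present: $($sophosLsp.Count) catalog entries"
} else {
    'No Sophos LSP found in the Winsock catalog.'
}

# Service named in the thread that rewrites the catalog when the web features are toggled;
# matched by display-name wildcard because the short service name is not given in the thread.
Get-Service -DisplayName 'Sophos Web Intelligence*' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status
```

Run it once before and once after changing Web Protection and Web Control and starting the service: the first run should show the Sophos entries, the second should not. If the entries are still present, the service has not yet rewritten the catalog, or one of the three features is still on. Because Winsock LSPs sit in every process that opens a socket, this is also the quickest way to tell whether a browser outage on the terminal server can plausibly be related to the Sophos web components at all.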

  • Dear Jak,

    Thanks for your reply.

    At the moment the end customer is disabling Endpoint on the Terminal Server and that's how the internet works on the Terminal Server, with multiple users connected simultaneously to the server.

    We have not tried disabling web protection. We need to try that.  I will also check whether Web Control is enabled.

    I will check with the end customer and get back to you on this.

    Thanks for the help.

    Regards,

    Mr. Samson Pacharne

    Please find below the details of the Sophos SEC server and the terminal server specifications.

    Sophos SEC Server Details.

    Machine Type : Hyper V

    Machine OS: Windows 2008 R2 Standard

    RAM (Memory) : 16 GB

    Architecture: x64

    Sophos Server SEC Enterprise Console Version : 5.3.0


    Terminal Server Details

    Machine Type : Hyper V

    Machine OS: Windows Server 2012 R2 Standard

    RAM (Memory) :  40GB

    Architecture: x64

    Sophos Client Software Version :  10.6

    Currently we have disabled the entire endpoint client software on the terminal server.

    I will check the same today by disabling the Web Protection and Web Control functionality and inform you accordingly.

    Regards,

    Mr. Samson Pacharne.

  • Hello,

    Today we have disabled the Web Protection and Web Control; now let us monitor the same to see if any users are facing any issue.

    Regards,

    Mr. Samson Pacharne