
Sophos Exploit Prevention causes open delays on several applications

Hello,

So we added Exploit Prevention to our license, but ever since I've been experiencing weird delays when opening applications.

I can reproduce it with cmd.exe (i.e. opening batch files), MS Snipping Tool, MS Calculator and similar programs.

Let's say you open the calculator by clicking it and it does not open. You wait ~20 seconds and then it opens. (Of course the users have already clicked 20 times by then and end up with 20 calculators...)

I disabled EVERYTHING in the policy (except "enable exploit prevention") to check if a setting is responsible for the behaviour, but the problem persists.

If I start the very same program again, I normally don't get the delay until the next reboot (sometimes I do get it, though).

When I disable "Exploit Prevention" in policy and reboot, the problems are gone.

I'm experiencing this on Windows 7 64-bit on several machines (if not all, but I didn't roll it out on all of them, OBVIOUSLY).

Right now I have no idea what to do. I don't feel good with machines behaving like this.

Best regards

Lars Haberland



  • Hi LarsHaberland,

    Before we proceed, can you please check and confirm the following details?


    * Is the issue seen in any specific group of clients or users?
    * Any other applications in the startup which could be causing this? Try disabling the Startup applications and recreate the issue.

    Once we eliminate the basic causes, you can do the following and contact our support with the mentioned logs to investigate it further.

    Before we proceed, make sure to disable tamper protection on the client computer.


    1. Turn on SAV debug logging (HKLM\SYSTEM\CurrentControlSet\Services\SAVOnAccess | create a DWORD "logflags" with value "FF") and restart the SAV service.
    2. Turn on SophosFileScanner.log (HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Sophos File Scanner\Application | create a DWORD "Loglevel" with value 4) and restart the Sophos File Scanner service.
    3. Turn on Process Monitor
    4. Attempt to open the application(MS Calculator, Snipping tool, etc)
    5. Perform some actions to recreate the performance issue.
    6. Turn off the SAV debug logging (HKLM\SYSTEM\CurrentControlSet\Services\SAVOnAccess | delete the DWORD "logflags").
    7. Turn off the SAV scanning service.
    8. Do some action on the application and get the performance issue reproduced again.
    9. Turn off the Process Monitor.
    10. Turn off SophosFileScanner.log (HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Sophos File Scanner\Application | delete the DWORD "Loglevel") and restart the Sophos File Scanner service.
    11. Turn on the SAV service.
    12. Gather an SDU.
    13. Gather the Process Monitor.
    14. Gather a sample of the application reported with the issue.

    Note:
    Make sure to re-enable tamper protection and to disable the debugging once the logs are collected, else it might end up consuming a lot of disk space.

    The SDU will collect both the SAV and SophosFileScanner logs, but for additional information, below are the log locations to access them manually.

    SAV.txt - C:\ProgramData\Sophos\Sophos Anti-Virus\logs
    SophosFileScanner.log - C:\ProgramData\Sophos\Sophos File Scanner\Logs

    Hope it helps

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
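The logging steps above as one script, added here as an example and not part of the Sophos post or any Sophos tool. It assumes the standard services key path (HKLM\SYSTEM\CurrentControlSet\Services), that the SAV service is registered as 'SAVService' and that the File Scanner service's display name starts with 'Sophos File Scanner'; check with Get-Service if yours differ. Because the File Scanner key is not present on every install (see the follow-up in this thread), the script skips that step instead of failing.

```powershell
# Added example (not Sophos code): toggle the debug-logging switches from the
# support post and restart the affected services. Run elevated, with tamper
# protection already disabled.
# Assumptions (not stated in the thread): SAV service name 'SAVService';
# File Scanner service display name matches 'Sophos File Scanner*'.
$SavOnAccessKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SAVOnAccess'
$FileScannerKey = 'HKLM:\SOFTWARE\Sophos\Sophos File Scanner\Application'

function Restart-SophosService {
    param([string]$Name, [string]$DisplayPattern)
    $svc = $null
    if ($Name) { $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue }
    if (-not $svc -and $DisplayPattern) {
        $svc = Get-Service | Where-Object { $_.DisplayName -like $DisplayPattern } | Select-Object -First 1
    }
    if (-not $svc) { Write-Warning "service not found: $Name $DisplayPattern"; return }
    Restart-Service -Name $svc.Name -Force
    Write-Host ("restarted {0} ({1})" -f $svc.DisplayName, $svc.Name)
}

function Enable-SophosDebugLogging {
    # Step 1: SAV on-access debug logging, logflags = 0xFF
    if (-not (Test-Path $SavOnAccessKey)) { throw "missing key $SavOnAccessKey (is SAV installed?)" }
    New-ItemProperty -Path $SavOnAccessKey -Name 'logflags' -PropertyType DWord -Value 0xFF -Force | Out-Null
    Restart-SophosService -Name 'SAVService'

    # Step 2: File Scanner logging, Loglevel = 4. The key only exists when the
    # File Scanner component is installed, so skip rather than fail without it.
    if (Test-Path $FileScannerKey) {
        New-ItemProperty -Path $FileScannerKey -Name 'Loglevel' -PropertyType DWord -Value 4 -Force | Out-Null
        Restart-SophosService -DisplayPattern 'Sophos File Scanner*'
    } else {
        Write-Warning "$FileScannerKey not present; skipping File Scanner logging"
    }
}

function Disable-SophosDebugLogging {
    # Steps 6 and 10: delete the values again so the logs stop growing.
    Remove-ItemProperty -Path $SavOnAccessKey -Name 'logflags' -ErrorAction SilentlyContinue
    Restart-SophosService -Name 'SAVService'
    if (Test-Path $FileScannerKey) {
        Remove-ItemProperty -Path $FileScannerKey -Name 'Loglevel' -ErrorAction SilentlyContinue
        Restart-SophosService -DisplayPattern 'Sophos File Scanner*'
    }
}

# Usage: Enable-SophosDebugLogging; reproduce the delay with Process Monitor
# running; then Disable-SophosDebugLogging and re-enable tamper protection.
# Logs land in C:\ProgramData\Sophos\Sophos Anti-Virus\logs\SAV.txt and
# C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log
```

Restarting SAVService while the values are set is what actually switches the logging on; setting the DWORD alone does nothing until the service re-reads the key.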

  • Hello,


    For the first part, it's all Windows 7 64-bit and I have the feeling it's on all machines.

    I have this week off and will be in the office next week on Wednesday.

    I'll try to get the log files then. Hope the log files include the HitmanPro stuff too.

    Thanks!


  • Hello,

    I enabled SAV debug logging, but when I tried to enable logging for the File Scanner I couldn't find

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Sophos File Scanner\Application

    the whole "Sophos File Scanner\Application" part is missing.

    I can find

    HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert

    though.

    We don't use InterceptX, we have Exploit Prevention via Enterprise Console.

    Is there any difference in the registry paths?

    Best regards

    Lars Haberland

  • Hi LarsHaberland,


    In that scenario, please contact support with the available logs to investigate it further. If Intercept X is not used, then I will have this thread moved to the appropriate community group.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support


  • Hello,

    Yes, then please move it to the appropriate group. I always thought Intercept X and Exploit Prevention use the same "HitmanPro" in disguise, that's why I posted here in the first place...

    Thanks for your help.

    Regards

    Lars Haberland

  • Hello Sophos Team,

    can you please move the post to "Endpoint Security and Control" forums?

    Or should I open the same post there again?

    Best regards

    Lars Haberland

  • Hello again,

    Since Sophos does not seem able to understand the problem, and seems unable OR UNWILLING to help, I was contacted by two other companies about the very same issue.

    After digging in a firewall, it seems to be once again an issue with Sophos not being able to use proxy servers.
    Just like the ssp.exe that generated lots of traffic hammering internal firewalls, as stated in another forum post...

    The other two companies implemented rules that allow direct internet access to certain Amazon AWS cloud IPs.

    After the implementation the delays are gone.

    I checked the PCs' network connections and it seems like hmpalert.exe is directly connecting to the Sophos cloud on AWS, on ports 80 and 443, in order to download something or talk to the cloud when you start an application. After the timeout the application opens; then, for this logon session, that won't happen again for that application, but it will for all the others. After a reboot it starts all over.

    A direct connection to the internet by a security product is a JOKE. Really. That can't be implemented in a company; there are TONS of AWS IPs coming up when opening the calculator, snipping tool and so on. Our firewall guy just laughed at me.

    If the connection can't be established due to the firewall, your service holds back the execution of applications for almost 15 seconds. That's the delay we are talking about.

    The on-premise Enterprise Console and the software which belongs to it should in NO CASE rely on direct internet connections.

    We are sitting on a large number of unusable licenses because we can't enable HitmanPro - oh wait - Exploit Prevention - without getting our users VERY angry. Period.

    One of the other companies has already opened a call at Sophos about this issue and is facing email ping-pong about log files and stuff.

    If you need direct internet access for hmpalert.exe, then please - for God's sake - set the timeout to something like 1 second and not 15, because direct internet access is not going to happen anyway.

    Or, as I stated in the ssp forum post, make your services use a proxy server WITH authentication so I can set up a proxy user in Enterprise Console, apply it via policies, and your software will be much, much, much better. And I will be much, much, much happier.

    Ooof, I feel much better now.

    Best regards

    Lars Haberland
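The check described in the last post (which process is talking to which AWS addresses while an application is held, and how long a firewalled connect takes before it gives up), written out as an added example. This is not code from the post or from Sophos; it only assumes the process name hmpalert.exe that the post gives, and it reads destinations from netstat rather than from any published Sophos IP list. It sticks to netstat -ano and .NET so it runs on the Windows 7 / PowerShell 2.0 machines in the thread.

```powershell
# Added example (not from the thread): map hmpalert.exe's TCP connections
# while an application is being held, then time a connect to one of them.
# Assumption: the process is named hmpalert.exe, as stated in the post.

function Get-ProcessTcpConnections {
    param([string]$ProcessName = 'hmpalert')
    $ids = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
    if ($ids.Count -eq 0) { Write-Warning "no $ProcessName.exe running"; return @() }
    netstat -ano -p tcp | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        # Data rows of 'netstat -ano -p tcp' are: Proto Local Foreign State PID
        if ($f.Count -eq 5 -and $f[0] -eq 'TCP' -and ($ids -contains [int]$f[4])) {
            $i = $f[2].LastIndexOf(':')   # last ':' also handles [IPv6]:port
            New-Object PSObject -Property @{
                ProcessId     = [int]$f[4]
                RemoteAddress = $f[2].Substring(0, $i)
                RemotePort    = [int]$f[2].Substring($i + 1)
                State         = $f[3]
            }
        }
    }
}

function Measure-TcpConnect {
    # Seconds spent before the connect succeeded or was abandoned. A firewall
    # that silently DROPs the SYN costs the full timeout (the 15 s the post
    # describes); one that REJECTs with a RST returns in milliseconds.
    param([string]$Address, [int]$Port = 443, [int]$TimeoutSeconds = 20)
    $client = New-Object System.Net.Sockets.TcpClient
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ar = $client.BeginConnect($Address, $Port, $null, $null)
    $done = $ar.AsyncWaitHandle.WaitOne($TimeoutSeconds * 1000)
    $result = 'timeout (dropped)'
    if ($done) {
        try { $client.EndConnect($ar); $result = 'connected' }
        catch { $result = 'refused/unreachable (fast fail)' }
    }
    $sw.Stop()
    $client.Close()
    New-Object PSObject -Property @{
        Address = $Address; Port = $Port; Result = $result
        Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 2)
    }
}

# Usage: start calc.exe, and within the delay window run:
#   $c = Get-ProcessTcpConnections | Where-Object { $_.RemotePort -eq 80 -or $_.RemotePort -eq 443 }
#   $c | Format-Table ProcessId, RemoteAddress, RemotePort, State -AutoSize
# Rows stuck in SYN_SENT are the ones the firewall is dropping; time one of them:
#   $c | Select-Object -First 1 | ForEach-Object { Measure-TcpConnect -Address $_.RemoteAddress -Port $_.RemotePort }
```

The two functions together give the firewall team something concrete: the exact destination addresses and ports the agent tries, and proof that the delay is the TCP connect timing out rather than anything in the application itself. If the firewall is changed from dropping to rejecting those packets, Measure-TcpConnect should fall from the full timeout to well under a second, which is the cheap mitigation when opening direct egress is not an option.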