Sophos Exploit Prevention causes open delays on several applications

Hello Lars Haberland,

you're talking about Exploit Prevention added to the on-premise SESC? Have it running on my Windows 7 Enterprise, never noticed it's there.
You should open a ticket with Support as this is not how it's supposed to be.

Christian

Hello Lars,

we experienced some latency when trialing interceptx as well. This was due to the key-encryption between the applications. 
I would recommend switching it off and verify.

Regards,

Sander

Hi LarsHaberland,

Before we proceed, can you please check and confirm the following details.

* Is the issue seen in any specific group of clients or users?
* Any other applications in the startup which could be causing this? Try disabling the Startup applications and recreate the issue.

Once we eliminate the basic causes you can do the following and contact our support with the mentioned logs to investigate it further.

Before we proceed Make sure to disable the tamper protection for the client computer.

1. Turn on SAV debug logging(HKLM\system\currentcontrolset\service\SAVonaccess | create a Dword "logflags" with value "FF") and Restart the SAV service
2. Turn on SophosFilescanner.log (HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Sophos File Scanner\Application | Create a Dword "Loglevel" value 4) and restart the Sophos File Scanner service.
3. Turn on Process Monitor
4. Attempt to open the application(MS Calculator, Snipping tool, etc)
5. Perform some actions to recreate the performance issue.
6. Turn off the SAV Debug Logging (HKLM\system\currentcontrolset\service\SAVonaccess | Delete the Dword "logflags")
7. Turn off the SAV scanning service.
8. Do some action on the application and get the performance issue reproduced again.
9. Turn off the Process Monitor.
10. Turn off SophosFilescanner.log (HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Sophos File Scanner\Application | Delete the Dword "Loglevel" value 4) and restart the Sophos File Scanner service.
11. Turn on the SAV service.
12. Gather an SDU.
13. Gather the Process Monitor.
14. Gather a sample of the application reported with the issue.

Note:
Make sure to enable Tamper protection and to disable the Debugging post the logs are collected, else it might end up consuming high disk space.

SDU logs will collect both the SAV and Sophosfilescanner logs, But for additional information below are the log locations to access them manually.

SAV.txt - C:\ProgramData\Sophos\Sophos Anti-Virus\logs
SophosFileScanner.log - C:\ProgramData\Sophos\Sophos File Scanner\Logs .

Hope it helps

Hello,

for the first part, its all Windows 7 64bit and I have the feeling its on all maschines.

I have this week off and will be in office next week on wednesday.

I try to get the log files then. Hope the log files include the hitman stuff too.

Thanks!

Hello,

I enabled logging  for SAV debug logging but when I tried to enable logging  for File Scanner I couldn't find

HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Sophos File Scanner\Application

the whole "Sophos File Scanner\Application" part is missing.

I can find

HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert

though.

We don't use InterceptX, we have Exploit Prevention via Enterprise Console.

Is there any difference in the registry paths?

Best regards

Lars Haberland

Hi LarsHaberland,

In that scenario, please contact the support with the available logs to investigate it further. If InterceptX is not used, then I will have this thread moved to the appropriate community group.

Hello,

yes then please move it to the appropriate group, I always thougt InterceptX and Exploit Prevention use the same "hitman pro" in disguise, that's why I posted here in the first place...

Thanks for your help.

Regards

Lars Haberland

Hello Sophos Team,

can you please move the post to "Endpoint Security and Control" forums?

Or should I open the same post there again?

Best regards

Lars Haberland

Hello again,

since Sophos does not seem able to understand the problem, unable to help OR WILLING to help, I was contacted by two other companies about the very same issue.

After digging in a firewall, it seems once again an issue with sophos not being able to use proxy servers.
Just like the ssp.exe that generated lots of traffic stated in another forum post hammering internal firewalls...

The other two companies implemented rules that allow direct internet access to certein amazon cloud AWS IPs.

After the implementation the delays are gone.

I checked the pcs network connections and it seems like hmpalert.exe is directly connecting to aws sophos cloud in order to download something or talk to the cloud on port 80 and 443 when you start an application. After the timeout it opens, then for this logon session that wont happen again for that application but for all the others. After reboot it starts all over.

Direct connection to the internet by a security appliance is a JOKE. Really. That can't be implemented in a company, there are TONS of AWS IPs coming up when opening the calculator, snipping tool and so on. Our firewall guy just laughed at me.

If the connection can't be establish due to firewall your service holds back the execution of applications for almost 15 seconds, that's the delay we are talking about.

The on premise enterprise console and the software which belongs to it should in NO CASE should rely on direct internet connections.

We are sitting on a big amount of unusable licenses because we can't enable hitman - oh wait - exploit prevention - without getting our users VERY angry. Period.

One of the other company already opened a call at Sophos about this issue and is facing email ping pong about logfiles and stuff.

If you need direct internet for the hmpalert.exe, then please - for gods sake - set the timeout to something like 1 seconds and not 15, because direct internet is not going to happen anyways.

Or as I stated in the ssp forum post, make your services use proxy server WITH authentication so I can set up a proxy user in enterprise console apply it via polices and your software will be much much much better. And I will be much much much happier.

Ooof, I feel much better now.

Best regards

Lars Haberland