
"Not started: Sophos System Protection Service" on Exchange servers

I'm going through some "One or more Sophos services are not running" alerts for our customers and the last five have been the same service (Sophos System Protection Service) on mail servers.  I can start the service successfully, but it stops again several seconds later.  Any idea what I can do to resolve this?  Rebooting is kind of tough because these are production mail servers. Also, was there a software update that happened last night that would have caused this?



  • Hi,

     

    Did you get a fix for this?  We've had exactly the same problem with 4 x Exchange 2010 servers which seems to have started after Sophos was updated on Sunday 8th July.  Initially they reported that a reboot was required, after rebooting the "Sophos System Protection Service" fails, if the service is restarted it fails again a minute or so later.

    We currently have a call open with Sophos via our support provider, Sophos has gathered logs but no progress so far and obviously having our mail servers unprotected is concerning.  Our other (30+) servers running Sophos are unaffected, so Exchange does appear to be the common link.  The Exchange servers are running under Server 2008 R2 and are comprised of 2 x Servers in a CAS array and 2 x Servers in a DAG.

    Cheers.

     

    The following is logged in the SDR log:-

    2018-07-10T14:34:52.343Z SDR Init Notice Registry DebugFacilities 0xffffffff DebugLevel 2
    2018-07-10T14:34:52.344Z SDR Init Info Service Starting...
    2018-07-10T14:34:52.344Z SDR Init Info Version: 1.3.0.0 0000000
    2018-07-10T14:34:52.344Z SDR Init Info SysInfo: SERVER.NAME PID 7128
    2018-07-10T14:34:52.344Z SDR Init Info   64Bit Kernel: 1
    2018-07-10T14:34:52.344Z SDR Init Info   Dirname: C:\Program Files\Sophos\Endpoint Defense\
    2018-07-10T14:34:52.344Z SDR Init Info   Basename: SSPService
    2018-07-10T14:34:52.878Z SDR Init Info AgentManager successfully started.
    2018-07-10T14:34:52.954Z SDR Init Info ApplicationManager successfully started.
    2018-07-10T14:34:57.955Z SDR Comms Error Unable to open async communications port - error 0x80070002
    2018-07-10T14:35:02.955Z SDR Comms Error Unable to open async communications port - error 0x80070002
    2018-07-10T14:35:07.955Z SDR Comms Error Unable to open async communications port - error 0x80070002
    2018-07-10T14:35:12.955Z SDR Comms Error Unable to open async communications port - error 0x80070002
    2018-07-10T14:35:17.955Z SDR Comms Error Unable to open async communications port - error 0x80070002
    2018-07-10T14:35:22.954Z SDR Comms Error Unable to open async communications port - error 0x80070002
    2018-07-10T14:35:27.955Z SDR Comms Error Unable to open async communications port - error 0x80070002

     

    This is logged in the System event log just before the service fails:-

    Log Name:      System
    Source:        Application Popup
    Date:          09/07/2018 08:49:57
    Event ID:      26
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      server.name
    Description:
    Application popup: SSPService.exe - Application Error : The exception unknown software exception (0xc0000417) occurred in the application at location 0x405dfb92.

    Click on OK to terminate the program
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Popup" />
        <EventID Qualifiers="16384">26</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2018-07-09T07:49:57.000000000Z" />
        <EventRecordID>21343</EventRecordID>
        <Channel>System</Channel>
        <Computer>server.name</Computer>
        <Security />
      </System>
      <EventData>
        <Data>SSPService.exe - Application Error</Data>
        <Data>The exception unknown software exception (0xc0000417) occurred in the application at location 0x405dfb92.

    Click on OK to terminate the program</Data>
      </EventData>
    </Event>
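
Added example (not part of the original thread, and not Sophos tooling): a short Python triage of the SDR log excerpt above. It groups repeated Error lines, measures the retry interval, and decodes the HRESULT; for the posted lines this shows a fixed 5-second retry failing with `0x80070002`, which is FACILITY_WIN32 code 2 (ERROR_FILE_NOT_FOUND). The line layout is assumed from the excerpt, and the function names and lookup tables are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a few lines copied from the SDR log excerpt in the post above.
SAMPLE_LOG = """\
2018-07-10T14:34:52.954Z SDR Init Info ApplicationManager successfully started.
2018-07-10T14:34:57.955Z SDR Comms Error Unable to open async communications port - error 0x80070002
2018-07-10T14:35:02.955Z SDR Comms Error Unable to open async communications port - error 0x80070002
2018-07-10T14:35:07.955Z SDR Comms Error Unable to open async communications port - error 0x80070002
"""

# Layout assumed from the excerpt: timestamp, "SDR", component, level, message.
LINE_RE = re.compile(r"^(\S+Z) SDR (\w+) (\w+) (.*)$")
HRESULT_RE = re.compile(r"error (0x[0-9a-fA-F]{8})\b")
FACILITIES = {7: "FACILITY_WIN32"}  # subset
WIN32_CODES = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}  # subset

def decode_hresult(value):
    """Split a 32-bit HRESULT into its failure bit, facility and code."""
    facility, code = (value >> 16) & 0x1FFF, value & 0xFFFF
    name = WIN32_CODES.get(code, "unknown") if facility == 7 else "unknown"
    return {"failed": bool(value >> 31), "code": code, "name": name,
            "facility": FACILITIES.get(facility, str(facility))}

def summarize_errors(log_text):
    """Group Error-level lines by (component, message) and describe each group."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(3) == "Error":
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ")
            groups[(m.group(2), m.group(4))].append(ts)
    report = []
    for (component, message), stamps in groups.items():
        gaps = sorted((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
        h = HRESULT_RE.search(message)
        report.append({
            "component": component, "message": message, "count": len(stamps),
            "median_gap_s": round(gaps[len(gaps) // 2]) if gaps else None,
            "hresult": decode_hresult(int(h.group(1), 16)) if h else None,
        })
    return report

if __name__ == "__main__":
    for row in summarize_errors(SAMPLE_LOG):
        print(row)
```
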

     

  • Are you able to get a process dump of SSPService.exe process when it crashes?

    I would suggest running in an admin prompt:

    mkdir C:\procdump

    Download procdump.exe from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump and save it to C:\procdump

    From the admin prompt run:
    procdump -ma -i C:\procdump

    Recreate the issue and you should have a dump (or 2) in C:\procdump\.  Only the first of the 2 (if created) is needed.

    It might be worth getting a couple of dumps from separate occurrences to prove it always crashes in the same way.

    You can remove the 2 registry keys created by procdump by running:
    procdump -u
    and delete the C:\procdump directory if needed.

    Regards,
    Jak

  • Hi,

    Problem is still ongoing, our support provider has submitted the dump analyses to Sophos support, the errors seem consistent across multiple events (5 dumps taken).  I've included the "highpoints" from one of the dump analysis files below.

    Cheers.

    FAULTING_IP:
    SSPService+6bfb92
    00000001`3fdefb92 ff1510cb0e00    call    qword ptr [SSPService+0x7ac6a8 (00000001`3fedc6a8)]
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 000000013fdefb92 (SSPService+0x00000000006bfb92)
       ExceptionCode: c0000417
      ExceptionFlags: 00000001
    NumberParameters: 0
    DEFAULT_BUCKET_ID:  NULL_POINTER_READ
    PROCESS_NAME:  SSPService.exe
    ERROR_CODE: (NTSTATUS) 0xc0000417 - An invalid parameter was passed to a C runtime function.
    EXCEPTION_CODE: (NTSTATUS) 0xc0000417 - An invalid parameter was passed to a C runtime function.
    EXCEPTION_CODE_STR:  c0000417
    WATSON_BKT_PROCSTAMP:  5b17a87e
    WATSON_BKT_PROCVER:  1.5.0.55
    PROCESS_VER_PRODUCT:  Sophos Endpoint Defense
    WATSON_BKT_MODULE:  SSPService.exe
    WATSON_BKT_MODSTAMP:  5b17a87e
    WATSON_BKT_MODOFFSET:  6bfb92
    WATSON_BKT_MODVER:  1.5.0.55
    MODULE_VER_PRODUCT:  Sophos Endpoint Defense
    BUILD_VERSION_STRING:  6.1.7601.24150 (win7sp1_ldr_escrow.180528-1700)
    MODLIST_WITH_TSCHKSUM_HASH:  84015997fd16201164ff13bff6c50e219a14b2e6
    MODLIST_SHA1_HASH:  61b8c2f6e5e753569e47efc33ad94760e93e438b
     
    ....
     
    FOLLOWUP_IP:
    SSPService+6bfb92
    00000001`3fdefb92 ff1510cb0e00    call    qword ptr [SSPService+0x7ac6a8 (00000001`3fedc6a8)]
    FAULT_INSTR_CODE:  cb1015ff
    SYMBOL_STACK_INDEX:  0
    SYMBOL_NAME:  SSPService+6bfb92
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: SSPService
    IMAGE_NAME:  SSPService.exe
    DEBUG_FLR_IMAGE_TIMESTAMP:  5b17a87e
    STACK_COMMAND:  ~68s ; .ecxr ; kb
    BUCKET_ID:  X64_NULL_POINTER_READ_IN_CALL_SSPService+6bfb92
    FAILURE_EXCEPTION_CODE:  c0000417
    FAILURE_IMAGE_NAME:  SSPService.exe
    BUCKET_ID_IMAGE_STR:  SSPService.exe
    FAILURE_MODULE_NAME:  SSPService
    BUCKET_ID_MODULE_STR:  SSPService
    FAILURE_FUNCTION_NAME:  Unknown
    BUCKET_ID_FUNCTION_STR:  Unknown
    BUCKET_ID_OFFSET:  6bfb92
    BUCKET_ID_MODTIMEDATESTAMP:  5b17a87e
    BUCKET_ID_MODCHECKSUM:  b64c36
    BUCKET_ID_MODVER_STR:  1.5.0.55
    BUCKET_ID_PREFIX_STR:  X64_NULL_POINTER_READ_IN_CALL_
    FAILURE_PROBLEM_CLASS:  NULL_POINTER_READ
    FAILURE_SYMBOL_NAME:  SSPService.exe!Unknown
    FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000417_SSPService.exe!Unknown
    TARGET_TIME:  2018-07-12T10:34:37.000Z
    OSBUILD:  7601
    OSSERVICEPACK:  24150
    SERVICEPACK_NUMBER: 0
    OS_REVISION: 0
    OSPLATFORM_TYPE:  x64
    OSNAME:  Windows 7
    OSEDITION:  Windows 7 Server (Service Pack 1) Enterprise TerminalServer SingleUserTS
    USER_LCID:  0
    OSBUILD_TIMESTAMP:  2018-05-29 03:35:16
    BUILDDATESTAMP_STR:  180528-1700
    BUILDLAB_STR:  win7sp1_ldr_escrow
    BUILDOSVER_STR:  6.1.7601.24150
    ANALYSIS_SESSION_ELAPSED_TIME:  5cc2
    ANALYSIS_SOURCE:  UM
    FAILURE_ID_HASH_STRING:  um:null_pointer_read_c0000417_sspservice.exe!unknown
    FAILURE_ID_HASH:  {4580f773-f2f6-e300-e220-cbad28758455}
    Followup:     MachineOwner
  • Hi, 

    Does it help to turn off in policy the "Automatically exclude activity by known applications" option in the Threat Protection policy?

    Regards,

    Stephen

  • Hi Stephen,

     

    Thanks for the reply.

     

    I cloned our existing policy to a new one, disabled the setting then applied it to one of our Exchange servers and updated, then tried restarting the service a couple of times - no improvement I'm afraid.  I've also applied the default policy with the setting back on just in case anything changed but no luck there either.

    Cheers.

  • Hi, thanks for testing. Development are looking into this, I will post an update as soon as I have one.

    Regards,

    Stephen

  • Update:

    We have identified the cause and are releasing a fix for this tomorrow. 

    Regards,

    Stephen

  • Hi Stephen,

    That's great news, thanks. 

    Do you know if the fix will come down through the normal update process, or will it be a manual patch?

    Best regards,

    Dean

  • It will come via the normal Sophos update process, it won't require any manual intervention. 

  • Hi all,

    As noted in the notification thread, we have just released the update that should fix this issue.

    Note: you may need to manually start the service.

    Regards,

    Stephen

  • Hi Stephen,

     

    Looks encouraging, about 30 minutes now without the service stopping.  You're correct about having to manually start the services, also one of the servers still had the issue but I triggered an update through Central then tried again and it's been OK since.

     

    We'll monitor until close of play today then close our ticket with Sophos.

     

    Thanks for all your help.

  • Hi Everyone,

    As StephenMcKay mentioned, a fix for this issue has been released and confirmed to prevent the issue on July 13, 2018. For more details refer to SSP Service not starting on Central Windows Servers.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support
