
Sophos Central Server changing file attributes remotely causes explorer to freeze for 20 to 30 seconds

Hi, 

 

I have been having a weird issue. For a while I thought it was a Windows issue and made a case with Microsoft; after going back and forth with them for about a week or two, we realized it was Sophos.

 

Basically, if I have a share folder or UNC path to a server and attempt to change a file's attributes, i.e. read only or hidden, the window will essentially lock up for 20 to 30 seconds when I click apply. This happens regardless of the user; I even tried domain admin, same thing. It is also regardless of which server I try to connect and make the changes to (we have 7 or 8). It does not happen from workstation to workstation or server to workstation, only workstation to server or server to server; basically only when the target OS the file is on is a Windows Server. I can confirm it happens on Server 2008R2, Server 2012 and Server 2016. What is more odd is I originally dismissed Sophos due to disabling Sophos via the console login with the tamper protection password and still seeing the issue; basically I can completely disable Sophos and the issue is still there.

However, upon Microsoft's request I uninstalled Sophos and, magically, the issue disappeared; I then reinstalled and there it was again.

 

Any ideas?



This thread was automatically locked due to age.
  • What does "completely disable Sophos" mean?  Disable all the user mode services from services.msc and reboot?

    What OS is the client?  Are Win 7 and Win 10 equally impacted?

    Does the client have HMPA installed?  If so, the first thing I would do is rename hmpalert.sys in \windows\system32\drivers and reboot.
    With the HMPA driver not loaded it will not inject the HMPA dll into processes which would include Explorer.
    Ruling out HMPA would be the first thing I would try.

    Regards,

    Jak


  • The workstations are Windows 10, by disabling I mean going into Admin Login on the server itself, entering in the tamper protection password and turning off every aspect of Sophos, I did this one at a time as well to see if I could narrow it down further.

    Respectfully, 

     

    Badrobot

     

  • Does the client have HMPA installed?  Yes

     

    If so, the first thing I would do is rename hmpalert.sys in \windows\system32\drivers and reboot.

     

    Tried, no change in issue.

    Respectfully, 

     

    Badrobot

     

  • OK, so that pretty much rules out HMPA as the cause, I suppose, you can rename back the driver and we should consider if the issue is with realtime scanning.

    In the Threat Protection policy linked to the client, can you just disable:

    "Enable real-time scanning"

    Re-test, does that help and then disable:
    "Detect malicious behavior (HIPS)"
    Same policy but further down.

    This goes most of the way to disabling the more traditional AV component.  You could go one further and stop the "Sophos Anti-Virus service".

    It would also be interesting to try just disabling the scanning of "remote files", which is next to the "Enable real-time scanning" option.

    These options will help understand if it's the main AV component, i.e. Sophos Anti-Virus.


    Regards,

    Jak

  • Hi Jak, 

     

    I have narrowed it down to File Integrity Monitoring. This is set up with default settings; I created a new group with it disabled, moved different servers in and out and tested this. I even tried with multiple accounts and Win 10 computers on the connecting side. In all cases, if it is enabled there is a 10 to 20 second delay when clicking apply on attributes through file explorer, i.e. read only or hidden for example. Once the server in question is removed from the enabled group the delay is gone.

    Respectfully, 

     

    Badrobot

     

  • Hi Badrobot,


    If you create a support case (bottom right), and PM me the details I can escalate it. I'm not aware of any other reports for this, but it should be straightforward to replicate based on the information you have provided.

    Regards,

    Stephen

  • I have already made a case #8790441

     

    It is odd, I am wondering if it is a combination of events that cause it or what?

     

    Respectfully, 

     

    Badrobot

     

  • Hi, I thought I would add to this conversation as I am experiencing the same issue.

     

    When changing a file's attributes on our file server (i.e., enabling or disabling read only), File Explorer freezes for about 30 seconds after selecting 'Apply'.

    I also have 'File Integrity Monitoring' enabled.

     

    We are using the following:

    Clients - Windows 10 Enterprise with Sophos Intercept X Advanced (with base policies)

    File Server - Windows Server 2012 R2 with Intercept X Advanced for Server (with base policies)

  • Hi Oliver,

    Thanks for adding your report to this thread, it does help us with replication and troubleshooting. I will keep this thread updated with progress.

    Regards,

    Stephen

  • I just want to add some specifics-

     

    We are using

    Windows 10 Pro, if we attempt to change the files from Win 10 Pro, we currently are in a migration away from 2008 R2 so we have 2008 R2, 2012 R2 and 2016 Server and the issue will occur in any of these.  

    Respectfully, 

     

    Badrobot