This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Central Server changing file attributes remotely causes explorer to freeze for 20 to 30 seconds

Hi,

I have been having a weird issue, for awhile I thought it was a Windows issues and made a case with Microsoft, after going back and forth with them for about a week or two we realized it was Sophos.

Basically if I have a share folder or unc patch to a server and attempt to change a files attributes i.e. read only or hidden the window will essentially lock up for 20 to 30 seconds when I click apply. This happens regardless of the user, I even tried domain admin same thing. It is also regardless of which server I try to connect and make the changes to (we have 7 or 8). It does not happen from workstation to workstation or server to workstation only workstation to server or server to server, basically only when the target OS the file is on is a Windows Server, I can confirm it happens on Server 2008R2, Server 2012 and Server 2016. What is more odd is I originally dismissed Sophos due to disabling Sophos via the console login with the tamper protection password and still seeing the issue, basically I can completely disable Sophos and the issue is still there.

However up Microsofts request I uninstalled Sophos, magically the issue disappeared, I then reinstalled and there is was again.

Any Ideas?

This thread was automatically locked due to age.

Parents

0 jak over 4 years ago

What does "completely disable Sophos" mean? Disable all the user mode services from services.msc and reboot?

What OS is the client? Are Win 7 and Win 10 equally impacted?

Does the client have HMPA installed? If so, the first thing I would do is rename hmpalert.sys in \windows\system32\drivers and reboot.
With the HMPA driver not loaded it will not inject the HMPA dll into processes which would include Explorer.
Rulling out HMPA would be the first thing I would try.

Regards,

Jak
Cancel
Vote Up 0 Vote Down

Cancel
0 Badrobot over 4 years ago in reply to jak

Does the client have HMPA installed? Yes

If so, the first thing I would do is rename hmpalert.sys in \windows\system32\drivers and reboot.

Tried, no change in issue.

Respectfully,

Badrobot
Cancel
Vote Up 0 Vote Down

Cancel
0 jak over 4 years ago in reply to Badrobot

OK, so that pretty much rules out HMPA as the cause, I suppose, you can rename back the driver and we should consider if the issue is with realtime scanning.

In the Threat Protection policy linked to the client, can you just disable:

"Enable real-time scanning"

Re-test, does that help and then disable:
"Detect malicious behavior (HIPS)"
Same polucy bur further down.

This goes most of the way to disabling the more traditional AV component. You could go one further and stop the "Sophos Anti-Virus service".

It would also be interesting to try just disbling the scannign of "remote files", which is next to the "Enable real-time scanning" option.

These options will help understand if it's the main AV component, i.e. Sophos Anti-Virus.

Regards,

Jak
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 jak over 4 years ago in reply to Badrobot

OK, so that pretty much rules out HMPA as the cause, I suppose, you can rename back the driver and we should consider if the issue is with realtime scanning.

In the Threat Protection policy linked to the client, can you just disable:

"Enable real-time scanning"

Re-test, does that help and then disable:
"Detect malicious behavior (HIPS)"
Same polucy bur further down.

This goes most of the way to disabling the more traditional AV component. You could go one further and stop the "Sophos Anti-Virus service".

It would also be interesting to try just disbling the scannign of "remote files", which is next to the "Enable real-time scanning" option.

These options will help understand if it's the main AV component, i.e. Sophos Anti-Virus.

Regards,

Jak
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Badrobot over 4 years ago in reply to jak

Hi Jak,

I have narrowed it down to File Integrity Monitoring, this is setup with default settings, I created a new group with it disabled, moved different servers in and out and tested this. I even tried with multiple accounts and win 10 computers on the connecting side. In all cases if it is enabled there is a 10 to 20 second delay when clicking apply on attributes through file explorer, i.e. read only or hidden for example. Once the server in question is removed from the enabled group the delay is gone.

Respectfully,

Badrobot
Cancel
Vote Up 0 Vote Down

Cancel
0 StephenMcKay over 4 years ago in reply to Badrobot

Hi Badrobot,

If you create a support case (bottom right), and PM me the details I can escalate it. I'm not aware of any other reports for this, but it should be straight forward to replicate based on the information you have provided.

Regards,

Stephen
Cancel
Vote Up 0 Vote Down

Cancel
0 Badrobot over 4 years ago in reply to StephenMcKay

I have already made a case #8790441

It is odd, I am wondering if it is a combination of events that cause it or what?

Respectfully,

Badrobot
Cancel
Vote Up 0 Vote Down

Cancel
0 Oliver Parke-Gailey over 4 years ago in reply to Badrobot

Hi, I thought I would add to this conversation as I am experiencing the same issue.

When changing a files attributes on our file server (ie, enabling or disabling read only), File Explorer freezes for about 30 seconds after selecting 'Apply'.

I also have 'File Integrity Monitoring' enabled.

We are using the following:

Clients - Windows 10 Enterprise with Sophos Intercept X Advanced (with base policies)

File Server - Windows Server 2012 R2 with Intercept X Advanced for Server (with base policies)
Cancel
Vote Up 0 Vote Down

Cancel
0 StephenMcKay over 4 years ago in reply to Oliver Parke-Gailey

Hi Oliver,

Thanks for adding your report to this thread, it does help us with replication and troubleshooting. I will keep this thread updated with progress.

Regards,

Stephen
Cancel
Vote Up 0 Vote Down

Cancel
0 Badrobot over 4 years ago in reply to StephenMcKay

I just want to add some specifics-

We are using

Windows 10 Pro, if we attempt to change the files from Win 10 Pro, we currently are in a migration away from 2008 R2 so we have 2008 R2, 2012 R2 and 2016 Server and the issue will occur in any of these.

Respectfully,

Badrobot
Cancel
Vote Up 0 Vote Down

Cancel
0 Badrobot over 4 years ago in reply to StephenMcKay

Has there been any movement on this?

Respectfully,

Badrobot
Cancel
Vote Up 0 Vote Down

Cancel
0 StephenMcKay over 4 years ago in reply to Badrobot

Let me check with the team tomorrow and provide an update.

We were looking at replication of the issue in house as well as escalating the case.

Regards,

Stephen
Cancel
Vote Up 0 Vote Down

Cancel
0 Badrobot over 4 years ago in reply to StephenMcKay

I have noticed other issues based on licensing, i.e. Win 10 Pro vs Win 10 Enterprise, something to consider when looking into in house replication. For example I seen a different issue with DLP and using Office 365 for Business licensing where you could not make changes to make it work but you could with e5 licensing.

Respectfully,

Badrobot
Cancel
Vote Up 0 Vote Down

Cancel
0 Oliver Parke-Gailey over 4 years ago in reply to StephenMcKay

Was there any update or resolution for this issue at all?
Cancel
Vote Up 0 Vote Down

Cancel