Issues with server protection on file server

Has anyone seen any issues with Sophos Central on file servers? 

We moved from the on-premises version of Sophos to the Sophos Cloud version.  When I updated our main file servers we started running into an issue where a server would stop serving files after a while (a few hours on the most active one/two weeks on another).  When on the desktop of the server everything seems fine. No CPU/memory/disk issue, \\server\share works fine locally.  

Remotely \\server\share just hangs for 30+ seconds until the connection times out.   Nothing seems to get the server running again except rebooting the whole thing.  It will then work fine for a while then break.   I can't find anything in the event log or Sophos logging to point me in the direction of what is breaking.  

After I uninstalled Sophos on the busiest server the issue hasn't returned.  

Has anyone run into anything similar? 

I do have a ticket created with support.  At this point they just want me to test disabling features one by one until I can narrow the problem down.  I am trying to recreate the issue without needing actual user traffic.  I personally suspect the Cryptoguard (Intercept X?) since that is the part that is also causing us grief on the client side.

  • Hello,

    This is odd and not something that I have seen reported previously. Server Protection forum: https://community.sophos.com/products/server-protection-integration/

    You suspect that this is the CryptoGuard protection; it has local and remote protection options. If a remote attack is detected then write access of the offending IP address is blocked, however the read access is still permitted and so I wouldn't expect the browsing of the share to hang. Note: If users access via a proxy, then we might be blocking access to the proxy IP which would impact all users.

    To test this, you could disable CryptoGuardSMB on the file server. However, before you were to do that, I would expect there to be alerts on the file server that CryptoGuard has had a detection; you can clear the alert with 'Mark as Resolved' which will grant write access again - at least until another detection is made. Again, I would ensure that this is not an actual ransomware attack before allowing the offending IPs access to the file server.

    Regards,

    Stephen

  • In reply to StephenMcKay:

    On Friday afternoon I was able to get the problem to happen with the test traffic I was generating.  This time I did get an alert in the web console that CryptoGuard triggered.  This is the first time I actually got an alert.  The alert said it blocked write access from detected IP address but it really blocked read/write to everything. 

    I went to the console and resolved the alert.  The server started working for a very short time after that.  I had enough time to test from one device after it was cleared but by the time I tried a second device the server was back to blocking everything again. 

    In the Windows event log I can see where it triggered for the one device and where it was cleared but no other alerts were logged. 

    I know during the sales demo there was a tool to trigger CryptoGuard.  I am hoping support will be able to provide that tool so I can quickly test to see if just triggering CryptoGuard will cause the problem. 

  • We are having the same issue on a Server 2008R2 file server. It must have been an update from Sophos that triggered it because it was running fine until a week ago.  We were able to remote into the server, but the users were unable to access the shares. There were no Cryptoguard or Sophos AV errors in the logs.  Rebooting the server cleared the issue for a few hours but ultimately the issue returned.  We removed Sophos AV entirely yesterday and 24 hours later the server is still running good.  We will reinstall the AV and disable the Cryptoguard function and hope for the best.  On the client side, we have about 60 computers (Win 10 and Win7) so far that become unusable after enabling Intercept-X.  We spent many hours on the phone with support but it is clear that the support team is not familiar enough with Intercept-X to support it.  I have a request for a refund of the advanced portion of our licensing because it is causing us so many random problems.  Maybe in another year it will be ready.

  • In reply to Steve Roberts1:

    Hi Steve,

    I would like to understand why you are seeing these issues. Please send me a PM if you are able to spend a little time with me to try and resolve your issue.

    Regards,

    Stephen

  • In reply to Steve Roberts1:

    In late September support said they have a few customers reporting the issue.   I could recreate the problem in a lab setup and I provided those build steps to support. 

    My case is still open (#7434401). The dev team is working on it but there isn't currently an ETA. 

    I currently have the Hitman Pro service disabled on the servers it was causing issues with. 

  • In reply to GregBeck:

    Hey there,

    I just installed the Advanced Server Protection on our fileserver (2008 R2) a few days ago (and included Cryptoguard) and have these problems:

    - inaccessible file shares

    -> as a result extremely slow (to death) logon/logoff of users with roaming profiles

    I can see in the file share overview that some users have around 500-1500 open files during logon/logoff, sometimes even more and piling up until I kill the session.

    Currently I evaluate Advanced Server Protection 'cause of the Cryptoguard (had a case in a friend's company) but right now it looks unusable.

    Can you tell if a disabled Hitman Pro service (under services directly on the server) helped? Or will a disabled Cryptoguard in Central do the same trick?

  • In reply to Rouven Schuerken:

    Disabling the 'HitmanPro.Alert service' is what I have been doing on our servers that have the issue.   Once the service is disabled the server will need to be rebooted so the file filter driver is not loaded.  If Sophos pushes a program update then the service will be enabled again so you have to keep an eye out for that. 

    I believe I tested just disabling Cryptoguard in the policy.  I can't recall for sure if it worked or not and I can't find it in my notes.  For whatever reason I settled on disabling the service and verifying the filter driver wasn't loaded.

    To check if the driver is loaded run 'fltmc' from the command line.  If you see 'hmpalert' on the list that means the driver is loaded. 

    >fltmc

    Filter Name                     Num Instances    Altitude    Frame
    ------------------------------  -------------  ------------  -----
    hmpalert                                3       345800         0
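
    As an added example (not part of this thread and not Sophos tooling), the following PowerShell script automates the fltmc check above and the related concern raised later in the thread that a product update re-enables the service. It assumes Windows PowerShell 5.1 or later, an elevated session, and that the service is identified by the display name 'HitmanPro.Alert service' given in the thread; the filter name 'hmpalert' is the one shown in the fltmc output above, and the function names are my own.

```powershell
# Added example for this thread (not Sophos code). Reports whether the 'hmpalert'
# minifilter is loaded and what state the 'HitmanPro.Alert service' is in, so the
# check can be re-run (e.g. from a scheduled task) after a Sophos program update.
# Assumptions: Windows PowerShell 5.1+ (StartType property), elevated session,
# service matched by display name because the short service name is not known here.

function Get-HmpAlertState {
    # fltmc prints a blank line, a 'Filter Name ...' header and a dashed rule, then
    # one filter per line; keep only the first column (the filter name) of data lines.
    $filterNames = (& fltmc.exe filters 2>$null) |
        Where-Object { $_ -match '^\S' -and $_ -notmatch '^(Filter Name|-)' } |
        ForEach-Object { ($_ -split '\s+')[0] }

    $svc = Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'HitmanPro.Alert*' } |
        Select-Object -First 1

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        FilterLoaded   = [bool]($filterNames -contains 'hmpalert')
        ServiceName    = if ($svc) { $svc.Name }                 else { $null }
        ServiceStatus  = if ($svc) { $svc.Status.ToString() }    else { 'NotFound' }
        ServiceStartup = if ($svc) { $svc.StartType.ToString() } else { 'NotFound' }
    }
}

function Test-HmpAlertWorkaround {
    # $true when the workaround from the thread is still in effect: service disabled
    # and the minifilter not loaded. A $false result after an update means it came back.
    param([Parameter(Mandatory)] $State)
    ($State.ServiceStartup -eq 'Disabled') -and (-not $State.FilterLoaded)
}

function Disable-HmpAlertService {
    # The workaround described in the thread: disable the service, then reboot so the
    # file system filter driver is not loaded on the next boot.
    $svc = Get-Service | Where-Object { $_.DisplayName -like 'HitmanPro.Alert*' } |
        Select-Object -First 1
    if (-not $svc) { throw "HitmanPro.Alert service not found on $env:COMPUTERNAME" }
    Set-Service -Name $svc.Name -StartupType Disabled
    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    Write-Warning "'$($svc.DisplayName)' set to Disabled; reboot so the hmpalert filter unloads."
}

# Report current state and flag drift (service re-enabled or filter loaded again).
$state = Get-HmpAlertState
$state | Format-List
if (-not (Test-HmpAlertWorkaround -State $state)) {
    Write-Warning ("hmpalert active on {0} (filter loaded: {1}, startup: {2}); " +
                   "a product update may have re-enabled it." -f
                   $state.ComputerName, $state.FilterLoaded, $state.ServiceStartup)
}
```

    Running the report part on a schedule and alerting on the warning addresses the "keep an eye out for that" point above without having to log on to each server. Note that Stop-Service may be refused by the product's own tamper protection, and that the filter stays loaded until the reboot, so FilterLoaded should only be expected to flip after the server has restarted.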
  • In reply to GregBeck:

    Hi all,

    We can now replicate this issue thanks to the steps provided. The team have a proposed fix for this issue that is currently being reviewed; once I have more details as to a build that fixes this, I will update this thread.

    Regards,

    Stephen

  • In reply to StephenMcKay:

    Hi, I'm experiencing the exact same issue as this: 2008 R2 with DFS file shares freezing or hanging. The only way to resolve it is to stop the HitmanPro service.


    This was last updated on 13 Dec 2017; has there been no further progress?

  • In reply to dale roberts:

    The last I heard from my ticket is that the issue was escalated to Critical and development was testing a fix.  If testing went well then they were hoping to release the fix in Q1 2018. That was also from early December.  I pinged support for an update.  

  • In reply to dale roberts:

    Hi Dale,

    The team has progressed this and has a solution; I am working with them to ascertain which build this will be in and a target to release this to the various products that use HMPA. As soon as I have a confirmed release schedule I will provide an update. 

    We have a release freeze during the holiday period and there is an impact following the meltdown/spectre work; these items have impacted my ability to provide an update any sooner. 

    Regards,

    Stephen

  • In reply to GregBeck:

    Hello,


    Starting from October we had the same problem as described on our file servers recurrently.

    We don't use Sophos Central but we use Sophos Enterprise Console with the Endpoint Client, and some time before we had updated our file servers to Windows Server 2016 and activated the Extrusion Prevention (= HitmanPro or Intercept-X). We have also updated our virtualization and storage system. So we are not sure which new services and features cause the new problem. We have spent a lot of time and resources to find out the cause of the problem. We have 1500 users and none of the production machines could work while this issue occurred, so we also had many losses in production.

    Today I was able to talk again to a Sophos support staff member. However, they have not told me whether Sophos is now the trigger for this problem or not. There are no solutions to avoid the problem in the meantime without having to reboot the server. And so far we did not know if we should continue to search through all the other services or not.

    Now I know what to do until Sophos has fixed the problem.

    THX

    regards

    flog

  • In reply to flog:

    Hi Flog, we had to disable the 'HitmanPro.Alert service' on the machine and reboot the box; this will release the Intercept-X element affecting your machine.


    From Greg Beck

    To check if the driver is loaded run 'fltmc' from the command line.  If you see 'hmpalert' on the list that means the driver is loaded. 

    >fltmc

    Filter Name                     Num Instances    Altitude    Frame
    ------------------------------  -------------  ------------  -----
    hmpalert                                3       345800         0

    I've spoken to and raised this with Sophos, who have advised there is a future release planned mid February to resolve these issues.
    This means that my project to roll out Central to our network and machines has all but stalled, which is pretty frustrating. We purchased the product in August last year; I identified this issue in October 2017 where it crapped out my file server, causing a tonne of issues.
    I reported it to support, who said it would be addressed in the last load of fixes, which did not happen.

    So to summarise: disable the service, reboot your box, and leave standard AV in place until Sophos fixes this known issue.
  • In reply to dale roberts:

    Hello Dale Roberts,

    I must remove the exploit prevention module of Sophos Endpoint Software on the file servers,
    because the disabled and stopped service 'HitmanPro.Alert service' automatically reactivates after a few days,
    and I must disable the service again on more than 12 servers.

    Regards

    flog
  • In reply to StephenMcKay:

    Stephen,

    Any updates from the team?