
Issues with server protection on file server

Has anyone seen any issues with Sophos Central on file servers? 

We moved from the on-premises version of Sophos to the Sophos Cloud version.  When I updated our main file servers we started running into an issue where a server would stop serving files after a while (a few hours on the most active one, two weeks on another).  When on the desktop of the server everything seems fine. No CPU/memory/disk issue, \\server\share works fine locally.  

Remotely \\server\share just hangs for 30+ seconds until the connection times out.   Nothing seems to get the server running again except rebooting the whole thing.  It will then work fine for a while, then break.   I can't find anything in the event log or Sophos logging to point me in the direction of what is breaking.  

After I uninstalled Sophos on the busiest server the issue hasn't returned.  

Has anyone run into anything similar? 

I do have a ticket created with support.  At this point they just want me to test disabling features one by one until I can narrow the problem down.  I am trying to recreate the issue without needing actual users' traffic.  I personally suspect CryptoGuard (Intercept X?) since that is the part that is also causing us grief on the client side.



  • Hello,

    This is odd and not something that I have seen reported previously. Server Protection forum: https://community.sophos.com/products/server-protection-integration/

    You suspect that this is the CryptoGuard protection; it has local and remote protection options. If a remote attack is detected then write access of the offending IP address is blocked; however, the read access is still permitted and so I wouldn't expect the browsing of the share to hang. Note: If users access via a proxy, then we might be blocking access to the proxy IP, which would impact all users.

    To test this, you could disable CryptoGuardSMB on the file server. However, before you were to do that, I would expect there to be alerts on the file server that CryptoGuard has had a detection; you can clear the alert with 'Mark as Resolved', which will grant write access again - at least until another detection is made. Again, I would ensure that this is not an actual ransomware attack before allowing the offending IPs access to the file server.

    Regards,

    Stephen

  • On Friday afternoon I was able to get the problem to happen with the test traffic I was generating.  This time I did get an alert in the web console that CryptoGuard triggered.  This is the first time I actually got an alert.  The alert said it blocked write access from the detected IP address, but it really blocked read/write to everything. 

    I went to the console and resolved the alert.  The server started working for a very short time after that.  I had enough time to test from one device after it was cleared but by the time I tried a second device the server was back to blocking everything again. 

    In the Windows event log I can see where it triggered for the one device and where it was cleared but no other alerts were logged. 

    I know during the sales demo there was a tool to trigger CryptoGuard.  I am hoping support will be able to provide that tool so I can quickly test to see if just triggering CryptoGuard will cause the problem. 
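The two posts above disagree on whether the server blocks only writes (the alert's wording) or reads as well (what was observed). The PowerShell probe below is an added example, not from this thread or from Sophos; it runs from a remote client and tests the read path and the write path of a share separately, each under a timeout, so the hang can be classified without waiting on real user traffic. The share path and timeout are assumed values to be replaced.

```powershell
# Added example: probe read and write access to a share from a remote client,
# each with its own timeout, so a "hang" is reported as read, write or both.
# Run on a client, not on the file server. Values below are assumptions.
param(
    [string]$Share = '\\server\share',   # assumption: replace with a real UNC path
    [int]$TimeoutSeconds = 20            # assumption: below the ~30 s SMB timeout seen
)

function Invoke-WithTimeout {
    # Runs the action in a background job so a stuck SMB call cannot wedge
    # the probe; returns 'ok', 'error: <message>' or 'timeout (>N s)'.
    param([scriptblock]$Action, [object[]]$Args, [int]$Seconds)
    $job = Start-Job -ScriptBlock $Action -ArgumentList $Args
    if (Wait-Job -Job $job -Timeout $Seconds) {
        try { Receive-Job -Job $job -ErrorAction Stop | Out-Null; $result = 'ok' }
        catch { $result = "error: $($_.Exception.Message)" }
    } else {
        Stop-Job -Job $job
        $result = "timeout (>$Seconds s)"
    }
    Remove-Job -Job $job -Force
    return $result
}

function Test-ShareAccess {
    param([string]$Path, [int]$Seconds)
    # Read probe: a directory listing only, which never writes to the share.
    $read = Invoke-WithTimeout -Seconds $Seconds -Args @($Path) -Action {
        param($p) Get-ChildItem -LiteralPath $p -ErrorAction Stop | Out-Null
    }
    # Write probe: create and delete one small, clearly named file.
    $write = Invoke-WithTimeout -Seconds $Seconds -Args @($Path) -Action {
        param($p)
        $name = 'smbprobe-{0}-{1}.txt' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMddHHmmss')
        $file = Join-Path -Path $p -ChildPath $name
        Set-Content -LiteralPath $file -Value 'probe' -ErrorAction Stop
        Remove-Item -LiteralPath $file -ErrorAction Stop
    }
    [pscustomobject]@{
        Time  = Get-Date -Format 'u'
        Share = $Path
        Read  = $read
        Write = $write
    }
}

Test-ShareAccess -Path $Share -Seconds $TimeoutSeconds | Format-Table -AutoSize
```

Run it on a schedule from one client while the server is healthy and again once it is in the failed state; a 'timeout' on Read with 'ok' on Write, or timeouts on both, lines up with the CryptoGuard alert timestamps in the console and the Windows event log.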
