
Issues with server protection on file server

Has anyone seen any issues with Sophos Central on file servers? 

We moved from the on-premises version of Sophos to the Sophos Cloud version. When I updated our main file servers we started running into an issue where a server would stop serving files after a while (a few hours on the most active one/two weeks on another). When on the desktop of the server everything seems fine. No CPU/memory/disk issue, \\server\share works fine locally.

Remotely \\server\share just hangs for 30+ seconds until the connection times out. Nothing seems to get the server running again except rebooting the whole thing. It will then work fine for a while then break. I can't find anything in the event log or Sophos logging to point me in the direction of what is breaking.

After I uninstalled Sophos on the busiest server the issue hasn't returned.  

 

Has anyone run into anything similar? 

 

I do have a ticket created with support. At this point they just want me to test disabling features one by one until I can narrow the problem down. I am trying to recreate the issue without needing actual user traffic. I personally suspect the Cryptoguard (Intercept X?) since that is the part that is also causing us grief on the client side.



  • We are having the same issue on a Server 2008R2 file server. It must have been an update from Sophos that triggered it because it was running fine until a week ago. We were able to remote into the server, but the users were unable to access the shares. There were no Cryptoguard or Sophos AV errors in the logs. Rebooting the server cleared the issue for a few hours but ultimately the issue returned. We removed Sophos AV entirely yesterday and 24 hours later the server is still running well. We will reinstall the AV and disable the Cryptoguard function and hope for the best. On the client side, we have about 60 computers (Win 10 and Win7) so far that become unusable after enabling Intercept-X. We spent many hours on the phone with support but it is clear that the support team is not familiar enough with Intercept-X to support it. I have a request for a refund of the advanced portion of our licensing because it is causing us so many random problems. Maybe in another year it will be ready.

     

  • In late September support said they have a few customers reporting the issue.   I could recreate the problem in a lab setup and I provided those build steps to support. 

    My case is still open (#7434401). The dev team is working on it but there isn't currently an ETA.

    I currently have the Hitman Pro service disabled on the servers it was causing issues with. 

  • Hey there,

     

    I just installed the Advanced Server Protection on our fileserver (2008 R2) a few days ago (and included Cryptoguard) and have these problems:

     

    - inaccessible file shares

    -> as a result, extremely slow (to death) logon/logoff of users with roaming profiles

     

    I can see in the file share overview that some users have around 500-1500 open files during logon/logoff, sometimes even more and piling up until I kill the session.

     

    Currently I evaluate Advanced Server Protection 'cause of the Cryptoguard (had a case in a friend's company) but right now it looks unusable.

     

    Can you tell if a disabled Hitman Pro service (under services directly on the server) helped? Or will a disabled Cryptoguard in Central do the same trick?

  • Disabling the 'HitmanPro.Alert service' is what I have been doing on our servers that have the issue. Once the service is disabled the server will need to be rebooted so the file filter driver is not loaded. If Sophos pushes a program update then the service will be enabled again so you have to keep an eye out for that.

    I believe I tested just disabling Cryptoguard in the policy. I can't recall for sure if it worked or not and I can't find it in my notes. For whatever reason I settled on disabling the service and verifying the filter driver wasn't loaded.

     

    To check if the driver is loaded run 'fltmc' from the command line.  If you see 'hmpalert' on the list that means the driver is loaded. 

    >fltmc

    Filter Name                     Num Instances    Altitude    Frame
    ------------------------------  -------------  ------------  -----
    hmpalert                                3       345800         0
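
The check described in the post above (is `hmpalert` still loaded, and has an update re-enabled the service) can be scripted. This is an added example, not code from the thread or from Sophos; the function names are hypothetical, and it assumes the service display name begins with 'HitmanPro.Alert' as quoted in the post.

```powershell
# Added example (not from the thread). Run elevated on the file server:
# fltmc needs administrator rights.

function Get-LoadedFilterName {
    param([string[]]$FltmcOutput)
    # Rows after the dashed separator are filters; column 1 is the name.
    $inTable = $false
    foreach ($line in $FltmcOutput) {
        if ($line -match '^\s*-{5,}') { $inTable = $true; continue }
        if ($inTable -and $line.Trim()) { ($line.Trim() -split '\s+')[0] }
    }
}

function Test-HmpAlertWorkaround {
    param(
        [string]$FilterName  = 'hmpalert',          # driver name from the thread's fltmc output
        [string]$ServiceLike = 'HitmanPro.Alert%',  # assumed display name (WQL LIKE pattern)
        [string[]]$FltmcOutput = (& fltmc.exe)
    )
    $loaded = @(Get-LoadedFilterName $FltmcOutput) -contains $FilterName
    # Win32_Service exposes StartMode on old PowerShell versions too (e.g. on 2008 R2).
    $svc = Get-WmiObject Win32_Service -Filter "DisplayName LIKE '$ServiceLike'" |
        Select-Object -First 1
    $mode = $null; $state = $null
    if ($svc) { $mode = $svc.StartMode; $state = $svc.State }

    if ($loaded) { Write-Warning "$FilterName is loaded; reboot after disabling the service." }
    if ($svc -and $mode -ne 'Disabled') {
        Write-Warning "Service start mode is '$mode'; an update may have re-enabled it."
    }
    New-Object PSObject -Property @{
        FilterLoaded = $loaded
        ServiceFound = [bool]$svc
        StartMode    = $mode
        State        = $state
    }
}

# Constructed sample: the fltmc output as posted in the thread.
$sample = @(
    'Filter Name                     Num Instances    Altitude    Frame',
    '------------------------------  -------------  ------------  -----',
    'hmpalert                                3       345800         0'
)
Get-LoadedFilterName $sample   # parses the sample only; returns 'hmpalert'
Test-HmpAlertWorkaround        # live check on this server
```

Running `Test-HmpAlertWorkaround` from a scheduled task after each Sophos program update shows when the service has been switched back on.
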
  • Hi all,

    We can now replicate this issue thanks to the steps provided. The team have a proposed fix for this issue that is currently being reviewed; once I have more details as to a build that fixes this, I will update this thread.

    Regards,

    Stephen

  • Hi, I'm experiencing the exact same issue as this on 2008 R2, with DFS file shares freezing or hanging. The only way to resolve it is to stop the Hitman Pro service.

    This was last updated on 13 Dec 2017; has there been no further progress?

  • The last I heard from my ticket is that the issue was escalated to Critical and development was testing a fix.  If testing went well then they were hoping to release the fix in Q1 2018. That was also from early December.  I pinged support for an update.  

  • Hi Dale,

    The team has progressed this and has a solution; I am working with them to ascertain which build this will be in and a target to release this to the various products that use HMPA. As soon as I have a confirmed release schedule I will provide an update. 

    We have a release freeze during the holiday period and there is an impact following the meltdown/spectre work; these items have impacted my ability to provide an update any sooner. 

    Regards,

    Stephen

  • Stephen,

    Any updates from the team? 

  • Hi Greg, last reply from Sophos was yesterday as I chased.

    Hello Dale,

    We are trying to get an EAP version of Central Server with these improvements sometime in April. I'll let you know once things are a little more concrete. My ticket number is

    [#7653550] Intermittent SMB printers being blocked intercept X

  • Hi Greg/Dale,

    An EAP is not intended to provide a fix for customer issues. If we launch an EAP in CQ2 it will be to introduce new features and should be used on a small number of test Servers, not deployed with the expectation of fixing an issue. I will speak to support to make this clear to them. 

    I am still waiting on confirmation as to the release schedule for the fix for this issue; there is a schedule for both SEC and Central server customers to get an update to CryptoGuard in CQ2.

    Stephen

  • Hi Stephen,

     

    I would like to get a clear answer - is the Fileserver problem with Cryptoguard (Hitmanpro Service) fixed or not with a current install of Server Protection?

    To verify, on all of my servers with CryptoGuard installed (old or new, even when disabled) HitmanPro version currently is 3.6.14.616

     

    I am kind of upset - we bought the Central ADVANCED Edition especially to secure against local and remote ransomware attacks. And all I can do for now is disable it and wait for a "sometime" to be released fix for a reproducible error? Am I mistaken here?

  • Tell me about it... a fix is not going to be released until Q2 after Sophos have announced their share price for the year; they apparently don't do software releases during this period, which is highly irritating. I found disabling the service even after a short time just let it restart on the servers, have had to remove the component totally.

  • Hi Rouven,

    The current shipping version of CryptoGuard does not have the fix for this issue for Server Protection. The fix is planned to go into the latest build of CryptoGuard which is due to be released in Q2.

    Stephen

  • Hi Rouven,

    We have "only" removed CryptoGuard on our file servers. We had to remove CryptoGuard because, after disabling the service and restarting the server to deactivate the "hmpalert" driver, after a short time the service goes to "automatically" and starts the driver again.

    On the other servers (Terminal, Service, Application...) it does not seem to be so problematic. We suspect that the number of accesses and the ongoing changes in the amount of data on the file server lead to these blocks. We discovered this during or after file server migrations or when users changed several GB files.

    "You are a kind of upset" >>>> "We are more than a kind of upset"

    For 4 months, the support from Germany did not give us any information on our call for this issue that this is a bug in Sophos CryptoGuard.

    4 months of system problems, outages, lost production, financial losses, people who could not work, constant server reboots, troubleshooting by our IT, our supplier, VMware Support, Microsoft Support, Datacore Support etc.

    We then found the workaround and the confirmation that this is a Sophos problem here in this community, thank you all!

    regards, flog