This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Issues with server protection on file server

Has anyone seen any issues with Sophos Central on file servers? 

We moved from on the on premises version of Sophos to the Sophos Cloud version.  When I updated our main file servers we started running into an issue where a server would stop serving files after a while (a few hours on the most active one/two weeks on another).  When on the desktop of the server everything seems fine. No CPU/memory/disk issue, \\server\share works fine locally.  

Remotely \\server\share just hangs for 30+ seconds until the connection times out.   Nothing seems to get the server running again except rebooting the whole thing.  It will then work fine for a while then break.   I can't find anything the event log or Sophos logging to point me in the direction of what is breaking.  

After I uninstalled Sophos on the busiest server the issue hasn't returned.  

 

Has anyone run into anything similar? 

 

I do have a ticket created with support.  At this point they just want me to test disabling features one by one until I can narrow the problem down.  I am trying to recreate the issue without needing actual users traffic.  I personally suspect the Cryptoguard (Intercept X?) since that is the part that is also causing us grief on the client side.



This thread was automatically locked due to age.
Parents
  • We are having the same issue on a Server 2008R2 file server. It must have been an update from Sophos that triggered it because it was running fine until a week ago.  We were able to remote into the server, but the users were unable to access the shares. There were no Cryptoguard or Sophos Av errors in the logs.  Rebooting the server cleared the issue for a few hours but ultimately the issue returned.  We removed Sophos AV entirely yesterday and 24 hours later the server is still running good.  We will reinstall the AV and disable the Cryptogard function and hope for the best.  On the client side, we have about 60 computers (Win 10 and Win7) so far that become unusable after enabling Intercept-X.  We spent many hours on the phone with support but it is clear that the support team is not familiar enough with intercept-x to support it.  I have a request for a refund of the advanced portion of our licensing because it is causing us so many random problems.  Maybe in another year it will be ready.

     

  • In late September support said they have a few customers reporting the issue.   I could recreate the problem in a lab setup and I provided those build steps to support. 

    My case is still open (#7434401). The dev teams is working on it but there isn't currently an ETA. 

    I currently have the Hitman Pro service disabled on the servers it was causing issues with. 

  • Hi all,

    We can now replicate this issue thanks to the steps provided. The team have a proposed fix for this issue that is currently being reviewed; once i have more details as to a build that fixes this, i will update this thread.

    Regards,

    Stephen

  • Hi, i'm experiencing the exact same issue as this 2008r2 with DFS file shares freezing or hanging. only way to resolve is to stop the Hitman pro service.

     

    this was last updated the 13 dec 2017, has there been no further progress?

  • The last I heard from my ticket is that the issue was escalated to Critical and development was testing a fix.  If testing went well then they were hoping to release the fix in Q1 2018. That was also from early December.  I pinged support for an update.  

  • Hi Dale,

    The team has progressed this and has a solution; I am working with them to ascertain which build this will be in and a target to release this to the various products that use HMPA. As soon as I have a confirmed release schedule I will provide an update. 

    We have a release freeze during the holiday period and there is an impact following the meltdown/spectre work; these items have impacted my ability to provide an update any sooner. 

    Regards,

    Stephen

  • Hello,

     

    starting from October we had the same problem as described on our fileservers recurrently.

    We don´t use Sophos Central but we use Sophos Enterprise Console with the Endpoint Client, and we have updated the time before our Fileservers to Windows Server 2016 and we have activate the Extrusion Prevention (= HitmanPro or Intercept-X). We have also updated our Virtualization and Storage System. So we are not sure what new Services and Features cause the new Problem. We have spent a many time and resources to find out the cause of the Problem. We have 1500 Users and any Production Machines wasn’t can work during this issue occurs, so we also had losses many in production.

    Today I was able to talk again to a Sophos support staff. However, this has not told me whether Sophos is now the trigger for this problem or not. No solutions to avoid the problem in the meantime without having to reboot the Server. And so far we did not know if we should continue to search for all other services or not.

    Now I know what to do until Sophos has fixed the problem.

    THX

    regards

    flog

  • Hi Flog, we had to disable the Disabling the 'HitmanPro.Alert service' on the machine and reboot the box this will release the intercept-X element affecting your machine


    From Greg Beck

    To check if the driver is loaded run 'fltmc' from the command line.  If you see 'hmpalert' on the list that means the driver is loaded. 

    >fltmc

    Filter Name                     Num Instances    Altitude    Frame
    ------------------------------  -------------  ------------  -----
    hmpalert                                3       345800         0

     

    I've spoken to and raised this with Sophos Who have advised there is a future release planned mid February to resolve these issues.
    Means that my project to roll out central to our network and machines have all but stalled, which is pretty frustrating and we purchased the product in August Last year I identified this issue in october 2017 where it crapped out my file server causing a tonne of issues.
    I reported it to support said it would be addressed in the last load of fixes which did not happen.

    so to summarise disable the service reboot your box. leave standard AV in place until Sophos fixes this known issue.
  • Hello dale Roberts,

    I must remove the exploit prevention module of Sophos Enpoint Software on the File-Servers,
    because the disabled and stopped Service 'HitmanPro.Alert service' automatically reactivate after a few days,
    and I must disable the Service again on more then 12 Servers.
     
    Regards
     
    flog
  • Stephen,

    Any updates from the team? 

  • Hi Greg, last reply from Sophos was yesturday as I chased.

     

    Hello Dale,

    We are trying to get an EAP version of Central Server with these improvements sometime in April. I'll let you know once things are a little more concrete. my ticket Number is 

     

    [#7653550] Intermittent SMB printers being blocked intercept X

     

     

  • Hi Greg/Dale,

    An EAP is not intended to provide a fix for customer issues. If we launch an EAP in CQ2 it will be to introduce new features and should be used on a small number of test Servers, not deployed with the expectation of fixing an issue. I will speak to support to make this clear to them. 

    I am still waiting on confirmation as to the release schedule for the fix for this issue; there is a schedule for both SEC and Central server customers to get an update to CryptoGuard in CQ2.

    Stephen

Reply
  • Hi Greg/Dale,

    An EAP is not intended to provide a fix for customer issues. If we launch an EAP in CQ2 it will be to introduce new features and should be used on a small number of test Servers, not deployed with the expectation of fixing an issue. I will speak to support to make this clear to them. 

    I am still waiting on confirmation as to the release schedule for the fix for this issue; there is a schedule for both SEC and Central server customers to get an update to CryptoGuard in CQ2.

    Stephen

Children
  • Hi Stephen,

     

    I would like to get a clear answer - is the Fileserver problem with Cryptoguard (Hitmanpro Service) fixed or not with a current install of Server Protection?

    To verify, on all of my servers with CryptoGuard installed (old or new, even when disabled) HitmanPro version currently is 3.6.14.616

     

    I am kind of upset - we bought the Central ADVANCED Edition especially to secure against local and remote ransomware attacks. And all I can do for now is disable it and wait for a "soemtime" to be released fix for a reproducable error? Am I mistaken here?

  • Tell me about it... a fix is not going to be released until Q2 after sophos have announced their share price for the year, they apparently don't do software releases during this period which

    is highly irritating. I found disabling the service even after a short time just let it restart on the servers, have had to remove the component totally. 

  • Hi Rouven,

    The current shipping version of CryptoGuard does not have the fix for this issue for Server Protection. The fix is planned to go into the latest build of CryptoGuard which is due to be release in Q2.

    Stephen

  • Hi Rouven,

    we have "only" remove the CryptoGuard on our File-Servers. We must remove the CryptoGuard because, disabling the Service and restart the Server, to deaktivate the "hmpalert" Driver, after a short time, the Service goes to "automaticaly" and starts the Driver again. 

    On the other Servers (Terminal, Service, Application...) it does not seem to be so problematic. We suspect that it comes to the number of accesses and the current change in the amount of data on the file server to this blocks. We discovered this during or after file server migrations or when users changed several GB files.

    "You are a kind of upset" >>>> "We are more than a Kind of upset"

    The support from Germany, 4 months, did not give us any information about our call for this issue, that this is a bug in Sophos CryptoGuard.

    4 months system problems, outages, lost production, financial losses, people who could not work, constant server reboots, troubleshooting by our IT, our supplier, VMware Support, Microsoft Support, Datacore Support ecc.

    We then found the workaround and the confirmation that this is a Sophos problem here in this community, thx you all!

    regards, flog