Issues with server protection on file server

Has anyone seen any issues with Sophos Central on file servers? 

We moved from the on-premises version of Sophos to the Sophos Cloud version. When I updated our main file servers we started running into an issue where a server would stop serving files after a while (a few hours on the most active one, two weeks on another). When on the desktop of the server everything seems fine. No CPU/memory/disk issue, \\server\share works fine locally.

Remotely \\server\share just hangs for 30+ seconds until the connection times out. Nothing seems to get the server running again except rebooting the whole thing. It will then work fine for a while, then break. I can't find anything in the event log or Sophos logging to point me in the direction of what is breaking.

After I uninstalled Sophos on the busiest server the issue hasn't returned.  

 

Has anyone run into anything similar? 

 

I do have a ticket created with support. At this point they just want me to test disabling features one by one until I can narrow the problem down. I am trying to recreate the issue without needing actual user traffic. I personally suspect the Cryptoguard (Intercept X?) since that is the part that is also causing us grief on the client side.

  • In reply to GregBeck:

    Hi Greg, last reply from Sophos was yesterday as I chased.

    Hello Dale,

    We are trying to get an EAP version of Central Server with these improvements sometime in April. I'll let you know once things are a little more concrete.

    My ticket number is [#7653550] Intermittent SMB printers being blocked intercept X

  • In reply to dale roberts:

    Hi Greg/Dale,

    An EAP is not intended to provide a fix for customer issues. If we launch an EAP in CQ2 it will be to introduce new features and should be used on a small number of test Servers, not deployed with the expectation of fixing an issue. I will speak to support to make this clear to them. 

    I am still waiting on confirmation as to the release schedule for the fix for this issue; there is a schedule for both SEC and Central server customers to get an update to CryptoGuard in CQ2.

    Stephen

  • In reply to StephenMcKay:

    Hi Stephen,

     

    I would like to get a clear answer - is the Fileserver problem with Cryptoguard (Hitmanpro Service) fixed or not with a current install of Server Protection?

    To verify, on all of my servers with CryptoGuard installed (old or new, even when disabled) HitmanPro version currently is 3.6.14.616

     

    I am kind of upset - we bought the Central ADVANCED Edition especially to secure against local and remote ransomware attacks. And all I can do for now is disable it and wait for a "sometime" to be released fix for a reproducible error? Am I mistaken here?

  • In reply to Rouven Schuerken:

    Tell me about it... a fix is not going to be released until Q2 after Sophos have announced their share price for the year, they apparently don't do software releases during this period which is highly irritating. I found disabling the service even after a short time just let it restart on the servers, have had to remove the component totally.

  • In reply to Rouven Schuerken:

    Hi Rouven,

    The current shipping version of CryptoGuard does not have the fix for this issue for Server Protection. The fix is planned to go into the latest build of CryptoGuard which is due to be released in Q2.

    Stephen

  • In reply to Rouven Schuerken:

    Hi Rouven,

    We have "only" removed the CryptoGuard on our file servers. We must remove the CryptoGuard because, when disabling the service and restarting the server to deactivate the "hmpalert" driver, after a short time the service goes to "automatically" and starts the driver again.

    On the other Servers (Terminal, Service, Application...) it does not seem to be so problematic. We suspect that it comes to the number of accesses and the current change in the amount of data on the file server to this blocks. We discovered this during or after file server migrations or when users changed several GB files.

    "You are a kind of upset" >>>> "We are more than a Kind of upset"

    The support from Germany, 4 months, did not give us any information about our call for this issue, that this is a bug in Sophos CryptoGuard.

    4 months system problems, outages, lost production, financial losses, people who could not work, constant server reboots, troubleshooting by our IT, our supplier, VMware Support, Microsoft Support, Datacore Support ecc.

    We then found the workaround and the confirmation that this is a Sophos problem here in this community, thx you all!

    regards, flog

  • We are using Sophos Central and just purchased and pushed Server Advanced to all of our servers thinking the Cryptoguard feature will be awesome to protect against ransomware. Well, to our surprise it has done nothing but bring both of our file servers to their knees every 2 to 5 hours. The issue happening is exactly as described in this thread. Our users and paperless management system make hundreds of changes throughout the day and this seems to be causing Sophos to bring the shares down. Sophos does not report any alerts during this time and only a reboot will fix it. Removed Sophos and the issue is gone. Any news on a fix for this issue??

    Sophos support really needs an overhaul. If you're going to have a product like this, put a team together that can support it. I've had several issues with Sophos and I've had to solve all of them on my own. Sucks, as the product has a lot of potential.

  • In reply to Wade Kappenman:

    Wade,

    Out of curiosity what OS are the servers you are having problems with running?  In our environment it is our 2008R2 servers.   When testing I could recreate the problem on 2008R2 but not when I tried 2012R2. 

     

     

  • In reply to GregBeck:

    They are all Windows Server 2008 R2 Standard. 

  • In reply to GregBeck:

    GregBeck,

     

    We have the issue on all file servers with Windows Server 2016 Version 1607.

    We don't have any more file servers with Windows Server 2008 R2.

    We have two file servers with Windows Server 2012 and I cannot confirm that we had problems with these, I'm not sure.

     

    Wade Kappenman,

    We have only removed the CryptoGuard and restarted the server afterwards.

    Check with "fltmc" from the command line if the driver hmpalert is NOT loaded. GregBeck describes this in his post.

     

    regards

    flog
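
The check flog describes, written as a repeatable script (an added example, not part of the original posts and not Sophos tooling). It parses `fltmc filters` for the `hmpalert` filter named in the thread and reports the driver's start mode, since several posters found the component re-enabling itself; treating the driver service name as identical to the filter name is an assumption.

```powershell
# Added example, not Sophos tooling. Run from an elevated PowerShell prompt.
# Assumption: the driver service has the same name as the filter ("hmpalert").
param([string]$FilterName = 'hmpalert')

function Get-LoadedFilter {
    param([string[]]$FltmcLines)
    $inTable = $false
    foreach ($line in $FltmcLines) {
        # Data rows follow the dashed separator under the column headers.
        if ($line -match '^-{3,}') { $inTable = $true; continue }
        if ($inTable -and $line.Trim()) {
            # First whitespace-separated token of a row is the filter name.
            [pscustomobject]@{ Name = (-split $line)[0]; Row = $line.Trim() }
        }
    }
}

# fltmc needs administrative rights; a non-zero exit code means no usable list.
$raw = & fltmc.exe filters 2>&1
if ($LASTEXITCODE -ne 0) { throw "fltmc failed (is the session elevated?): $raw" }

$filter = Get-LoadedFilter -FltmcLines $raw | Where-Object { $_.Name -ieq $FilterName }

# Driver registration and start mode show whether it can come back after a reboot.
$driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$FilterName'"

$result = [pscustomobject]@{
    Server          = $env:COMPUTERNAME
    Checked         = Get-Date -Format s
    FilterLoaded    = [bool]$filter
    DriverInstalled = [bool]$driver
    DriverState     = $driver.State      # empty when the driver is not installed
    DriverStartMode = $driver.StartMode  # e.g. Boot, System, Auto, Manual, Disabled
}
$result

# Non-zero exit when the filter is loaded, so a scheduled task can flag the server.
if ($result.FilterLoaded) { exit 1 }
```

Run on a schedule, the exit code shows when the driver has returned on a server where it was removed or disabled.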

  • In reply to flog:


    I will be reinstalling Sophos this week on these servers with the Cryptoguard piece disabled to see how it goes. I do have a case open with Sophos but since I removed the AV I'll need to reinstall it with everything enabled to recreate the problem and gather logs. Hopefully they will be able to figure out a fix so we don't have to keep Cryptoguard disabled forever.

  • In reply to Wade Kappenman:

    Hello Wade Kappenman,

    deactivating the service is not enough, it reactivates after a certain time and restarts automatically! So it happened to us, after two-three days we had the same problems again.

    We are using Sophos Enterprise Console (inhouse) not Sophos Central (cloud), it is possible that the Installpackage components are different?

    I have had a case open with Sophos since October and have already given them some packages (SDUs from more than 5 different file servers, terminal servers and client PCs). Sophos Support told me that development has enough of them. But of course you should also send an SDU of your situation.

    I have not heard anything since December from Support in Germany. :-(

    I have open a second case in Italy, they confirm me that Sophos is in the "Fixing Phase" :-)

    Here the answer from 23.Feb 2018:

    Good evening, the behavior you have described relates to a known problem that is currently being resolved. To prevent the problem from occurring, it is necessary to disable the "Cryptoguard" component, which is causing the slowness or hanging on the shares, until the problem is resolved by an update of the Cryptoguard component. In the meantime I noticed that you have opened a similar ticket (although it is in German, it seems to me to refer to the same problem) and that the ticket has already been escalated. You should receive information on the other ticket automatically once the problem has been definitively resolved; please let me know whether you prefer to wait for updates on this report or on the one opened with German support. For any further clarification I remain at your disposal. Regards...

  • In reply to flog:


    Thank you for posting this. It certainly sounds like they have enough proof to get this issue resolved. I think I may just turn off the Cryptoguard feature within the server policy and wait for a fix rather than bringing my servers down again.

  • In reply to Wade Kappenman:

    Hi all,

    Thank you to those people that raised support cases and provided logs and details. The development team do have enough information, and are working on a build with a resolution in place that is currently being tested.

    As yet there is no schedule to release a fix for either SEC or Central customers. As soon as I have dates, I will update this thread.

    Regards,

    Stephen  

  • In reply to StephenMcKay:

    Stephen,

    Any news from development team?