Issues with server protection on file server

Has anyone seen any issues with Sophos Central on file servers? 

We moved from the on-premises version of Sophos to the Sophos Cloud version. When I updated our main file servers we started running into an issue where a server would stop serving files after a while (a few hours on the most active one, two weeks on another). When on the desktop of the server everything seems fine. No CPU/memory/disk issue, \\server\share works fine locally.

Remotely \\server\share just hangs for 30+ seconds until the connection times out. Nothing seems to get the server running again except rebooting the whole thing. It will then work fine for a while then break. I can't find anything in the event log or Sophos logging to point me in the direction of what is breaking.

After I uninstalled Sophos on the busiest server the issue hasn't returned.  

 

Has anyone run into anything similar? 

 

I do have a ticket created with support. At this point they just want me to test disabling features one by one until I can narrow the problem down. I am trying to recreate the issue without needing actual user traffic. I personally suspect the Cryptoguard (Intercept X?) since that is the part that is also causing us grief on the client side.



This thread was automatically locked due to age.
  • We are using Sophos Central and just purchased and pushed Server Advanced to all of our servers thinking the Cryptoguard feature will be awesome to protect against ransomware. Well, to our surprise it has done nothing but bring both of our file servers to their knees every 2 to 5 hours. The issue happening is exactly as described in this thread. Our users and paperless management system make hundreds of changes throughout the day and this seems to be causing Sophos to bring the shares down. Sophos does not report any alerts during this time and only a reboot will fix it. Removed Sophos and the issue is gone. Any news on a fix for this issue?

    Sophos support really needs an overhaul. If you're going to have a product like this, put a team together that can support it. I've had several issues with Sophos and I've had to solve all of them on my own. Sucks, as the product has a lot of potential.

  • Wade,

    Out of curiosity, what OS are the servers you are having problems with running? In our environment it is our 2008R2 servers. When testing I could recreate the problem on 2008R2 but not when I tried 2012R2.

     

     

  • flog said:

     

    Wade Kappenman,

    We have only removed the CryptoGuard and restarted the server afterwards.

    Check with "fltmc" from the command line that the driver hmpalert is NOT loaded. GregBeck describes this in his post.

     

    regards

    flog

     

    I will be reinstalling Sophos this week on these servers with the Cryptoguard piece disabled to see how it goes. I do have a case open with Sophos but since I removed the AV I'll need to reinstall it with everything enabled to recreate the problem and gather logs. Hopefully they will be able to figure out a fix so we don't have to keep Cryptoguard disabled forever.

  • Hello Wade Kappermann,

    Deactivating the service is not enough; it reactivates after a certain time and restarts automatically! So it happened to us, after two to three days we had the same problems again.

    We are using Sophos Enterprise Console (in-house), not Sophos Central (cloud). Is it possible that the install package components are different?

    I have a case open with Sophos since October and have already given you some packages (SDUs from more than 5 different file servers, terminal servers and client PCs). To me the Sophos Support said, the development has enough of it. But of course you will also send an SDU of your situation.

    I have not heard anything since December from Support in Germany. :-(

    I have opened a second case in Italy, and they confirmed to me that Sophos is in the "Fixing Phase" :-)

    Here the answer from 23.Feb 2018:

    Good evening, the behavior you have highlighted relates to a known problem that is currently being resolved. To prevent the problem from occurring, it is necessary to disable the "Cryptoguard" component, which is causing the slowness or blocking on the shares, until the problem is resolved by an update to the Cryptoguard component. In the meantime, I noticed that you have opened a similar ticket (although it is in German, it seems to me to refer to the same problem) and that the ticket has already been escalated. You should receive information on the other ticket automatically once the problem has been definitively resolved; please let me know whether you would prefer to wait for updates on this report or on the one opened with German support. For any further clarification, I remain at your disposal. Regards...
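
The check discussed in the posts above (confirm with "fltmc" that hmpalert is not loaded, and keep confirming it because the component can come back after a few days), as an added PowerShell example that is not part of the original thread or Sophos's own tooling. The script name, parameters and sample rows are constructed for illustration; only the driver name hmpalert and the fltmc command come from the thread.

```powershell
# Added example (not from the thread). Run elevated: fltmc needs administrator rights.
param(
    [string]$DriverName = 'hmpalert',  # driver name as given in the thread
    [switch]$UseSample                 # parse the constructed sample instead of live output
)

# Constructed sample in the column layout "fltmc filters" prints; values are illustrative.
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
hmpalert                                4        111111         0
luafv                                   1        135000         0
'@ -split "`r?`n"

function Get-LoadedMinifilter {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data rows: <name> <instances> <altitude> <frame>; header and dashes do not match.
        if ($line -match '^\s*(?<Name>\S+)\s+(?<Instances>\d+)\s+(?<Altitude>[\d.]+)\s+(?<Frame>\S+)') {
            [pscustomobject]@{
                Name      = $Matches.Name
                Instances = [int]$Matches.Instances
                Altitude  = $Matches.Altitude
            }
        }
    }
}

$lines = if ($UseSample) { $sample } else { & fltmc.exe filters 2>&1 | ForEach-Object { "$_" } }
$filters = @(Get-LoadedMinifilter -Lines $lines)

# An empty result means fltmc failed (for example "Access is denied" when not
# elevated); treat that as unknown rather than reporting the driver as absent.
if ($filters.Count -eq 0) {
    throw "No filter rows parsed; run elevated and check the fltmc output."
}

$hit = $filters | Where-Object { $_.Name -ieq $DriverName }
if ($hit) {
    Write-Warning ("{0} is loaded ({1} instances, altitude {2})" -f $hit.Name, $hit.Instances, $hit.Altitude)
    exit 1
}
Write-Output "$DriverName is not loaded; $($filters.Count) other minifilters are."
exit 0
```

Running it from a daily scheduled task and alerting on exit code 1 catches the case where the driver is loaded again some days after it was removed.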

  • flog said:

    Hello Wade Kappermann,

    deactivating the service is not enough, it reactivates after a certain time and restarts automatically! So it happened to us, after two-three days we had the same problems again.

    We are using Sophos Enterprise Console (inhouse) not Sophos Central (cloud), it is possible that the Installpackage components are different?

    I have been able to open with Sophos since October and I have already received some packages (SDU's from more than 5 different Fileservers and Terminalservers and Client PCs). To me the Sophos Support said, the development has enough of it. You will also send an SDU of your situation.

    I have not heard anything since December from Support in Germany. :-(

    I have open to second homes in Italy, they confirm me that Sophos is in the "Fixing Phase" :-)

    Here the answer from 23.Feb 2018:

    Good evening, the behavior you highlighted is related to a known problem in the resolution phase. To prevent the problem from occurring you need to disable the "Cryptoguard" component that is generating the problem of slowness or block on the shares until the problem will not be resolved by an update of the cryptoguard component I noticed while he opened a similar ticket (also if in German I think it refers to the same problem) and that the ticket is already scaled. Should receive information on the other ticket automatically once the problem will be permanently resolved, possibly let me know if you prefer to wait for updates on this report or on the one open to German support. For any further clarification regarding anyway I remain at your disposal Regards ..

     

    Thank you for posting this. It certainly sounds like they have enough proof to get this issue resolved. I think I may just turn off the Cryptoguard feature within the server policy and wait for a fix rather than bringing my servers down again.

  • Hi all,

    Thank you to those people that raised support cases and provided logs and details. The development team do have enough information, and are working on a build with a resolution in place that is currently being tested.

    As yet there is no schedule to release a fix for either SEC or Central customers. As soon as I have dates, I will update this thread.

    Regards,

    Stephen  

  • Stephen,

    Any news from development team?

  • Hi Greg,

    Yes, I do have an update for you. Progress is being made and the testing of this fix (and several other fixes) is now complete and a build is underway. Following our standard rollout process, this will be released to Sophos internal servers first, prior to being rolled out to customer product lines. Unfortunately I don't have firm dates yet, but I anticipate Sophos Enterprise Console managed servers receiving the fix within the next few weeks, with Sophos Central managed servers receiving the fix thereafter.

    We are due to release a Sophos Central Early Access Program (EAP) containing new features for Windows Servers next week. The current plan is to include the fix for this issue in a planned EAP “refresh” release next month, and then to the generally available product in the July timeframe. So while the timeline for the fix is not immediate, there is light at the end of the tunnel. I appreciate that you have been waiting for this fix for some time now.

    Regards

    Stephen

  • I see there is a new update for servers out on Sophos Central. Is this the update that contains our fix?

     

    Version 1.5.6 Update
    HitManPro.Alert (CryptoGuard) has been updated to address a customer issue.

  • Hi GregBeck,

    I am following up with the appropriate groups in order to confirm if that's the fix you need.  

    I will update this post as soon as I get the info. 

    Thank you very much for your patience, 

     

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support

     

  • Hi GregBeck,
     
    Here's the latest information regarding this fix: 
     
    Unfortunately, the Central Server v1.5.6 release - "HitManPro.Alert (CryptoGuard) has been updated to address a customer issue." - did not include the fix for this specific issue you are referring to.

    The development of the solution for the issue you are experiencing is almost complete, but it has not yet been released as it requires additional testing.

    The current plan is to include this fix via the Early Access Program, but we do not have the exact dates as to when that EAP version will become available right now (the desired time frame is the next couple of weeks, but this can change).
    The expected official release for the fix is on-plan for mid July (subject to change based on further testing).
     
    Please let me know if you have any additional questions. 
     
    We greatly appreciate your patience and understanding.  

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support

     

  • Hi all,

    Today we have started to release the latest build that includes a fix for this issue to the EAP. The rollout will continue until Tuesday. This is only an Early Access Program (EAP) and so shouldn't be used for production servers.

    Assuming a successful release to the EAP, I am expecting to roll it out to all customers in the next few weeks.

    Regards,

    Stephen 
