Issue with Sophos Locking up Computers?

Started by Jeff Zylstra, March 11, 2013, 04:37:25 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Jeff Zylstra

Anyone had issues with SAV On-Access component locking up computers with Event ID 85 messages?

EVENT ID 563 -  Communication error between on-access driver and service for access of registry key [TWARE\Sophos\SAVService\PP Message] by process ALMon.exe.

EVENT ID 563 -  Communication error between on-access driver and service for access of registry value [-8a4b-b43877bcb1b7 FlushCacheFiles] by process svchost.exe.

EVENT ID 85 File [...stem32\sppsvc.exe]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process svchost.exe, (start check timestamp [ 1ce1e67c73926c0]).

The machine locks up for 10-15 minutes.  Has anyone else seen this?
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Bloody Jack Kidd

Sysadmin - Parallel42

Jeff Zylstra

Quote from: Bloody Jack Kidd on March 11, 2013, 06:53:05 PM
YES!

Since that was not followed with a "here's how we fixed it" comment, I'm guessing that we're in deep yogurt again and that a fix won't be forthcoming.  I Googled the event IDs and and found issues going back to 2009, which doesn't thrill me.  Supposedly that one was because of an errant HIPS rule which was supposedly fixed.  I installed a Sophos utility to gather logs and Emailed to support, so I hope to be hearing back from them soon. 

I noticed that on both of the offending machines that it starts out with Outlook 2010 becoming unresponsive.  Something about the search indexer in Outlook being stopped or delayed by Sophos On Access. There was also an event ID message about the Intel network cards losing connection momentarily.  I will be updating the NIC drivers shortly in hopes that will fix it as well. I will share results back here, but if anyone has any recommendations, I'm all ears.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Bloody Jack Kidd

It seems esp. noticeable for us during enterprise-wide updates - like when you change a policy. Sophos has low-level hooks in a few places and for some reason during an update it appears to disrupt communications and then begins yelling at itself.

Kind of like a crazy, drunk, homeless dude... 
Sysadmin - Parallel42

Mark

Quote from: Jeff Zylstra on March 12, 2013, 09:59:54 AM
...if anyone has any recommendations, I'm all ears.

Symantec Endpoint Protection.  Number of times I've had any problems similar to this, or to AVG flagging TAM files: ZER0.

Serious recommendation?  Sorry, I have none.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Zylstra

Quote from: Bloody Jack Kidd on March 12, 2013, 10:08:12 AM
It seems esp. noticeable for us during enterprise-wide updates - like when you change a policy. Sophos has low-level hooks in a few places and for some reason during an update it appears to disrupt communications and then begins yelling at itself.

Kind of like a crazy, drunk, homeless dude...

Yes, during group policy updates, it sometimes flakes out as well.  Since that often times happens at start up, along with the network connectivity issue, I'm guessing that these could be related.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Jeff Zylstra

Still haven't heard a word back from support.  I fear that this is another unfixed problem that will drag on.  NOT happy with Sophos! 

On another not, I turned off the HIPS, heuristic scanning for on access files early this morning.  The System Event Viewer logs show that the errors happen 15 minutes after the computer boots up in the morning when HIPS is turned on, so my guess is that it IS an errant HIPS rule that was recently released. 

In checking logs, I see that several more computer have the issue as well, but only 2 of them lock up because of it.  It seems to have something to do with Outlook's search indexer that makes it lock up.  If anyone else is having issues, please post specifics.  Thank you.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Ben Thoele

Are you running one of the newer versions?  We run Sophos and it seems like there has been a steady increase in the number of problems with the software.  On the other hand Sophos seems to catch a lot of stuff other products don't.  For instance, remember when the ASCnet site was infected, Sophos Endpoint detected that.  Many other people had no clue since their AV didn't detect infected sites.

Ben Thoele, I.T. Coordinator
TAM 12.2
33 Users
Mahowald Insurance
Saint Cloud, MN

Jeff Zylstra

Quote from: Ben Thoele on March 13, 2013, 05:08:12 PM
Are you running one of the newer versions?  We run Sophos and it seems like there has been a steady increase in the number of problems with the software.  On the other hand Sophos seems to catch a lot of stuff other products don't.  For instance, remember when the ASCnet site was infected, Sophos Endpoint detected that.  Many other people had no clue since their AV didn't detect infected sites.

We are running 10.5 maybe?  Whatever the newest version is.  And yes, the website link detection is good and seems to catch some nasty sites which I appreciate. I just can't have this kind of stuff happening all the time.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Bloody Jack Kidd

10.0 is the recommended latest branch, whereas 10.2 is the bleeding edge - 10.2 is req'd if you are pushing it out via SEC to Windows 8 / 2012 systems.
Sysadmin - Parallel42

Mark

Quote from: Ben Thoele on March 13, 2013, 05:08:12 PM
...remember when the ASCnet site was infected, Sophos Endpoint detected that.  Many other people had no clue since their AV didn't detect infected sites.

Symantec Endpoint Protection 11 (current is 12 or something) detected that.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Bob

AVG did too.  I like how AVG becomes one with the OS making difficult to disable. 

We used Sophos back before popular with NAUGAS/ASCnet and pushed it on the old forums.   It's had it's issues with performance and mistakes so we migrated to AVG Pro and no regrets.  Like all the AVs just need to add exclusion for TAM share or it will quarantine tam chat and sometimes tam.com.

Mark

The only AV I will actually talk smack about or complain about is going to be McAfee.  And I have enough solid reasons for that.  I just like to bring up Symantec kind of a lot because "everyone HATES Symantec" but they are the only one I've never had problems with and the only one I'll use (for now at least).  To be clear, I'm talking SYMANTEC.  Norton is a whole 'nother thing.  Wouldn't touch it if I was paid to (unless it's a lot of money! ;D)
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Zylstra

Quote from: Bloody Jack Kidd on March 13, 2013, 06:42:21 PM
10.0 is the recommended latest branch, whereas 10.2 is the bleeding edge - 10.2 is req'd if you are pushing it out via SEC to Windows 8 / 2012 systems.

Thanks, Rick.  I guess I'm bleeding because I chose bleeding edge - version 10.2.5.   It appears that the one thing the 2 problem child machines have in common is an error message that a Sophos update did not apply.   Error 000000006a and 0000006b.  Both machines say that they have update successfully since then, but I just uninstalled and reinstalled Sophos on these 2 machines.  So far so good, and it has made it past the usual 15 minutes after boot up when it would start to act up, so I am very encouraged.

I must admit that both machines were not members of the SophosAdministrator group, so that could definitely have been the issue why anything more serious than definition updates did not get installed.  Plus, one of the users was a new user too, so it could have been operator/administrator error on my part.

I kick myself for not having the gumption to check the installation history before this.  I just can't believe that I was the one who had to discover this.  It seems like a uninstall/reinstall would have been first on their trouble shooting list, since it took less than 10 minutes on a machine that has been unusable half of the time.  Oh well.  I'm hoping it is fixed now and I can move on.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Jeff Zylstra

An update.... 

I have continued to experience lockups, and it has spread to 3rd computer.  Apparently and as Rick has indicated, it is version 10.2.5 that is the culprit.  It has something to do with shares that are excluded from scanning using the "on access" file scanning.  I have removed the exclusions (which were TAM related), and everything is OK for the moment.  The tech said that version 10.2.6 is supposed to be released this afternoon, which fixes this issue. 

The other fix was to roll back to verion 10.2.4, which I am unable to do because I run "Sophos Control Center" instead of "Enterprise Console".  I am downloading Enterprise Console as we speak and will be upgrading this week.   Apparently they are sun-setting Control Center soon which is OK with me because no one ever knows how to find things there when I call.  Just thought everyone would want to know since there are some other Sophos users here.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Ben Thoele

Quote from: Jeff Zylstra on March 19, 2013, 10:22:26 AM
An update.... 

I have continued to experience lockups, and it has spread to 3rd computer.  Apparently and as Rick has indicated, it is version 10.2.5 that is the culprit.  It has something to do with shares that are excluded from scanning using the "on access" file scanning.  I have removed the exclusions (which were TAM related), and everything is OK for the moment.  The tech said that version 10.2.6 is supposed to be released this afternoon, which fixes this issue. 

The other fix was to roll back to verion 10.2.4, which I am unable to do because I run "Sophos Control Center" instead of "Enterprise Console".  I am downloading Enterprise Console as we speak and will be upgrading this week.   Apparently they are sun-setting Control Center soon which is OK with me because no one ever knows how to find things there when I call.  Just thought everyone would want to know since there are some other Sophos users here.

Do you get Patch Assessment with Control Center?  That is the coolest thing.  I run Enterprise Console.  I've also thought about running the Astaro appliance.
Ben Thoele, I.T. Coordinator
TAM 12.2
33 Users
Mahowald Insurance
Saint Cloud, MN

Bloody Jack Kidd

Quote from: Ben Thoele on March 19, 2013, 10:30:50 AM

Do you get Patch Assessment with Control Center?  That is the coolest thing.  I run Enterprise Console.  I've also thought about running the Astaro appliance.

You can download the UTM software that the appliance runs and install it on just about any hardware with reasonable specs "for home use" - good way to test the appliance.
Sysadmin - Parallel42

Jeff Zylstra

Quote from: Ben Thoele on March 19, 2013, 10:30:50 AM
Quote from: Jeff Zylstra on March 19, 2013, 10:22:26 AM
An update.... 

I have continued to experience lockups, and it has spread to 3rd computer.  Apparently and as Rick has indicated, it is version 10.2.5 that is the culprit.  It has something to do with shares that are excluded from scanning using the "on access" file scanning.  I have removed the exclusions (which were TAM related), and everything is OK for the moment.  The tech said that version 10.2.6 is supposed to be released this afternoon, which fixes this issue. 

The other fix was to roll back to verion 10.2.4, which I am unable to do because I run "Sophos Control Center" instead of "Enterprise Console".  I am downloading Enterprise Console as we speak and will be upgrading this week.   Apparently they are sun-setting Control Center soon which is OK with me because no one ever knows how to find things there when I call.  Just thought everyone would want to know since there are some other Sophos users here.

Do you get Patch Assessment with Control Center?  That is the coolest thing.  I run Enterprise Console.  I've also thought about running the Astaro appliance.

What!?  I thought Rick was a genius, and now I find out he's getting insider information through patch assessment?  That's cheating!  ;)   

In answer to your question, no, control center is rather bare bones.  No patch assessment, no additional tools, and no customizations as it only supports one policy for all machines.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Jeff Zylstra

Quote from: Bloody Jack Kidd on March 19, 2013, 10:32:59 AM
Quote from: Ben Thoele on March 19, 2013, 10:30:50 AM

Do you get Patch Assessment with Control Center?  That is the coolest thing.  I run Enterprise Console.  I've also thought about running the Astaro appliance.

You can download the UTM software that the appliance runs and install it on just about any hardware with reasonable specs "for home use" - good way to test the appliance.

OK.  Maybe he is a genius.   ;)
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop