Problem:
Sophos service(s) and Sophos UI.exe won't start when ProfileUnity is installed and Sophos Tamper Protection (STP) is enabled. Sophos also won't get updates or appear to even be working at all. Specifics regarding the Sophos components available here: https://support.sophos.com/support/s/article/KB-000040238?language=en_US
Information:
**First, to regain full AV protection and definition updates, temporarily disable the Sophos Tamper Protection feature immediately! Sophos will then work as it did before while you make the changes needed to turn STP back on.**
There are two conflicts with STP and ProfileUnity:
- The LW filesystem filter driver operating mode, used by FlexApp and ProfileDisk
- The LW UIA service, used by Privilege Elevation, Application Restriction and App Open/Close Trigger Points
There is currently one conflict that cannot be worked around: if you use any of the modules that depend on the LW UIA service, you must keep STP disabled until Sophos and Liquidware find a compatible configuration for coexistence. Otherwise, continue below to determine the best options for re-enabling STP.
Possible Resolutions:
There are multiple avenues for resolution depending on the ProfileUnity feature-set being used in the environment.
Privilege Elevation, Application Restriction and Application Open/Close Trigger Points:
- If NONE of these ProfileUnity modules or features are required or in use, you can safely disable the Liquidware UIA Service in Services.msc on the master image, then evaluate your options under the "FlexApp and ProfileDisk" section, as a change is still required there.
- If ANY of these modules or features are required or in use, you must leave STP disabled and the LW UIA Service enabled until a compatible solution is available. Any further action listed in this KB is then optional and only preparatory for when UIA+STP compatibility is available.
FlexApp and ProfileDisk:
- If FlexApp or ProfileDisk are NOT in use, you can either follow the steps in the next bullet to preserve the ability to use these features easily in the future, OR remove the filter driver:
a. Set the "Liquidware Container Service" to Disabled in Services.msc.
b. In an elevated cmd prompt, run: sc delete cbfsfilter2017
c. Reboot, then in an elevated cmd prompt run fltmc to confirm that no entry for "cbfsfilter2017" remains.
- If FlexApp or ProfileDisk are in use (or to prepare for future), enable "MiniFilterMode" and disable "EnableMsiTracking":
a. On your master image (Program Files\ProfileUnity\Flexapp\Container Service\x64 and x86) and within the flexapp.zip in your deployment path, edit VirtFsService.exe.config: set the "MiniFilterMode" option to "True" and the "EnableMsiTracking" option to "False".
b. Also on the master image, open regedit.exe, HKLM\SYSTEM\CurrentControlSet\Services\cbfsfilter2017\Parameters and set the value named "MiniFilterMode" to 1.
c. Reboot the master image, log in as local admin and, in an elevated cmd prompt, run fltmc to confirm that no entries show as Legacy, specifically "cbfsfilter2017".
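The following PowerShell script, added here as an example and not part of Liquidware's or Sophos's own tooling, applies steps a and b on the master image and performs the step c check after the reboot. It assumes VirtFsService.exe.config uses the standard .NET `<add key="..." value="..."/>` layout and that the registry value MiniFilterMode is a REG_DWORD; the flexapp.zip in the deployment path still has to be updated separately.

```powershell
# Added example: apply MiniFilterMode / EnableMsiTracking on the master image and verify with fltmc.
# Assumptions: config uses <add key="..." value="..."/> entries; MiniFilterMode in the registry is REG_DWORD.
#Requires -RunAsAdministrator

$ConfigDirs = @(
    "$env:ProgramFiles\ProfileUnity\Flexapp\Container Service\x64",
    "$env:ProgramFiles\ProfileUnity\Flexapp\Container Service\x86"
)
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\cbfsfilter2017\Parameters'

function Set-VirtFsSetting {
    param([string]$ConfigFile, [hashtable]$Settings)
    $xml = [xml](Get-Content -LiteralPath $ConfigFile -Raw)
    foreach ($key in $Settings.Keys) {
        # Assumed layout: <add key="MiniFilterMode" value="..."/>; adjust the XPath if yours differs.
        $node = $xml.SelectSingleNode("//*[@key='$key']")
        if ($null -eq $node) { Write-Warning "$ConfigFile`: '$key' not found, edit it manually"; continue }
        $node.SetAttribute('value', $Settings[$key])
    }
    $xml.Save($ConfigFile)
}

function Test-FilterNotLegacy {
    param([string]$FilterName = 'cbfsfilter2017')
    # fltmc shows legacy (non-minifilter) drivers with <Legacy> in the Frame column.
    $line = fltmc filters | Where-Object { $_ -match "^\s*$FilterName\s" }
    if (-not $line) { return $true }   # not loaded at all (expected after sc delete)
    return ($line -notmatch '<Legacy>')
}

# Step a: config files on the master image (repeat for flexapp.zip in the deployment path).
$Wanted = @{ MiniFilterMode = 'True'; EnableMsiTracking = 'False' }
foreach ($dir in $ConfigDirs) {
    $cfg = Join-Path $dir 'VirtFsService.exe.config'
    if (Test-Path -LiteralPath $cfg) { Set-VirtFsSetting -ConfigFile $cfg -Settings $Wanted }
    else { Write-Warning "Missing: $cfg" }
}

# Step b: driver parameter in the registry.
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
Set-ItemProperty -Path $RegPath -Name MiniFilterMode -Value 1 -Type DWord

# Step c: run this check again after rebooting the master image.
if (Test-FilterNotLegacy) { 'cbfsfilter2017 is not loaded as a Legacy filter' }
else { Write-Warning 'cbfsfilter2017 still loads as Legacy; re-check steps a and b' }
```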
Product: ProfileUnity-FlexApp
Product Version: RESOLVED IN 6.8.4