10.0.3 Update - SophosScanD stopped

Immediately after an autoupdate installed 10.0.3, SophosScanD is now no longer able to run. When I run the diagnostic tool, it says the System Extensions "Sophos Scan Extension" and "Sophos Network Extension" aren't met, but under privacy settings all Sophos services and extensions are checked.

  • Hi Sam,

    Can you let us know the output to:

    systemextensionsctl list

    Are you using any MDM solutions such as JAMF?

    An SDU would be helpful for our investigation:

    • Go into Central, find the device, and click on the generate SDU button
    • Once the SDU is uploaded, post the file name here so we can extract it and take a look
  • 2 extension(s)
    --- com.apple.system_extension.network_extension
    enabled active teamID bundleID (version) name [state]
    * 2H5GFH3774 com.sophos.endpoint.networkextension (10.0.3/221820) networkextension [activated waiting for user]
    --- com.apple.system_extension.endpoint_security
    enabled active teamID bundleID (version) name [state]
    * 2H5GFH3774 com.sophos.endpoint.scanextension (10.0.3/221821) com.sophos.endpoint.scanextension [activated waiting for user]

    Yes, we use WorkspaceOne for our MDM

  • Hi Sam,

    Thanks for the info, it looks like the upgrade was performed successfully but macOS is requiring an acknowledgement from the user in order to run the updated Scan Extension.

    Is there a notification on the General tab of macOS' Security & Privacy panel? If so, could you follow it through and let me know if that helps?

  • Hi David - our Mac users are not receiving any notification messages, but are now experiencing web browsing issues. The Sophos Network Extension is at CPU 95% and systems are becoming unusable. We've disabled Web Control with no change. What else should we look at?

  • Same behaviour was seen on most of the devices running Big Sur and Sophos EAP.

    These are showing in their status that SophosScanD is not started.

    "Not started: SophosScanD"

    Devices are enrolled and managed by M365 Intune.

  • Hi Nicholas,

    The problem appears to be in the authorization for the scan extension, as shown in the command line output. If it's not authorized it won't run, and that in turn prevents SophosScanD from running correctly.

    If the General tab of macOS' Security & Privacy panel doesn't show anything then perhaps that's something that could be done via MDM - our IT department uses JAMF and is working on allowing/authorizing via that.
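
The replies above read `[activated waiting for user]` in the `systemextensionsctl list` output as the reason SophosScanD does not start. As an added example (not part of any post in this thread and not Sophos code), this shell function filters that output for extensions that are not yet authorized; it assumes `[activated enabled]` is the healthy state, and the third sample row is constructed.

```shell
#!/bin/sh
# Added example. Reads `systemextensionsctl list` output on stdin and prints
# "bundleID<TAB>state" for every system extension whose state is not
# "activated enabled" (assumed here to be the healthy, authorized state).
pending_extensions() {
    awk '
        /^[ \t]*---/        { next }   # category separator line
        /^[ \t]*enabled[ \t]/ { next } # column header line
        {
            # The state is the bracketed text that ends the line.
            if (!match($0, /\[[^]]*\][ \t]*$/)) next
            state = substr($0, RSTART, RLENGTH)
            sub(/^\[/, "", state)
            sub(/\][ \t]*$/, "", state)
            # The bundleID is the field right before the "(version)" field.
            bundle = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^\(/) { bundle = $(i - 1); break }
            if (bundle != "" && state != "activated enabled")
                printf "%s\t%s\n", bundle, state
        }
    '
}

# Sample input: the two Sophos rows are the output posted in this thread;
# the com.example.filter row is constructed to show an authorized extension.
sample_output() {
    cat <<'EOF'
3 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* 2H5GFH3774 com.sophos.endpoint.networkextension (10.0.3/221820) networkextension [activated waiting for user]
* * EXAMPLE123 com.example.filter (1.0/1) filter [activated enabled]
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* 2H5GFH3774 com.sophos.endpoint.scanextension (10.0.3/221821) com.sophos.endpoint.scanextension [activated waiting for user]
EOF
}

# On a Mac, replace sample_output with: systemextensionsctl list
sample_output | pending_extensions
```

An empty result means every listed extension is authorized; any line printed names an extension that still needs approval, either by the user or through an MDM profile.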

  • Hi David,

    We're noticing that all of our M1 Macs that have updated to 10.0.3 have this issue. When running systemextensionsctl, they're all showing 0 extensions.

  • Hey Roger, this is peculiar - are you able to take a look in the General tab of the Security and Privacy panel and let me know if there's anything requiring authorization?

    We'd really love to see an SDU from an affected machine, it would help a lot.

  • Hi, we see the same issue. I have to say I don't see a solution that makes sense up to now. I am extremely disappointed with Sophos support on the EAP program. Also, we don't have a choice when we install a new Mac and update, as it updates to 11.2.1 and we are stuck.


  • Hi David, I can confirm that the extensions were present in the General Tab, both SophosScanD and the WebNetworkExtension. Unfortunately for me, as soon as the Web Network Extension was enabled that clashed with Zscaler client and now I have more users complaining about Sophos ... I do have a separate ticket for the other extension but the whole thing is very disappointing.