Windows agent reports services not running yet Central shows OK
core 2.5.4 beta
Windows 10 64 1909
Same here
Windows 10 64 1809
Have disabled the EAP, had about 3 workstations break just now.
Hi both,
Ideally, if you can provide an SDU (https://community.sophos.com/kb/en-us/33533), that will help the team troubleshoot.
Questions:
When did you join the EAP?
Please can you advise which Services the Endpoint is reporting an issue with?
Do you have the same issue on all endpoints in the EAP or only some?
Does leaving the EAP resolve the issue?
Regards,
Stephen
I uploaded an SDU through Central itself at the same time as reporting this here yesterday: d2fc5548-d616-d451-a813-3e4640b743e8_2020-01-01-21-17-09.zip
Joined the EAP back in November.
Oddly, that's part of the issue: no services appear to be offline that aren't supposed to be online.
Thank you, I have the logs and we will investigate this for you. Are you able to answer the following:
Please can you advise which Services the Endpoint is reporting an issue with?
Do you have the same issue on all endpoints in the EAP or only some?
Does leaving the EAP resolve the issue?
Regards,
Stephen
Endpoint Self Help (ESH) uses its own data to determine what services should be present based on a feature list gathered from the SophosUpdate.log file.
Sophos Health, the component that evaluates the EP for the purposes of showing the Health in the Sophos UI, maintains the status under the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\Status
I would suggest exporting or screenshotting the above key so we can see which services/processes are not as expected.
The Health log file will also detail the problem:
%ProgramData%\Sophos\Health\Logs\Health.log
Regards,
Jak
I'm not seeing this on all, currently only 1 device, which happens to be a laptop. But I'm only testing on a small handful so far. Luckily, I'm not suffering the Wi-Fi issue others are.
Here's a screenshot of the registry. Health.log attached.
As for which services, that's just it: as mentioned earlier, and as you can note in my previous screenshots, the Sophos client status shows an error complaining of services not running, but when I run the SDU everything seems green.
I haven't removed the device from the EAP yet in case development needed something else from it in this pseudo-broken state.
All seems to be OK at first glance.
From the Health log, the times when services have been reported as problematic outside of a grace period are a while back and as follows:
2019-08-19T13:20:34.896Z [ 6604] INFO EventPublisher::PostServiceEvent Posting service stopped event: c56bcfbc-711a-41f5-8005-2f2e3db1c316 Sophos Network Threat Protection
2019-10-25T03:35:05.446Z [ 6084] INFO EventPublisher::PostServiceEvent Posting service stopped event: dd806a0a-2150-49ac-9716-6a5af8c3c82e Sophos Device Control Service
2019-10-25T19:27:38.707Z [ 5648] INFO EventPublisher::PostServiceEvent Posting service stopped event: ce294ae9-e5ca-4466-b499-7eb20a33958d Sophos Device Control Service
2019-10-27T04:09:40.760Z [ 7860] INFO EventPublisher::PostServiceEvent Posting service stopped event: 231bb612-9785-46fc-b01c-e1d30dc62ee4 HitmanPro.Alert service
2019-10-27T04:09:40.760Z [ 7860] INFO EventPublisher::PostServiceEvent Posting service stopped event: ac32b6bf-c80c-4c49-a625-ec6f53b7032a Sophos Clean Service
2019-10-27T04:09:40.776Z [ 7860] INFO EventPublisher::PostServiceEvent Posting service stopped event: d3434a0f-6c9f-404c-93cf-12dae5949f22 Sophos Safestore Service
2019-11-05T05:39:10.242Z [ 7264] INFO EventPublisher::PostServiceEvent Posting service stopped event: 4176a2b6-186c-41b7-9d72-8b674d128b2e HitmanPro.Alert service
2019-11-05T05:39:10.321Z [ 7264] INFO EventPublisher::PostServiceEvent Posting service stopped event: 891a4cd5-ccbd-4576-89b5-98fae8863730 Sophos Anti-Virus
2019-11-05T05:39:10.383Z [ 7264] INFO EventPublisher::PostServiceEvent Posting service stopped event: 6556090a-a2ba-4f8a-9f54-4a411f7d0ac4 Sophos Clean Service
2019-11-05T05:39:10.461Z [ 7264] INFO EventPublisher::PostServiceEvent Posting service stopped event: 6b37ff5d-1dca-4dd3-a047-5e1a3230bfbc Sophos Safestore Service
For reference, these events will also be stored in json files under:
%ProgramData%\Sophos\Health\Event Store\Trail\
I can't see all of the service names from the registry screenshot but all the ones listed are showing the service to be running (0). The Health service is responsible for keeping that up to date. If the Health service itself isn't running you get a different state shown in the UI.
I can only see 2 "service.Sophos E..." entries; which of these 3 are the 2 you have:
I have to assume you don't have the EDR Agent, as the other 2 are part of the same component, but maybe that's the issue?
It might be worth checking the "IsRunning" values for each of the "ProcessNotification" items under:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\ProcessNotification
Given the feature list, health expects:
2020-01-02T01:30:09.161Z [ 5904] INFO ServiceCheck::Run SAU Policy Features have changed: APPCNTRL AV CLEAN CONNECT CORE DLP DVCCNTRL EFW HBT NTP SAV SDU WEBCNTRL XPD
No DISKENCRYPTION or MDR features, but you have CONNECT, which I'm not familiar with, but it was added at this time:
2019-10-20T15:15:42.778Z [ 5872] INFO ServiceCheck::Run SAU Policy Features have changed: APPCNTRL AV CLEAN CORE DLP DVCCNTRL EFW HBT NTP SAV SDU WEBCNTRL XPD
2019-10-20T15:20:13.422Z [ 5872] INFO ServiceCheck::Run SAU Policy Features have changed: APPCNTRL AV CLEAN CONNECT CORE DLP DVCCNTRL EFW HBT NTP SAV SDU WEBCNTRL XPD
I assume this list is mirrored in the Features reg value under: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\Service\PolicyFeatures?
You can always stop the Health service and delete/rename the SQLite Events.db under %ProgramData%\Sophos\Health\Event Store\Database\ to reset the state, but it would be interesting to know why the state is as it is.
Quite odd; no real idea from what you have added.
Jak
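Pulling together the checks Jak describes above (the Health\Status values, the ProcessNotification IsRunning values, and the "service stopped" and "Policy Features have changed" lines in Health.log), here is an added PowerShell script for reading them in one pass on the affected endpoint. It is example code written for this thread, not a Sophos tool. The registry paths and log path are the ones quoted in the thread; the reading of a Status value of 0 as "running" is what Jak states, while the meaning of IsRunning is not stated in the thread, so the script only prints it. The embedded sample lines are copied from the Health.log excerpt above and are used only when the real log is absent.

```powershell
# Added example for this thread, not Sophos code. Run in an elevated PowerShell
# on the endpoint; paths and key names are those quoted in the thread.
$HealthStatusKey  = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\Health\Status'
$ProcessNotifyKey = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\Health\ProcessNotification'
$HealthLogPath    = Join-Path $env:ProgramData 'Sophos\Health\Logs\Health.log'

function Get-SophosHealthStatus {
    # One object per value under Health\Status. Per the thread, 0 means the
    # service is running, so anything non-zero is what the UI would flag.
    if (-not (Test-Path $HealthStatusKey)) { return @() }
    $item = Get-Item -Path $HealthStatusKey
    foreach ($name in $item.GetValueNames()) {
        $value = $item.GetValue($name)
        [pscustomobject]@{ Name = $name; Value = $value; Healthy = ($value -eq 0) }
    }
}

function Get-SophosProcessNotificationState {
    # Lists the IsRunning value of each ProcessNotification subkey. The thread
    # does not define its encoding, so the raw value is reported, not judged.
    if (-not (Test-Path $ProcessNotifyKey)) { return @() }
    Get-ChildItem -Path $ProcessNotifyKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{ Process = $_.PSChildName; IsRunning = $props.IsRunning }
    }
}

function ConvertFrom-HealthLogStoppedEvents {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Matches the line shape quoted in the thread:
    # <ISO timestamp> [ <pid>] INFO EventPublisher::PostServiceEvent Posting service stopped event: <guid> <service>
    $pattern = '^(?<ts>\S+)\s+\[\s*(?<pid>\d+)\]\s+INFO\s+EventPublisher::PostServiceEvent\s+' +
               'Posting service stopped event:\s+(?<id>[0-9a-fA-F-]{36})\s+(?<svc>.+)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time    = [datetimeoffset]::Parse($Matches.ts, [cultureinfo]::InvariantCulture)
                Service = $Matches.svc.Trim()
                EventId = $Matches.id
            }
        }
    }
}

function Get-LatestFeatureList {
    param([Parameter(Mandatory)][string[]]$Lines)
    # The last "SAU Policy Features have changed" line is the feature set Health
    # currently expects; returned as individual tokens (APPCNTRL, AV, ...).
    $last = $Lines | Where-Object { $_ -like '*ServiceCheck::Run SAU Policy Features have changed:*' } |
            Select-Object -Last 1
    if ($last -and $last -match 'have changed:\s*(?<f>.+)$') { return @($Matches.f.Trim() -split '\s+') }
    return @()
}

# Constructed offline input: lines copied from the Health.log excerpt quoted in
# the thread. On a real endpoint the actual log file is read instead.
$sampleLines = @(
    '2019-10-27T04:09:40.760Z [ 7860] INFO EventPublisher::PostServiceEvent Posting service stopped event: 231bb612-9785-46fc-b01c-e1d30dc62ee4 HitmanPro.Alert service',
    '2019-11-05T05:39:10.321Z [ 7264] INFO EventPublisher::PostServiceEvent Posting service stopped event: 891a4cd5-ccbd-4576-89b5-98fae8863730 Sophos Anti-Virus',
    '2020-01-02T01:30:09.161Z [ 5904] INFO ServiceCheck::Run SAU Policy Features have changed: APPCNTRL AV CLEAN CONNECT CORE DLP DVCCNTRL EFW HBT NTP SAV SDU WEBCNTRL XPD'
)
$lines = if (Test-Path $HealthLogPath) { Get-Content -Path $HealthLogPath } else { $sampleLines }

Write-Host "== Service stopped events per service (most recent first) =="
ConvertFrom-HealthLogStoppedEvents -Lines $lines |
    Group-Object Service |
    ForEach-Object {
        $latest = $_.Group | Sort-Object Time | Select-Object -Last 1
        [pscustomobject]@{ Service = $_.Name; Stops = $_.Count; LastStop = $latest.Time }
    } | Sort-Object LastStop -Descending | Format-Table -AutoSize

Write-Host "== Features Health currently expects =="
(Get-LatestFeatureList -Lines $lines) -join ' '

Write-Host "== Health\Status values that are not 0 (running) =="
Get-SophosHealthStatus | Where-Object { -not $_.Healthy } | Format-Table -AutoSize

Write-Host "== ProcessNotification IsRunning values =="
Get-SophosProcessNotificationState | Format-Table -AutoSize
```

Compare the feature tokens printed against the PolicyFeatures value under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\Service (which Jak assumes mirrors the log), and check whether every feature in that list has a corresponding entry under Health\Status; a feature that is expected but has no status entry, or a non-zero status on a service the SDU shows as running, is the discrepancy worth attaching to the case alongside the Health.log.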