Hello guys. I am working in the IT department at a company, and have been getting this same issue quite recently. I have 20-30 tickets solved with the same issue, but there are more. I was looking for information on the internet about this, and oddly I didn't find anyone having the same problem, which means it might be a company-related, network or configuration problem. I am not in a position to have insight into the Sophos Intercept configuration, so I can't tell much about it. I am in the position where the users come with the problems :)
The problem is the following:
1. During various activities Sophos Intercept blocks something. It can be an Excel macro, a Java plugin, an SCCM install deployment; it can trigger on anything. I didn't find a pattern, and could not reproduce it intentionally.
2. During the next restart a black screen appears with 8-bit style white text on it: SOPHOS CLEAN, which is there for circa 15 seconds, then booting continues.
3. After logging in, the Workstation service cannot be started, because it has lost all of its dependencies from the registry; the registry key is simply missing. Since the Workstation service doesn't run, the Netlogon service cannot be started either, so in the end there is no network authentication on the computer.
The solution:
1. Adding back the missing registry key (previously imported from a working machine) and restarting, so the Workstation service can run, but at this point there is still no SMB.
2. Removing the Microsoft Network Client from the network center, restarting, and adding it back solves the problem, and the computer is back online.
However, even if the fix is known and doesn't take much time, the issue is pretty annoying, as it needs administrator rights to fix, which causes problems at a big company.
I made several SDU logs on several computers, but as far as I understand, there is nothing interesting in them; the blocking event is logged, but since the registry damage happens during the restart with the black screen, it's not logged there. At least I didn't see "deleting registry key now" in the log.
Windows 7 64-bit Enterprise edition is installed on every computer. The issue has been occurring since we introduced Sophos Intercept X.
Core Agent: 11.5.11
Sophos Intercept X: 3.6.10
I am not in a position to install another version or patch, or to change the configuration. My question is: what do you think about this, have you experienced this before, is it a known issue, maybe with a solution?