
Endpoint not connecting to Sophos Central; Can't Uninstall due to Tamper Protection

I have a computer that Sophos was installed on, but it has never reported to Sophos Central (it is not listed when I search; I even got the computer's unique ID and put that into the 'https://cloud.sophos.com/manage/devices/computers/UNIQUE_id_HERE/summary' URL, but it only shows a blank page).

I checked the logs at \programdata\sophos\management communication system\endpoint\logs\, and the logs show some warnings like the one below, but that's from the 14th, so it is like Sophos isn't trying to check in?

2019-12-14T20:54:12.833Z [ 3732] WARN  The flags file 'C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\centralFlags.json' could not be opened.


Anyone know what else I should check? I tried to uninstall to just reinstall and hope that would fix it, but I can't get around Tamper Protection as there is no entry to provide a password.
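Added example (not part of the original thread): a small PowerShell helper that summarises the MCS endpoint log so you can answer the question above directly, i.e. when the agent last wrote anything and whether it is logging HTTP 401 responses from Central. It assumes the log lines follow the "<ISO timestamp> [ <pid>] <LEVEL>  <message>" layout of the line quoted in the question and that the log directory is the one the poster checked; the file names inside that directory are not stated in the thread, so every *.log file is read.

```powershell
# Added example, not from the original thread. Summarises an MCS endpoint log:
# last write time, warning/error count, and any HTTP 401 (unauthorised) responses.
# Assumptions: the "<ISO timestamp> [ <pid>] <LEVEL>  <message>" layout quoted in
# the question, and the log directory the poster checked (file names unknown).

$McsLogDir = Join-Path $env:ProgramData 'Sophos\Management Communications System\Endpoint\Logs'
$Invariant = [cultureinfo]::InvariantCulture
$AsUtc     = [System.Globalization.DateTimeStyles]::AdjustToUniversal

function Get-McsLogSummary {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    # timestamp, process id in brackets, level, free-text message
    $pattern = '^(?<ts>\d{4}-\d{2}-\d{2}T[\d:.]+Z)\s+\[\s*(?<procid>\d+)\]\s+(?<level>[A-Z]+)\s+(?<msg>.*)$'

    $entries = @(foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time      = [datetime]::Parse($Matches.ts, $Invariant, $AsUtc)
                ProcessId = [int]$Matches.procid
                Level     = $Matches.level
                Message   = $Matches.msg
            }
        }
    })
    if ($entries.Count -eq 0) {
        return [pscustomobject]@{ Entries = 0; Note = 'no parseable log lines' }
    }

    $last = $entries | Sort-Object Time | Select-Object -Last 1
    [pscustomobject]@{
        Entries        = $entries.Count
        LastEntryUtc   = $last.Time
        # A large gap here means the agent has stopped trying, not just failing.
        DaysSinceLast  = [math]::Round(($Now - $last.Time).TotalDays, 1)
        Warnings       = @($entries | Where-Object { $_.Level -in @('WARN', 'ERROR') }).Count
        # 401 from Central means the stored endpoint credentials are not accepted.
        AuthFailures   = @($entries | Where-Object { $_.Message -match '\b401\b|Unauthori[sz]ed' }).Count
        FlagsFileIssue = (@($entries | Where-Object { $_.Message -like '*centralFlags.json*' }).Count -gt 0)
    }
}

# Constructed sample: the WARN line is the one quoted in the question; the INFO
# and ERROR lines are made up for this demo and are not real Sophos log output.
$sample = @(
    "2019-12-14T20:54:01.120Z [ 3732] INFO  MCS client starting",
    "2019-12-14T20:54:12.833Z [ 3732] WARN  The flags file 'C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\centralFlags.json' could not be opened.",
    "2019-12-14T20:55:03.004Z [ 3732] ERROR Request to Central failed with HTTP status 401"
)
$asOf = [datetime]::Parse('2019-12-20T00:00:00Z', $Invariant, $AsUtc)
Get-McsLogSummary -Lines $sample -Now $asOf | Format-List

# Same summary over the real log directory, if this machine has one.
if (Test-Path $McsLogDir) {
    $real = Get-ChildItem -Path $McsLogDir -Filter '*.log' -File | Get-Content
    if ($real) { Get-McsLogSummary -Lines $real | Format-List }
}
```

The two numbers worth looking at are DaysSinceLast and AuthFailures: a log that stopped days ago with no 401s points at an agent that is not attempting to register at all, while a recent log full of 401s points at stale or unaccepted endpoint credentials, which is the case the re-registration steps later in this thread address.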



  • Hi S Carter,


       If the machine was accidentally removed from central, you should be able to find the last known Tamper Protection password here:

    Central.Sophos.com > Logs & Reports > Recover Tamper Protection Password.


    If not, you will need to boot the machine to safe mode to disable Tamper Protection: https://community.sophos.com/kb/en-us/124377

    Once Tamper Protection has been disabled, you need only run the installer through command line as per the following steps:
    1. Turn off TP
    2. Download installer from correct Central instance
    3. Run:  SophosSetup.exe --registeronly
    4. Turn on TP
    The above steps will cause the machine to register itself with Central.

    Once you see the machine in Central again, please let me know if this also resolves the Management Communication 401 error you are seeing.


    ZGV
    Community Support Engineer | Sophos Technical Support

  • I don't think it was removed (I checked the Tamper Code recovery report; didn't see it on there), but someone else may have done so.  

     

    I followed the steps to boot the machine to safe mode to disable Tamper Protection: https://community.sophos.com/kb/en-us/124377 and then rebooted normally. Sophos is now reporting some services are off (Device Control Service; Anti-Virus). The next step says to 'Turn off TP', which I'm not understanding. If I open Sophos it still needs a login to get to the admin, and if I run SophosSetup.exe --registeronly it gives an error that Tamper Protection is still enabled.

    Is there an extra step to turn off TP once I have booted back to win10 normally?  

  • Hi S Carter,

     

       Can you confirm that you performed the "Managed by Sophos Central" steps and not the Enterprise Console steps from https://community.sophos.com/kb/en-us/124377?

    It is expected behavior for the Sophos Anti-Virus service to report as stopped, as it was disabled while in safe mode; this will affect dependent services as well.

    Please let me know if performing the Central-based steps found in the above KB helps.

     

    ZGV
    Community Support Engineer | Sophos Technical Support

  • Yes, I followed the Sophos Central steps (not the Enterprise Console ones), but it looks like I missed a step in there. I went back and did that step and now Sophos does not show the 'admin' login anymore (assuming this means TP is off). Trying the --registeronly with a fresh copy of our installer I just pulled down. Hopefully that works; will let you know.

  • Tamper Protection was indeed off, it let me do the --registeronly step this time.  Wasn't sure on Re-activation/step4 (re-enable everything from step 1, even the items that were zero already?  only re-activate the ones I had needed to change? etc..), so I just uninstalled and re-installed with the latest version from our cloud instance.  Looks like it worked, the machine is now showing up in Sophos (no prior history before today though, so I'm still pretty sure it never correctly registered rather than it being deleted, but the fix worked either way).

     

    Thanks for your help!

  • Hi,

    Yes, the endpoint does re-register itself when Management communication service resumes. Feel free to reach out to us if you have any further concerns. 

    Shweta

    Community Support Engineer | Sophos Technical Support

  • Hi, I have noticed the same with one of our endpoints here. I looked in the logs of machines deleted and it doesn't show up there. I will follow the steps to disable TP, but this machine was powered off for about 3 weeks; would this have caused it to drop off the management console?

  • Hi,

    If the machine does not appear on the central dashboard, it means the endpoint would not communicate with Sophos Central. You will need to disable tamper and re-register the endpoint as stated above in this thread. Let me know how it goes. 

    Shweta

    Community Support Engineer | Sophos Technical Support

  • Hi,

    I have just followed the steps to disable TP and it still won't do it.

    I have made the registry amendments in safe mode, booted normally and still it is on, any other ideas?

  • Hi,

    After you recover the Tamper Protection password, could you please follow the steps below and see if they work for you?

    1. Stop the Sophos MCS Client service and Sophos MCS Agent Service
    2. Go to path C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist and delete the files with Credentials, EndpointIdentity.txt and those with the .xml extension
    3. Restart the Sophos MCS agent service

    After performing the above steps, the machine should appear on the Sophos Central dashboard.

    Shweta

    Community Support Engineer | Sophos Technical Support
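Added example (not part of the original thread, and not a Sophos-provided script): the three re-registration steps above written as a PowerShell function with checks, for running in an elevated session after Tamper Protection has been disabled from Central. It assumes the service names given in the post ('Sophos MCS Client' and 'Sophos MCS Agent', matched on either service name or display name), and it moves the credential, EndpointIdentity.txt and .xml files into a timestamped folder under $env:TEMP instead of deleting them, so the step can be reversed if it does not help. The agent is restarted as the post says; the client is started afterwards only if it is still stopped, which is my assumption, not the post's instruction.

```powershell
# Added example, not from the original thread: the three steps above as a script.
# Run elevated, AFTER Tamper Protection is disabled from Central; with TP on, the
# service stop and file move are blocked and the function reports that.
# Assumptions: service names as given in the post; files are moved to a backup
# folder under $env:TEMP rather than deleted (my choice, so the step is reversible).

$PersistDir  = Join-Path $env:ProgramData 'Sophos\Management Communications System\Endpoint\Persist'
$McsServices = @('Sophos MCS Client', 'Sophos MCS Agent')

function Reset-McsIdentity {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]   $Path         = $PersistDir,
        [string[]] $ServiceNames = $McsServices,
        [string]   $BackupRoot   = $env:TEMP
    )

    $svcs = Get-Service | Where-Object { $_.Name -in $ServiceNames -or $_.DisplayName -in $ServiceNames }
    if (-not $svcs) { throw 'No MCS services found; is Sophos Endpoint installed on this machine?' }

    # Step 1: stop both services. A refusal here almost always means TP is still on.
    foreach ($svc in $svcs) {
        if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Stop service')) {
            try {
                Stop-Service -Name $svc.Name -Force -ErrorAction Stop
                $svc.WaitForStatus('Stopped', [timespan]::FromSeconds(30))
            } catch {
                throw "Could not stop '$($svc.DisplayName)': $($_.Exception.Message). Is Tamper Protection still enabled?"
            }
        }
    }

    # Step 2: move (not delete) the files the post names: *Credentials*, EndpointIdentity.txt, *.xml
    $targets = Get-ChildItem -Path $Path -File | Where-Object {
        $_.Name -like '*Credentials*' -or $_.Name -eq 'EndpointIdentity.txt' -or $_.Extension -eq '.xml'
    }
    $backup = Join-Path $BackupRoot ('McsPersist-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $moved  = @()
    if ($targets -and $PSCmdlet.ShouldProcess($backup, "Move $(@($targets).Count) file(s) from $Path")) {
        New-Item -ItemType Directory -Path $backup -Force | Out-Null
        foreach ($f in $targets) {
            Move-Item -Path $f.FullName -Destination $backup -ErrorAction Stop
            $moved += $f.Name
        }
    }

    # Step 3: restart the agent (as the post says); start the client too if it stayed stopped.
    $agent  = $svcs | Where-Object { $_.DisplayName -like '*Agent*' }
    $client = $svcs | Where-Object { $_.DisplayName -like '*Client*' }
    foreach ($svc in (@($agent) + @($client))) {
        if ($svc -and $PSCmdlet.ShouldProcess($svc.DisplayName, 'Start service')) {
            Start-Service -Name $svc.Name -ErrorAction Stop
        }
    }

    # Report what happened so the result can be checked against Central afterwards.
    [pscustomobject]@{
        BackupFolder = if ($moved.Count -gt 0) { $backup } else { $null }
        MovedFiles   = $moved
        Services     = Get-Service |
            Where-Object { $_.Name -in $ServiceNames -or $_.DisplayName -in $ServiceNames } |
            Select-Object DisplayName, Status
    }
}

# Dry run first: prints what would be stopped, moved and started without doing it.
Reset-McsIdentity -WhatIf
# Then the real run:
# Reset-McsIdentity | Format-List
```

After the real run, give the agent a few minutes and then check the MCS endpoint log for a fresh registration attempt and the Central dashboard for the machine; if the function throws at step 1, go back to the safe-mode / Central instructions earlier in the thread, because Tamper Protection is still active.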

  • Hi Shweta

    I actually followed the steps to recover the TP password and this is the thing that didn't work. Any other ideas how I can do this?