This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Endpoint not connecting to Sophos Central; Can't Uninstall due to Tamper Protection

I have a computer that Sophos was installed on, but it has never reported to Sophos Central (not listed when I search, I even got the computers unique ID and put that into the 'https://cloud.sophos.com/manage/devices/computers/UNIQUE_id_HERE/summary'  URL, but it only shows a blank page. )

I checked the logs at \programdata\sophos\management communication system\endpoint\logs\, and the logs show some warnings like the below, but that's from the 14th so it is like sophos isn't trying to check in?

2019-12-14T20:54:12.833Z [ 3732] WARN  The flags file 'C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\centralFlags.json' could not be opened.

 

Anyone know what else I should check?  I tried to uninstall to just reinstall and hope that would fix it, but i can't get around tamper protection as there is no entry to provide a password. 



This thread was automatically locked due to age.
Parents
  • Hi S Carter,

     

       If the machine was accidentally removed from central, you should be able to find the last known Tamper Protection password here:

    Central.Sophos.com>Logs&Reports>Recover Tamper Protection Password.


    If not, you will need to boot the machine to safemode to disable Tamper Protection: https://community.sophos.com/kb/en-us/124377

    Once Tamper Protection has been disabled, you need only run the installer through command line as per the following steps:
    1. Turn off TP
    2. Download installer from correct Central instance
    3. Run:  SophosSetup.exe --registeronly
    4. Turn on TP
    The above steps will cause the machine to register itself with Central.

    Once you see the machine in Central again, please let me know if this also resolves the Management Communication 401 error you are seeing.

     

    ZGV
    Community Support Engineer | Sophos Technical Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link
  • I don't think it was removed (I checked the Tamper Code recovery report; didn't see it on there), but someone else may have done so.  

     

    I followed the steps to boot the machine to safemode to disable Tamper Protection: https://community.sophos.com/kb/en-us/124377 and then rebooted normally.  Sophos is now reporting some services are off (Device control Service; Anti-Virus).  The next step says to 'Turn off TP', which I'm not understanding.  If I open Sophos it still needs a login to get to the admin, if I run SophosSetup.exe --registeronly it gives an error that Tamper protection is still enabled.

    Is there an extra step to turn off TP once I have booted back to win10 normally?  

  • Hi S Carter,

     

       Can you confirm that you performed the "Managed by Sophos Central" steps and not the Enterprise Console steps from https://community.sophos.com/kb/en-us/124377?

    It is expected behavior for Sophos Anti-Virus service to report as stopped as it was disabled while in Safemode, this will effect dependent services as well.

    Please let me know if performing the Central based steps found in the above KB help.

     

    ZGV
    Community Support Engineer | Sophos Technical Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link
  • Yes, i followed the Sophos Central (not the enterprise), but looks like I missed a step in there.  I went back and did that step and now Sophos does not show the 'admin' login anymore (assuming this means TP is off).  Trying the --registeronly with a fresh copy of our installer i just pulled down.  Hopefully that works; will let you know.

  • Tamper Protection was indeed off, it let me do the --registeronly step this time.  Wasn't sure on Re-activation/step4 (re-enable everything from step 1, even the items that were zero already?  only re-activate the ones I had needed to change? etc..), so I just uninstalled and re-installed with the latest version from our cloud instance.  Looks like it worked, the machine is now showing up in Sophos (no prior history before today though, so I'm still pretty sure it never correctly registered rather than it being deleted, but the fix worked either way).

     

    Thanks for your help!

Reply
  • Tamper Protection was indeed off, it let me do the --registeronly step this time.  Wasn't sure on Re-activation/step4 (re-enable everything from step 1, even the items that were zero already?  only re-activate the ones I had needed to change? etc..), so I just uninstalled and re-installed with the latest version from our cloud instance.  Looks like it worked, the machine is now showing up in Sophos (no prior history before today though, so I'm still pretty sure it never correctly registered rather than it being deleted, but the fix worked either way).

     

    Thanks for your help!

Children