Most likely Post WINDOWS Monthly Patch Installation, Sophos status is broken.
We started the Windows updates rollout this week and already have multiple devices with this issue now.
Ex: This device was all okay. Once the update was installed and it rebooted, Sophos events show this error.
Anyone else with this problem?
Hi skyisbluescreen
Would you please suggest what is the exact error it is showing under the events?
Shweta
Hello there,
I have updated the Event log in the post. All the machines show the below error:
Everything was normal on these devices; Sophos was working perfectly fine. However, 1903 was installed, they rebooted, and boom, the Sophos AV service goes missing, and other ones too.
Hoping someone from the community can help me through.
------------------------------------------------------------------
I have tried Support. Here is what happens:
SDU logs shared for impacted PCs
They request us to reinstall
We do, and still the same problem.
We report back, they connect and run a PS script or batch to remove Sophos; the issue still persists after reinstall
They request us to reinstall the OS
-------------------------------------
Have you tried removing the older version of Anti-virus present using the Sophos ZAP tool? Kindly PM me the case number that you have already registered, so that I can review a few logs.
When AutoUpdate updates, it always checks the OS of the computer to see if it's changed; you see this in
C:\ProgramData\Sophos\AutoUpdate\Logs\SophosUpdate.log:
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO =========================
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO SophosUpdate is starting.
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO AutoUpdate version : 6.4.292.0
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO SophosUpdate version : 6.4.292.0
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO Build : 20200429173443-7acb03303197f5c0731d6b9c4afc467d5c7ff02e
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO =========================
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO Platform ID: WIN_10_X64 2004 19041.264
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO Platform upgraded: 0
The values come from:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate
Platform and PlatformRelease string values.
In the case where the current OS and these differ, then AutoUpdate runs the setup plugins of each of the components.
So under \windows\temp you will see the install logs for each component. Can you attach the logs of the failed components to this post?
Regards, Jak
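Added example, not part of the post above and not Sophos tooling: a small parser for the SophosUpdate.log line layout quoted in this thread. It groups lines into AutoUpdate runs and reports the runs where the Platform ID differs from the previous run or the "Platform upgraded" value is not 0. Treating a non-zero value as "OS change detected" is an assumption, and the second run in the sample is constructed.

```python
import re

# Line layout taken from the SophosUpdate.log excerpt in the thread:
# <UTC timestamp> [pid:tid] [vA.B.C.D] LEVEL message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z) \[\d+:\d+\] "
    r"\[v[\d.]+\] (?P<level>[A-Z]+) +(?P<msg>.*)$"
)

def parse_runs(text):
    """Split the log into AutoUpdate runs and collect each run's platform fields."""
    runs = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank, truncated or unrecognised line
        msg = m["msg"].strip()
        if msg == "SophosUpdate is starting.":
            runs.append({"start": m["ts"], "platform_id": None, "upgraded": None})
        elif runs and msg.startswith("Platform ID:"):
            runs[-1]["platform_id"] = msg.split(":", 1)[1].strip()
        elif runs and msg.startswith("Platform upgraded:"):
            runs[-1]["upgraded"] = msg.split(":", 1)[1].strip()
    return runs

def platform_changes(runs):
    """Runs whose Platform ID differs from the previous run, or whose flag is not 0."""
    hits, previous = [], None
    for run in runs:
        pid = run["platform_id"]
        changed = pid is not None and previous is not None and pid != previous
        flagged = run["upgraded"] not in (None, "0")  # assumption: non-zero = OS change seen
        if changed or flagged:
            hits.append({**run, "previous_platform_id": previous})
        previous = pid or previous
    return hits

# Constructed sample: run 1 uses the values quoted in the thread, run 2 is invented.
SAMPLE = """\
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO SophosUpdate is starting.
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO Platform ID: WIN_10_X64 2004 19041.264
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO Platform upgraded: 0
2020-06-10T08:15:02.120Z [4321:5678] [v6.4.292.0] INFO SophosUpdate is starting.
2020-06-10T08:15:02.120Z [4321:5678] [v6.4.292.0] INFO Platform ID: WIN_10_X64 2004 19041.329
2020-06-10T08:15:02.120Z [4321:5678] [v6.4.292.0] INFO Platform upgraded: 1
"""

if __name__ == "__main__":
    for hit in platform_changes(parse_runs(SAMPLE)):
        print(hit["start"], hit["previous_platform_id"], "->", hit["platform_id"])
```

The start time of each reported run can be lined up against Windows update install times and the component install logs under \windows\temp.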
Hello Shweta,
Thank you for your response. Will write to you in more detail once we have the results of the ZAP tool.
Looking at the Events and logs it looks like the Monthly patches have caused this problem.
P.S. Updated the post title to make it more relevant.
Thanks Jak. Deeper investigation has indicated that the Windows monthly security patches have caused this and not the Build 1909.
We are trying to get a list of broken devices and verify whether the timing of events matches. Also a list of installed KBs, which would need to be verified to see which one could possibly cause this problem.
P.S. I have edited the title of the post, as it's a Windows Update issue and not the build issue.
Once the system is patched with latest updates, let us know if you are still facing the issue with Sophos
The current patches (installed last week) will be there and we will not patch anytime soon in a month's time.
Thank you for the update, let us know how it goes with Sophos ZAP tool.
We have this problem also on several Win10 machines. Solved by running an update from the Sophos Endpoint UI on "problematic" machines and by several restarts.
In "Sophos Central Console" the "device status" is OK, but on some machines the status is red: "you have to call IT .." (free translation from the Czech language).
On fully updated machines and also on machines with some missing patches.
Hi Jiri Hadamek
Devices with red health status on central, does it show any specific service stopped or any other detections?