
Sophos Endpoint Full Disk Access continues to create errors and pop up daily on workstations

In Macintosh environments, both Catalina and Big Sur, we are seeing non-stop alert notifications to Allow Full Disk Access for the Sophos endpoint client. We have added it, removed it and added it again, done everything we can think of, yet the Alert persists, and keeps prompting users to do it again and again. The Alert informs the end user that the Sophos Endpoint app is NOT protecting their machine, and this is very much creating issues. This is important to be resolved soon, as it has been happening for several weeks now. Please advise. I understand Big Sur is not supported, but we for CERTAIN have this issue happening in the most recent version of Catalina.



  • Hello,

    It would be great to know which Sophos processes are in the "Full Disk Access" list of your Security & Privacy preferences. Alternatively, you could generate and send in a diagnostics report by opening the endpoint UI, opening the about panel, then "Run Diagnostics Tool" and from within that "Launch SDU". This will generate an archive of system logs and configuration.

    Frank  

  • Sophos requests the endpoint app, I have: 

    Endpoint UI Server

    Endpoint 

    Sophos Config D

  • That looks incomplete. You should see the following applications in the list: "Sophos Diagnostics Utility", "SophosScanAgent", "Sophos Endpoint UIServer", "SophosCleanD" and "SophosServiceManager". If this is not the case, please wait until that dialog appears next time and follow the steps outlined. See if "System Preferences" accepts the drag and drop of the Sophos icon from the dialog to the full disk access table (5 items) after unlocking it with your admin credentials.

    Frank 

  • Reapplied the fix per the pop up window

    Sophos Config D

    Endpoint UIServer 

    Sophos Endpoint

    Maybe reinstall? 

  • Please send me the SDU first so I can take a look. frank.fenn at sophos.com

  • Hi,

    There is actually a KBA on this subject in the Sophos home support page. You need to change your access level on the Mac to locate and add the extra items.

    Ian


  • Hi 

    Sophos needs to be allowed in the General tab of the Security & Privacy window as mentioned in this article. Check out the below video for the issue and see if it helps. 

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Hello,

    In Big Sur I experience the same issue with Sophos Endpoint 9.10.0. The windows to provide "Full Disk Access" and the "Security & Privacy Preferences" continually pop up, although I tried the following things:

    1) Sweeping away the old installation and reinstalling the client.

    2) Providing disk access by following the step-by-step guide in the windows.

    3) Manually adding all the clients mentioned in the KBA ("Sophos Diagnostics Utility", "SophosScanAgent", "Sophos Endpoint UIServer", "SophosCleanD" and "SophosServiceManager").

    4) A combination of all the aforementioned procedures.

    This issue is very annoying, and the On-Access Scan is also deactivated.

    Need your help.

    Thanks

    Maik

  • Can you please do these actions:

    1. Verify full disk access
      1. command: sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "select client,auth_value from access" | grep -i sophos | sort
        1. expected output:
          /Library/Sophos Managed Detection and Response/SophosMDR|2
          com.sophos.SDU4OSX|2
          com.sophos.SophosScanAgent|2
          com.sophos.autoupdate|2
          com.sophos.endpoint.scanextension|2
          com.sophos.endpoint.uiserver|2
          com.sophos.liveresponse|2
          com.sophos.macendpoint.CleanD|2
          com.sophos.macendpoint.SophosServiceManager|2
      2. Verify status of system extensions. command: systemextensionsctl list | grep -i sophos
        1. expected output:
          * * 2H5GFH3774 com.sophos.endpoint.networkextension (1.0/2) networkextension [activated enabled]
          * * 2H5GFH3774 com.sophos.endpoint.scanextension (1.0/1.0) com.sophos.endpoint.scanextension [activated enabled]
    2. Verify endpoint security client functionality
      1. command: gzcat /Library/Logs/SophosDiagnostics.* | grep -e 'ESServer.*Cache Stat'
        1. expected output: (multiple results of the following lines with a non-zero total)
          2020-11-27 12:43:41.104 [SophosServiceManager 83268:7386487 TID:7486301 ESServer PID:79882] [Cache Stat: Total 4424 item(s), hit ratio: 35.089123%, miss ratio: 64.91087%]
          2020-11-27 12:48:41.111 [SophosServiceManager 83268:7386487 TID:7488637 ESServer PID:79882] [Cache Stat: Total 4468 item(s), hit ratio: 34.990402%, miss ratio: 65.0096%]
          2020-11-27 12:53:41.130 [SophosServiceManager 83268:7386487 TID:7490203 ESServer PID:79882] [Cache Stat: Total 4503 item(s), hit ratio: 34.955013%, miss ratio: 65.04499%]

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support

  • Thanks for your reply. I ran the first command in the console but received this message:

    Error: unable to open database "/Library/Application Support/com.apple.TCC/TCC.db": authorization denied

    What else could I do?

    Best, Maik
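
The full disk access check from RichardP's reply, as an added example that is not part of the original thread and not Sophos tooling: it compares the query's `client|auth_value` rows against the client list he posted and names each entry that is missing or not allowed. The function names, the output wording and the hint for the "authorization denied" case are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. The database path, the query, the client
# list and the value 2 come from RichardP's post; the rest is assumed.
TCC_DB='/Library/Application Support/com.apple.TCC/TCC.db'
EXPECTED_CLIENTS='/Library/Sophos Managed Detection and Response/SophosMDR
com.sophos.SDU4OSX
com.sophos.SophosScanAgent
com.sophos.autoupdate
com.sophos.endpoint.scanextension
com.sophos.endpoint.uiserver
com.sophos.liveresponse
com.sophos.macendpoint.CleanD
com.sophos.macendpoint.SophosServiceManager'

# Reads "client|auth_value" rows on stdin. Prints "MISSING <client>" when no
# row exists for an expected client and "NOT_ALLOWED <client>" when none of
# its rows has auth_value 2. Exit status is 0 only when all are allowed.
check_sophos_tcc() {
    EXPECTED="$EXPECTED_CLIENTS" awk -F'|' '
        BEGIN { n = split(ENVIRON["EXPECTED"], want, "\n") }
        { seen[$1] = 1; if ($2 == 2) allowed[$1] = 1 }
        END {
            for (i = 1; i <= n; i++) {
                c = want[i]
                if (!(c in seen)) { print "MISSING " c; bad++ }
                else if (!(c in allowed)) { print "NOT_ALLOWED " c; bad++ }
            }
            exit (bad > 0)
        }'
}

# Runs the query from the thread and feeds it to the check. A failed read
# (such as "authorization denied") is reported separately, so an unreadable
# database is not mistaken for a machine with no Sophos entries.
run_check() {
    rows=$(sudo sqlite3 "$TCC_DB" 'select client,auth_value from access') || {
        echo "Cannot read $TCC_DB." >&2
        echo "macOS protects this file: the terminal application running" >&2
        echo "this script needs Full Disk Access itself, even under sudo." >&2
        return 2
    }
    printf '%s\n' "$rows" | check_sophos_tcc
}
```

Source the file and call `run_check` on the affected Mac; an exit status of 1 with `MISSING` lines points at the entries still to be added under Full Disk Access.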