
Sophos Endpoint Full Disk Access continues to create errors and pop up daily on workstations

In Macintosh environments, in both Catalina and Big Sur, we are seeing non-stop alert notifications to allow Full Disk Access for the Sophos endpoint client. We have added it, removed it and added it again, done everything we can think of, yet the alert persists and keeps prompting users to do it again and again. The alert informs the end user that the Sophos Endpoint app is NOT protecting their machine, and this is very much creating issues. It is important that this be resolved soon, as it has been happening for several weeks now. Please advise. I understand Big Sur is not supported, but we for CERTAIN have this issue happening in the most recent version of Catalina.



  • Hello,

    In Big Sur I experience the same issue with Sophos Endpoint 9.10.0. The windows to provide "Full Disk Access" and the "Security & Privacy Preferences" continually pop up, although I tried the following things:

    1) Sweeping away the old installation and reinstall of the client.

    2) Providing disk access by following the step by step guide in the windows

    3) Manually adding all the clients mentioned in the KBA ("Sophos Diagnostics Utility", "SophosScanAgent", "Sophos Endpoint UIServer", "SophosCleanD" and "SophosServiceManager")

    4) A combination of all the aforementioned procedures.

    This issue is very annoying and also the On-Access-Scan is deactivated. 

    Need your help.

    Thanks

    Maik

  • FormerMember
    0 FormerMember in reply to Maik Arnold

    Can you please do these actions:

    1. Verify full disk access
      1. command: sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "select client,auth_value from access" | grep -i sophos | sort
        1. expected output:
          /Library/Sophos Managed Detection and Response/SophosMDR|2
          com.sophos.SDU4OSX|2
          com.sophos.SophosScanAgent|2
          com.sophos.autoupdate|2
          com.sophos.endpoint.scanextension|2
          com.sophos.endpoint.uiserver|2
          com.sophos.liveresponse|2
          com.sophos.macendpoint.CleanD|2
          com.sophos.macendpoint.SophosServiceManager|2
      2. Verify status of system extensions. command: systemextensionsctl list | grep -i sophos
        1. expected output:
          * * 2H5GFH3774 com.sophos.endpoint.networkextension (1.0/2) networkextension [activated enabled]
          * * 2H5GFH3774 com.sophos.endpoint.scanextension (1.0/1.0) com.sophos.endpoint.scanextension [activated enabled]
    2. Verify endpoint security client functionality
      1. command: gzcat /Library/Logs/SophosDiagnostics.* | grep -e 'ESServer.*Cache Stat'
        1. expected output: (multiple results of the following lines with a non-zero total)
          2020-11-27 12:43:41.104 [SophosServiceManager 83268:7386487 TID:7486301 ESServer PID:79882] [Cache Stat: Total 4424 item(s), hit ratio: 35.089123%, miss ratio: 64.91087%]
          2020-11-27 12:48:41.111 [SophosServiceManager 83268:7386487 TID:7488637 ESServer PID:79882] [Cache Stat: Total 4468 item(s), hit ratio: 34.990402%, miss ratio: 65.0096%]
          2020-11-27 12:53:41.130 [SophosServiceManager 83268:7386487 TID:7490203 ESServer PID:79882] [Cache Stat: Total 4503 item(s), hit ratio: 34.955013%, miss ratio: 65.04499%]
  • Thanks for your reply. I hit the first command in the console but received this message: 

    Error: unable to open database "/Library/Application Support/com.apple.TCC/TCC.db": authorization denied

    What else could I do?

    Best, Maik

  • FormerMember
    0 FormerMember in reply to Maik Arnold

    Is your profile an administrator on the machine? If it isn't, that is why the steps to auth aren't working. You can't just be a user. You have to be an admin.
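
An added example, not part of the original thread and not Sophos code: a shell function that checks the rows printed by the TCC query in the reply above against that reply's expected client list, and reports the "authorization denied" case separately so it is not mistaken for missing entries. The function name `check_tcc_rows`, the finding labels and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: checks the "client|auth_value" rows printed by the TCC query.
# EXPECTED is the client list taken from the reply's expected output.
EXPECTED='/Library/Sophos Managed Detection and Response/SophosMDR
com.sophos.SDU4OSX
com.sophos.SophosScanAgent
com.sophos.autoupdate
com.sophos.endpoint.scanextension
com.sophos.endpoint.uiserver
com.sophos.liveresponse
com.sophos.macendpoint.CleanD
com.sophos.macendpoint.SophosServiceManager'

# check_tcc_rows (hypothetical helper): reads query output on stdin and prints
# one finding per line. Returns 0 = every client at auth_value 2,
# 1 = findings, 2 = the query itself failed, so nothing was checked.
check_tcc_rows() {
  rows=$(cat); result=0
  case "$rows" in
    *'authorization denied'*)
      echo 'QUERY-FAILED: sqlite3 could not open TCC.db'; return 2 ;;
  esac
  while IFS= read -r want; do
    found=no
    while IFS='|' read -r client value; do
      [ "$client" = "$want" ] || continue
      found=yes
      [ "$value" = 2 ] || { echo "NOT-2: $want (auth_value=$value)"; result=1; }
    done <<EOF
$rows
EOF
    [ "$found" = yes ] || { echo "MISSING: $want"; result=1; }
  done <<EOF
$EXPECTED
EOF
  return "$result"
}

# Constructed sample rows, not captured from a real machine.
SAMPLE='com.sophos.SDU4OSX|2
com.sophos.SophosScanAgent|0
com.sophos.endpoint.scanextension|2'

# On a Mac, feed the real query in (without grep, so an error line is seen):
#   sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
#     "select client,auth_value from access" 2>&1 | check_tcc_rows
printf '%s\n' "$SAMPLE" | check_tcc_rows || true
```

The `auth_value` column is the Big Sur schema; on Catalina the `access` table uses an `allowed` column instead, so the query needs adjusting there.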
