
Real time protection disabled on Mac OS endpoint

2 of our Mac OS endpoints are showing the same high severity alert. Both of these were installed by the end-user using an installer and instructions that we provided for them. I'm wondering if they failed to give Sophos the correct security permissions at the end of the install process. Unfortunately, it has been hard to get a hold of them. I sent them this link but never heard back. I have 2 main questions:

1. These alerts are marked as having occurred 8 days or more in the past and everything but the "legacy" services are showing as running. Does that mean that they are ongoing or that they have been resolved and I should simply acknowledge them? The alert shows up in the device's Status page (screenshot below) and the customer's "Alerts" section in Sophos Central Admin.

2. If this is an ongoing issue, what is the best way to resolve it? There is a "Reinstall Endpoint Protection" option available, but I'm thinking maybe connecting to the machines via remote control and using the instructions in the link above would be more reliable.

Clarification on services currently running.
[edited by: Owen Brearley at 4:59 PM (GMT -8) on 12 Jan 2021]
  • Hi ,

    For question #1, you can try to acknowledge those alerts. You will be able to verify if this is solved, as it will change the status of those missing components to a "running" status. If you observe the same issue after you acknowledge the alerts, you may proceed with applying the steps below to change the Kext permission on the system.

    1. Boot into macOS Recovery mode.
    2. Open Terminal.
    3. Run the command: /usr/sbin/spctl kext-consent add 2H5GFH3774
    4. Reboot the affected Mac.

    In addition, may I know if the devices are currently running Big Sur OS?

    Community Support Engineer | Sophos Technical Support