Real time protection disabled on Mac OS endpoint

2 of our Mac OS endpoints are showing the same high severity alert. Both of these were installed by the end-user using an installer and instructions that we provided for them. I'm wondering if they failed to give Sophos the correct security permissions at the end of the install process. Unfortunately it has been hard to get a hold of them. I sent them this link https://support.sophos.com/support/s/article/KB-000039014?language=en_US but never heard back. I have 2 main questions:

1. These alerts are marked as having occurred 8 days or more in the past and everything but the "legacy" services are showing as running. Does that mean that they are ongoing or that they have been resolved and I should simply acknowledge them? The alert shows up in the device's Status page ( screenshot below ) and the customer's "Alerts" section in Sophos Central Admin. 

2. If this is an ongoing issue what is the best way to resolve it? There is a "Reinstall Endpoint Protection" option available but I'm thinking maybe connecting to the machines via remote control and using the instructions in the link above would be more reliable. 



  • Hello Owen,

    The alerts are simply to notify you of the issue and regardless of the machine status, you would need to acknowledge them yourself. Based on your screenshot, the issue is still happening - the user needs to follow the steps from the article that you already sent - specifically:

    1. Open System Preferences.
    2. Open Security & Privacy.
    3. There should be a prompt asking to approve Sophos extensions.

    If that fails, the next step would be to do what GlennSen suggested with the Recovery mode command. 

    Fixing that will get the services into a green state. You can acknowledge the alert when all services are green, or acknowledge the alert now, as it will not affect the machine status - it really depends on what you are using to keep an eye on current issues - machine health status (orange\red\green) or alerts. Some of our customers keep the alert open until the issue is completely resolved and some create a ticket with their own internal IT, then acknowledge the alert. 

    Hope that helps! Please let me know if you have any further questions! 

    If a post solves your question please use the 'Verify Answer' link.
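As an added example (not part of this thread, and not a Sophos tool), here is a small POSIX shell check an administrator with remote shell access could use to confirm whether the extension approval described in the steps above has actually been completed, instead of relying on the user's report. It filters the text output of macOS's `systemextensionsctl list` for extensions whose state is anything other than `[activated enabled]`; on macOS the state `[activated waiting for user]` is what you see while the Allow button in Security & Privacy has not yet been clicked. The tab-separated column layout and the state strings are assumed from that command's output format, and the sample output, team ID and bundle IDs are constructed placeholders, not Sophos's identifiers.

```shell
#!/bin/sh
# Added example: list macOS system extensions that are not fully approved.
# On a real Mac: systemextensionsctl list | pending_extensions
# Column layout assumed: enabled, active, teamID, bundleID (version), name, [state]
# separated by tabs; the header row ends in the literal "[state]" and is skipped.

pending_extensions() {
    awk -F'\t' '
        /\[.*\]$/ && $NF != "[state]" && $NF != "[activated enabled]" {
            # print the bundle id column and the state so the admin knows
            # which extension still needs approval
            print $4 "\t" $NF
        }
    '
}

# Constructed sample output (placeholder team ID and bundle IDs): one
# endpoint-security extension already approved, one network extension still
# waiting for the user to click Allow.
sample_output() {
    printf '%s\n' '2 extension(s)'
    printf '%s\n' '--- com.apple.system_extension.endpoint_security'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\tTEAMID0000\tcom.example.endpoint.es (1.0/1)\tExample ES\t[activated enabled]\n'
    printf '%s\n' '--- com.apple.system_extension.network_extension'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '\t\tTEAMID0000\tcom.example.endpoint.net (1.0/1)\tExample NE\t[activated waiting for user]\n'
}

# Returns the number of extensions still pending approval in the sample.
count_pending_in_sample() {
    sample_output | pending_extensions | wc -l | tr -d ' '
}

# Demo: shows the one pending extension from the constructed sample.
sample_output | pending_extensions
```

If this prints nothing on the endpoint, every loaded system extension is approved and the remaining red services are likely a different problem (for example a missing Full Disk Access grant, which this check does not cover). If it prints a line in the "waiting for user" state, the user has not completed the Security & Privacy step yet.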

  • Thanks for the assistance everyone. Both users are reporting that there is no entry for Sophos requesting access under Security and Privacy. Physically getting my hands on these machines would be very difficult right now so I'm not sure that I can access the recovery console. I can gain remote access though. Maybe a removal and re-installation of the client? It is interesting that only the "Legacy" services are failing. One Mac is reporting that it is running 10.16. I thought that Big Sur was version 11 but it looks like 10.16 might be Big Sur as well. If this is the case what is the best way forward? I cannot get them to downgrade their operating system. 

  • I know there is an Early Release Program for Big Sur. Is this essentially a beta version of the Sophos agent? Can we upgrade them to it behind the scenes?

    Thanks,

  • You can enroll the devices into the EAP if you join it. You can then have the users re-apply the permissions - the EAP forum has the steps attached to it.

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Once I removed and then re-installed the agent the "allow" button below appeared. After clicking it the agent checked in and all of the services started. There was also an entry under Privacy\Full Disk Access named "endpoingagent", or something along those lines, which I gave access to. Thanks everyone. 
