
Sophos file scanner did not start

Good Day

For a few months now there has been an issue with 2 of our servers. The file scanner service has stopped working for some reason. I did some research and tried uninstalling and reinstalling the Sophos agent; it worked for a month but now it's not working again. I then logged a case with support, who said that a few of the Sophos endpoints were unavailable during an update:

SophosUpdate

2021-01-12T11:07:42.531Z [16888:16712] [v6.6.386.0] WARN  Failed to get the automatic proxy configuration. The error code was 12180.
2021-01-12T11:07:42.531Z [16888:22168] [v6.6.386.0] INFO  Trying update location: https://dci.sophosupd.com/v3/a/9e/a9ea8c83a1bb8ace183f86d7cebd499bc40e9d91e21bcdfedc5fd3633a1e28e8.dat with proxy: <direct; no proxy>
2021-01-12T11:07:42.692Z [16888:22168] [v6.6.386.0] INFO  404 from location: https://dci.sophosupd.com with proxy: <direct; no proxy>
2021-01-12T11:07:42.694Z [16888:22168] [v6.6.386.0] INFO  Trying update location: https://dci.sophosupd.com/update/0/fe/0fee16ef4788533e56a45b872e64c64f.dat with proxy: <direct; no proxy>

During this communication with support the services started working again; however, this morning it stopped again, but this time the case has been closed.

Any advice?



  • Hello Ziyaad,

    A 404 during the update occurs when a specific file is requested by an endpoint or server during the update cycle but cannot be found. Most often we see this issue when web caching is enabled on your web appliance. E.g. it's not found because the machine doesn't go to Sophos Central directly but tries to use the web cache.

    Are you using Sophos XG or UTM appliances by any chance? 

    Does the issue persist if you disable Web Caching?

    On the UTM you can do this by navigating to the UTM > Web Protection > Filtering Options > Misc > Scroll down to Web Caching, uncheck "Force caching for Sophos Endpoint Updates" and apply.

    On the XG you can do this by navigating to XG > Web > General Settings > Web Content Caching > Uncheck "Always cache Sophos Endpoint updates" and apply.

    Regarding the File scanner service stopping - there could be many reasons. During a component update, the existing component is uninstalled and a new one deployed. If there is an issue, the process is rolled back. In your case, as you have issues getting some files from Sophos Central, the rollback didn't work all the way properly. We recommend looking into that 404 updating error \ web caching and checking whether that resolves the issue.

    Once web caching is disabled, if the issue with the File scanner service is not resolved, please stop Tamper protection on that machine, stop the Sophos AutoUpdate service and rename\delete C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml - that file contains info about installed components and, when it's missing, it will force a reinstall of all components. Please note that a reboot will be required to re-initialize all defences.

    If you are still having issues with missing\stopped services at that point, then a full reinstall using the SophosZap tool is recommended, as at that point it would likely be an issue with old registry keys preventing the new component from initializing. Here is the article for SophosZap:

    support.sophos.com/.../KB-000038989

    Hope that helps! Please let me know if you have any further questions!
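
Added example, not part of the original thread and not Sophos tooling: a Python script that pairs each "Trying update location" line in a SophosUpdate log with the HTTP status logged next on the same process:thread, so you can list exactly which files returned 404 and whether the request went direct or through a proxy. The function and field names are assumptions; the sample input is the excerpt quoted in the question.

```python
import re

# Log lines copied from the SophosUpdate excerpt quoted in the question.
SAMPLE_LOG = """\
2021-01-12T11:07:42.531Z [16888:16712] [v6.6.386.0] WARN  Failed to get the automatic proxy configuration. The error code was 12180.
2021-01-12T11:07:42.531Z [16888:22168] [v6.6.386.0] INFO  Trying update location: https://dci.sophosupd.com/v3/a/9e/a9ea8c83a1bb8ace183f86d7cebd499bc40e9d91e21bcdfedc5fd3633a1e28e8.dat with proxy: <direct; no proxy>
2021-01-12T11:07:42.692Z [16888:22168] [v6.6.386.0] INFO  404 from location: https://dci.sophosupd.com with proxy: <direct; no proxy>
2021-01-12T11:07:42.694Z [16888:22168] [v6.6.386.0] INFO  Trying update location: https://dci.sophosupd.com/update/0/fe/0fee16ef4788533e56a45b872e64c64f.dat with proxy: <direct; no proxy>
"""

LINE = re.compile(
    r"^(?P<ts>\S+) \[(?P<pid>\d+):(?P<tid>\d+)\] \[v[\d.]+\] [A-Z]+\s+(?P<msg>.*)$")
ATTEMPT = re.compile(r"^Trying update location: (?P<url>\S+) with proxy: (?P<proxy>.+)$")
RESULT = re.compile(r"^(?P<status>\d{3}) from location: (?P<host>\S+) with proxy: .+$")


def correlate_fetches(log_text):
    """Return (failures, unresolved). Assumes a status line follows its attempt
    on the same process:thread, as it does in the excerpt above."""
    pending = {}   # (pid, tid) -> attempt still waiting for a status line
    failures = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # blank or unrecognised line
        key = (line["pid"], line["tid"])
        attempt = ATTEMPT.match(line["msg"])
        if attempt:
            pending[key] = {"requested_at": line["ts"],
                            "url": attempt["url"], "proxy": attempt["proxy"]}
            continue
        result = RESULT.match(line["msg"])
        if result and key in pending:
            entry = pending.pop(key)
            status = int(result["status"])
            # Attribute the status only if it names the host that was requested.
            if status >= 400 and entry["url"].startswith(result["host"]):
                failures.append({**entry, "status": status, "failed_at": line["ts"]})
    return failures, list(pending.values())


if __name__ == "__main__":
    failed, unresolved = correlate_fetches(SAMPLE_LOG)
    for f in failed:
        print(f"{f['failed_at']} HTTP {f['status']} {f['url']} via {f['proxy']}")
    for u in unresolved:
        print(f"{u['requested_at']} no status logged for {u['url']}")
```
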
