Access request from computer denied because it may be unsafe - HP EliteBook

In our company we have three HP Elitebook Dragonfly notebooks, and only those three are causing trouble with "unsafe" computers. I hoped that uninstallig HP Sure * (couple of programs) would help me prevent that, but sadly that's not the case. Do you have any other idea which software, by default installed on the HP computer or actually any other thing/setting could cause the error? 

Thank you for your time and kind regards!

  • I guess you have an XG and this error is as detailed here:

    Reject network connections (sophos.com)

    --

    When a device triggers a red health or missing Security Heartbeat alert, all other devices on the same subnet are informed that the device is unsafe.

    If the unsafe device tries to access another device, you will see an event logged in Sophos Endpoint on the destination device:

    Access request from computer computer name denied because it may be unsafe

    --

    Are the HP Elitebook Dragonfly notebooks showing red health and that's the thing to troubleshoot?

  • Thank you for your reply. Yes, I know about the reject network settings, but I don't want to turn notification/protection off. From 40 computers, only Elitebook Dragonflys are causing this problem. Other users in the network are getting warnings (only about those three notebooks). Sometimes notifications are showing one after another - every minute or two...

    When I check Dragonfly notebooks, they are green (nothing in Events either) in the Central. 

  • My question is really, is Sophos Health reporting the computer as unhealthy and if so, for what reason?  Services stopped/missing/detections/unable to heartbeat when expected?

    \ProgramData\Sophos\Health\Logs\Health.log

    Possibly:

    \ProgramData\Sophos\Heartbeat\Logs\Heartbeat.log

    could help.

    I assume these are the "newer" computers.  Could it be modern standby - Modern Standby | Microsoft Docs. I.e the computer is able to generate network connectivity through the Firewall, but Heartbeat, the Network Threat Protection service is not able to "heartbeat" the XG?

  • I don't know who reports it, but I can see it in the Sophos endpoint on computers under events. And I believe that windows notification is jumping in the right corner. I'll check into Modern Standy, never heard of it, but yeah, could be it. And I'll check logs too. I'll reply when i try it. Those are computers for our directors, so I have pretty limited access to it. Slight smile

  • If you initiate a "Diagnose" log from Central against a device it will create a zip file with all the logs under

    \windows\temp\sdu-<PIDmcsagent.exe>\

    and submit it "to Sophos".  The URL provided in Central can be used by Support to retrieve the SDU file from a S3 bucket. 

    It does leave the zip file in the temp folder.  Not sure if you have access to the computer C$ but if so you could get at it that way to save troubleshooting the logs live or maybe ask the user to provide the generated log.  Usually takes around 3-4 mins to run and create the log.  If the computer is not on, it will collect the command, when it next comes online.

  • Thank you for your reply! I downloaded all the logs from Sophos - Health and Heartbeat, even downloaded events from Windows and Diagnose from central - downloaded that file too from C$. I wrote to HP about the Modern Standby (S0), since there is no option to disable it in BIOS on that notebook. Now i have to go through the logs and check what is the reason for the "unsafe" notebooks. Hope i find something I could use to diagnose the problem.

  • I think I would start with the health log, maybe search using a tool like Notepad++ for all lines that contain:

    "Health state has changed"

    E.g.

    2021-03-16T10:24:38.368Z [ 9768: 4592] [v2.6.2.0] INFO Health state has changed to - Overall: 1, Service: 1, Threat: 1
    2021-03-17T12:16:04.896Z [ 9768: 4592] [v2.6.2.0] INFO Health state has changed to - Overall: 3, Service: 3, Threat: 1
    2021-03-19T09:34:49.512Z [ 4964: 5104] [v2.6.2.0] INFO Health state has changed to - Overall: 3, Service: 3, Threat: 1
    2021-03-19T09:40:33.379Z [ 4964: 5156] [v2.6.2.0] INFO Health state has changed to - Overall: 1, Service: 1, Threat: 1
    2021-03-24T12:14:41.174Z [ 5448: 6184] [v2.6.2.0] INFO Health state has changed to - Overall: 3, Service: 3, Threat: 1
    2021-03-24T12:14:41.215Z [ 5448: 6184] [v2.6.2.0] INFO Health state has changed to - Overall: 3, Service: 3, Threat: 1
    2021-03-24T12:15:41.428Z [ 5448: 6184] [v2.6.2.0] INFO Health state has changed to - Overall: 3, Service: 3, Threat: 1
    2021-03-24T12:15:41.452Z [ 5448: 6184] [v2.6.2.0] INFO Health state has changed to - Overall: 1, Service: 1, Threat: 1
    2021-03-29T14:48:28.698Z [ 5448: 6184] [v2.6.2.0] INFO Health state has changed to - Overall: 2, Service: 1, Threat: 2
    2021-03-29T18:04:37.929Z [ 5448: 6184] [v2.6.2.0] INFO Health state has changed to - Overall: 2, Service: 1, Threat: 2

    Under the registry key: "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\Status"

    The SophosHealth service keeps track of services, threats, etc, for example:

    health (1 =OK, 3 is bad)
    service  (1=OK, 3 for example would me a service is stopped)
    threat  (1=OK, 2=something outstanding)

    I believe these values relate to the above log values.  I just wonder what the history of the health is on these computers?

  • Funny, that 99,9% of the log is:

    2021-03-30T13:13:35.301Z [ 5664: 7528] [v2.5.153.0] INFO  Service check result is good: startup grace period is over

    And the ONLY thing I regarding Health state is:

    Line 2660: 2021-03-25T13:13:51.646Z [ 6004: 6620] [v2.5.153.0] INFO  Health state has changed to - Overall: 1, Service: 0, Threat: 0 

    About 20 of lines, all with Overall: 1, Service: 0, Threat: 0  status. And a line before it is always Processing event id: and some "random" number.

    Maybe the only "link" to a problem could be:

    2021-03-30T12:22:24.140Z [ 5664:14008] [v2.5.153.0] INFO Disconnecting client from pipe, as client has exited
    2021-03-30T12:22:24.646Z [ 5664: 2380] [v2.5.153.0] INFO Disconnecting client from pipe, as client has exited
    2021-03-30T12:27:19.297Z [ 5664: 7524] [v2.5.153.0] INFO Client has connected to pipe
    2021-03-30T12:27:19.809Z [ 5664: 7524] [v2.5.153.0] INFO Client has connected to pipe
    2021-03-30T12:27:20.316Z [ 5664:11872] [v2.5.153.0] INFO Disconnecting client from pipe, as client has exited
    2021-03-30T12:27:20.316Z [ 5664: 7524] [v2.5.153.0] INFO Client has connected to pipe
    2021-03-30T12:27:20.834Z [ 5664:15724] [v2.5.153.0] INFO Disconnecting client from pipe, as client has exited
    2021-03-30T12:27:21.351Z [ 5664: 7368] [v2.5.153.0] INFO Disconnecting client from pipe, as client has exited
    2021-03-30T12:27:23.827Z [ 5664: 7524] [v2.5.153.0] INFO Client has connected to pipe
    2021-03-30T12:27:24.330Z [ 5664: 7524] [v2.5.153.0] INFO Client has connected to pipe
    2021-03-30T12:27:24.832Z [ 5664: 7524] [v2.5.153.0] INFO Client has connected to pipe
    2021-03-30T12:27:24.847Z [ 5664:18532] [v2.5.153.0] INFO Disconnecting client from pipe, as client has exited
    2021-03-30T12:27:25.349Z [ 5664:11608] [v2.5.153.0] INFO Disconnecting client from pipe, as client has exited

    For now I added them to exception list in Reject Network Connections, so that they can connect to servers, but it is not a long term solution.