On multiple, probably all, machines I found logs in SSP.log in C:\ProgramData\Sophos\Endpoint Defense\Logs.
With version 4.8.0.968 there were almost no errors in this log.
The errors started here:
I 2021-08-04T14:47:50.946Z Stopping SSP service
I 2021-08-05T06:53:20.143Z Starting SSP service (Version: 4.8.0.968)
I 2021-08-05T06:53:30.362Z Loaded new rule set: amsi.dec:1.1.835.0;amsi_uac.dec:1.1.835.0;behave.dec:1.0.799;detections.dec:1.1.890.0;ips.dec:1.1.835.0;main.dec:4.8.0.967;static.dec:4.8.0.967;
I 2021-08-05T11:00:01.376Z Loaded new rule set: amsi.dec:1.2.88;amsi_uac.dec:1.2.88;behave.dec:1.0.799;detections.dec:1.2.88;ips.dec:1.2.88;main.dec:4.8.0.967;static.dec:4.9.1.1538;web.dec:1.2.133;
I 2021-08-05T16:30:40.602Z Stopping SSP service
2021-08-06T07:05:56.320Z [ 6044: 6408] A Starting SSP service (Version: 4.9.1.1538)
2021-08-06T07:05:56.401Z [ 6044: 6408] A SXA: Configuration file: C:\ProgramData\Sophos\Endpoint Defense\Config\SXA.conf
2021-08-06T07:06:10.088Z [ 6044: 6408] A Loaded new rule set: amsi.dec:1.2.88;amsi_uac.dec:1.2.88;behave.dec:1.0.799;detections.dec:1.2.88;devicecontrol.dec:4.9.1.1537;ips.dec:1.2.88;main.dec:4.9.1.1537;static.dec:4.9.1.1538;web.dec:1.2.133;
2021-08-06T11:57:34.929Z [ 6044:11352] W Failed to process journal event: Cannot create FiletimeClock time point from invalid filetime: 0
2021-08-06T11:57:34.981Z [ 6044:11352] W Failed to process journal event: Cannot create FiletimeClock time point from invalid filetime: 0
So what we have here is a collection of these errors:
E Failed to send a reply to the driver, error -2145452000 (very often, >5800 events at least on my own computer)
E Failed to send a reply to the driver, error -2147024890
W 32771 is not a valid certificate crypto algorithm
W Failed to process journal event: Cannot create FiletimeClock time point from invalid filetime: 0
W T00000bfc WinHttpSendRequest failed: 12007
Do you have it on your radar?
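Added example, not code from the original post or from Sophos: a small Python triage helper that parses both SSP.log line layouts shown above (the 4.8 "level timestamp message" form and the 4.9 "timestamp [pid:tid] level message" form), counts W/E entries by message so the noisiest one surfaces first, and converts the signed error codes to HRESULT hex for lookup. The sample lines are constructed from those quoted in the post.

```python
import re
from collections import Counter

# 4.8.x layout: "I 2021-08-04T14:47:50.946Z Stopping SSP service"
OLD_LINE = re.compile(r"^(?P<level>[A-Z]) (?P<ts>\S+Z) (?P<msg>.*)$")
# 4.9.x layout: "2021-08-06T07:05:56.320Z [ 6044: 6408] A Starting SSP service ..."
NEW_LINE = re.compile(
    r"^(?P<ts>\S+Z) \[\s*(?P<pid>\d+):\s*(?P<tid>\d+)\] (?P<level>[A-Z]) (?P<msg>.*)$"
)


def parse_line(line):
    """Return (timestamp, level, message) for a log record, or None otherwise."""
    m = NEW_LINE.match(line) or OLD_LINE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("level"), m.group("msg").strip()


def summarize(lines):
    """Count W and E records by exact message text (informational lines are skipped)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec[1] in ("W", "E"):
            counts[(rec[1], rec[2])] += 1
    return counts


def hresult_hex(code):
    """Render a signed 32-bit error code as the unsigned hex HRESULT used in references."""
    return f"0x{code & 0xFFFFFFFF:08X}"


# Constructed sample: lines quoted in the post plus repeats of the driver-reply
# error (with constructed timestamps) so the counting is visible.
SAMPLE = """I 2021-08-05T06:53:20.143Z Starting SSP service (Version: 4.8.0.968)
I 2021-08-05T16:30:40.602Z Stopping SSP service
2021-08-06T07:05:56.320Z [ 6044: 6408] A Starting SSP service (Version: 4.9.1.1538)
2021-08-06T11:57:34.929Z [ 6044:11352] W Failed to process journal event: Cannot create FiletimeClock time point from invalid filetime: 0
2021-08-06T11:57:34.981Z [ 6044:11352] W Failed to process journal event: Cannot create FiletimeClock time point from invalid filetime: 0
2021-08-06T12:01:00.000Z [ 6044:11352] E Failed to send a reply to the driver, error -2145452000
2021-08-06T12:01:00.010Z [ 6044:11352] E Failed to send a reply to the driver, error -2145452000
2021-08-06T12:01:00.020Z [ 6044:11352] E Failed to send a reply to the driver, error -2147024890
""".splitlines()

if __name__ == "__main__":
    for (level, msg), n in summarize(SAMPLE).most_common():
        print(f"{n:6d}  {level}  {msg}")
    print(hresult_hex(-2147024890))  # 0x80070006
```

To run it against a real file, replace SAMPLE with the lines read from SSP.log; the 0x8007xxxx form carries the Win32 error number in its low 16 bits, which is what Microsoft's error-code references index on.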