Bit of an unusual one, we've been running Sophos Advanced Endpoint with Intercept X on our servers and workstations for a couple of years now, and the policies we believe are well bedded in now with minimal changes if any being made to them.
In the last month or so, I've had multiple cases of a users losing internet connectivity through any internet browser. Browsing to all websites fails, yet other network activity continues (Teams, Outlook, OneDrive, network file shares all work fine).
Initially when it first cropped up I thought it an odd bug, I reinstalled endpoint and after a restart the issue would be gone.
I've later found that when it happens, if I disable tamper protection and then disable 'Real time scanning - Internet' it begins to function again and the user can browse.
The problem seems to randomly pop up, so far only with around 3-4 users, but I'm concerned about it becoming more widespread. Also it returns, so I may get a user through the day using this method, and then it'll be fine for a few days/weeks, before randomly returning again.
Any thoughts on what it may be or where in policy I can look to maybe alter to try and avoid or at least troubleshoot this further?
Finally another thing that may or may not be related, the same users affected by the above sometimes get an alert in the corner from Sophos with a red cross saying 'Sophos IPS Stopped'.
I don't see any services stopping for them, and this alone doesn't seem to affect the user or the browsing. One user claims to have noticed it happens when using MS Teams, and doesn't impact whatever he is doing in Teams.
Again any thoughts on the IPS alerts? is it related to the browsing issue in some way? I've reinstalled the client on one of my laptops that is a repeat sufferer of this, and they still have the issue after a reinstall.
Hi, CarlosFandangos,Thank you for reaching us, It seems like there are two different issues going on. hHave you tried applying the hotfix on the problematic device and see if the browsing issue got resolved? You may refer to this KB article on how to run the hotfix. For the IPS query, Can you raise a case to further check as to why you're getting this notification. Also collect SDU logs on the machine where IPS strops working and share it on the case that you're going to raise.
Thanks very much for your reply. I will push out the hotfix to those affected and monitor and aim to return with feedback in a week or so, should give it time to show if improved or not.
I will leave the second issue of IPS warning until after focussing on this browsing issue as this one impacts users more whereas the IPS one is just cosmetic it seems.
Thanks, appreciate the tips
You're always welcome Carl, just keep us posted for the update