This discussion has been locked.

Intercept X installs only "half" - how can I fix this ?

Hi to all,

on a few computers we installed Intercept X Endpoint.
The installer was downloaded from our Sophos Central Management Console.
The installation finished without error.
All machines are shown in a healthy state in the Central Management Console.

But some components seem to be missing.
Even though Sophos is running, Windows security reports missing threat protection.



When I right-click on a file, I'm missing the scan on demand option of Sophos.


Only Defender is present.
Thus some components of Intercept X seem not to have installed.

I'd be happy, if somebody can provide a solution to this.

Best regards
ranX



  • Hello RanX,

    Thank you for reaching out to the Sophos Community. 

    I recommend ensuring that any pending reboots are completed after the initial installation. Once rebooted, check the Sophos Endpoint UI to see if any further updates need to be installed. 

    You can also use the "Sophos Endpoint Self Help" tool to verify the health and installation status of Sophos Antivirus. 

    You may want to check the directory "C:\Windows\temp" for a file by the name of "avremove.log." If there's another AV product installed/detected on the device, some of Sophos' components may not install fully. 

    Let me know what your findings are.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi Qoosh,

    thanks for the fast reply !
    All respective computers were installed four days ago.
    Thus all of them have been rebooted at least three times.

    I have also run the update function in the information menu several times.
    This doesn't change anything.
    Self help tells me everything is green.

    The previous AV Suite has been completely uninstalled with no errors before Intercept X came into play.
    A file "C:\Windows\temp\avremove.log" is not present.

    When I download Eicar, it is detected and removed by Defender and not by Intercept X.
    I still have no idea what causes this poor behaviour.
    To be honest, I'm pretty disappointed by Sophos, as things like these should not happen.
    At least I should receive a big fat warning that Sophos doesn't run properly.
    Instead: everything green ...
    This doesn't build up trust in the reliability of Sophos AV.

    As I have to enroll this for the whole company soon, I hope for a quick solution.
    Best Regards

    ranX

  • Hi, please take a look at my recent post about installer using a new FQDN to download packages. Maybe you have a similar issue.

    You can check the logs here to identify issues the installer may have:

    %ProgramData%\Sophos\CloudInstaller\Logs\

  • Thanks for the hint, but I see no issues in the logfile.

  • Is it server or client OS?

  • Client OS.
    The server installations work.
    On all four clients I enrolled so far, Intercept X isn't fully operational.

  • Can you show some screenshots of the Sophos components?

    You find it here:

  • That looks good. Not like "half" installed.

    I'm only aware that Defender will not get disabled on server OS automatically. Which OS version are you using? Maybe this is a Windows 11 or brand new Windows 10 where eventually Defender acts like on Server OS?

    What if you follow the steps to disable Defender? Does the Scan with Sophos appear in right click then?

  • OS is Win 10 Professional.
    The described behaviour seems to be "global" as it appears on all four computers where I have enrolled Intercept X until now.

    When Defender is disabled, the situation stays the same.
    No Sophos Scan on right-click; Windows Security reports issues in the taskbar.

  • Additional Info:
    This seems to be a license issue.
    We had the same behaviour on our first test enrollment.
    Then we activated the trial for Intercept X Advanced and everything worked as expected.
    After the trial period expired, this issue is back now.

  • If you are still testing out Sophos Antivirus, it's possible to request an extension on your trial by getting in touch with our Customer Care team. It’s possible to extend the trial up to 60 days.

    Once you have purchased a full license or once the trial extension is applied, you can use the following navigation to deploy the additional components to the devices in question. 

    - Open the "Devices" menu
    - Use the tick-boxes to select which devices you'd like to target
    - Select "Manage Endpoint Software" 
    - Use the drop-down menus to specify what changes you'd like to apply

    Let me know if this helps.

    Kushal Lakhan
    Team Lead, Global Community Support
  • Dear Qoosh,
    I'm afraid my description was a bit imprecise, so I'm going to catch up on this:
    We already have a full and paid license of Intercept X!

    Before installing this companywide, my colleagues and I did a test enrollment.
    On all test endpoints which do not run the server version, we encountered the issue that Intercept X will not work.
    It can't do an on-demand scan and it will not detect Eicar.

    One of my colleagues found out that installation will work with the trial of Intercept X Advanced.
    But now that our 30 day trial period of "Advanced" has run out and we can just choose the standard version for install, we're back to the issue we had in the beginning.
    Intercept X is installed but not operational.

    This is pretty annoying behaviour, as even the standard version should do a reliable job.
    Regards
    ranX

  • The right-click scan or "On-demand scan" feature you’re looking for is a part of the "SAV" engine, as opposed to the Intercept X engine. Intercept X is mainly to perform heuristics-based scanning, whereas the "SAV" engine will perform signature-based scans. 

    The Intercept X Essentials license will only include the Intercept X component. If you wish to have both components running in conjunction with one another, it's best to upgrade to the "Intercept X Advanced" license. 

    Let me know if this information helps.

    Kushal Lakhan
    Team Lead, Global Community Support
  • So it is normal behaviour that even after install of Intercept X "Standard" Windows Security will shine up with a warning in the taskbar?
    And it's also normal behaviour that not Sophos but Defender is responsible for AV scanning?
    As already pointed out: when I download Eicar, it will be deleted by Defender and not by Sophos.
    The deletion of Eicar will not show up in the log of Sophos Central.
    So I have no overview, which files have been detected companywide.

    In case this is really intended behaviour, then please tell me what's the purpose of Intercept X "Standard"?
    I thought I had a centralized AV solution, but at present the only benefit I have is a more or less decorative icon in the taskbar ...
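
One way to check on a Windows client which antivirus engine is actually registered and active, the symptom discussed in this thread. This is an added example, not part of any post and not Sophos tooling; it assumes a client OS (the Security Center WMI namespace does not exist on Windows Server) and the function name is hypothetical.

```powershell
# Added example: summarise which AV engine Windows regards as active on this endpoint.
# Uses only built-in Windows interfaces; Get-ActiveAvSummary is a hypothetical name.
function Get-ActiveAvSummary {
    # Products registered with Windows Security Center (client OS only).
    $registered = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
                        -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue)

    # Defender's own view of its state; the cmdlet is missing if the Defender module is absent.
    $mp = $null
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    }

    # Anything registered that is not Defender counts as a third-party AV provider.
    $thirdParty = @($registered | Where-Object { $_.displayName -notmatch 'Defender' })

    # Defender is the primary engine when real-time protection is on and it is not passive.
    # On older builds without the AMRunningMode property this evaluates to $false.
    $defenderPrimary = [bool]($mp -and $mp.RealTimeProtectionEnabled -and
                              $mp.AMRunningMode -eq 'Normal')

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        RegisteredProducts   = ($registered.displayName -join '; ')
        ThirdPartyRegistered = ($thirdParty.Count -gt 0)
        DefenderRunningMode  = if ($mp) { $mp.AMRunningMode } else { 'n/a' }
        DefenderRealTime     = if ($mp) { $mp.RealTimeProtectionEnabled } else { $false }
        DefenderIsPrimary    = $defenderPrimary
    }
}

# Run locally; the result can be exported and compared across the enrolled machines.
Get-ActiveAvSummary | Format-List
```

If `DefenderIsPrimary` is true, on-access detections such as the Eicar test are handled and logged by Defender on that machine, whatever the management console's health status shows.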