This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Intercept X installs only "half" - how can I fix this ?

Hi to all,

on a few computers we installed Intercept X Endpoint.
The installer was downloaded from our Sophos Central Management Console.
The installation finished without error.
All machines are shown in healty state in the Central Management Console.

But some components seem to be missing.
Even though Sophos is running, Windows security reports missing threat protection.



When I rightclick on a file, I'm missing the scan on demand option of Sophos.


Only defender is present.
Thus some components of Intercept X seem not to have installed.

I'd be happy, if somebody can provide a solution to this.

Best regards
ranX



This thread was automatically locked due to age.
Parents
  • Hello RanX,

    Thank you for reaching out to the Sophos Community. 

    I recommend ensuring that any pending reboots are completed after the initial installation. Once rebooted, check the Sophos Endpoint UI to see if any further updates need to be installed. 

    You can also use the "Sophos Endpoint Self Help" tool to verify the health and installation status of Sophos Antivirus. 

    You may want to check the directory "C:\Windows\temp" for a file by the name of "avremove.log." If there's another AV product installed/detected on the device, some of Sophos' components may not install fully. 

    Let me know what your findings are.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi Qoosh,

    thanks for the fast reply !
    All respective computers were installed four days ago.
    Thus all of them have been rebootet at least three times.

    I also have run the update function in the informations menu severeal times.
    This doesn't change anything.
    Self help tells me everything is green.

    The previous AV Suite has been completely uninstalled with no errors before Intercept X came into play.
    A file "C:\Windows\temp\avremove.log" is not present.

    When I download Eicar, it is detected and removed by Defender and not by Intercept X
    I got still no idea, what causes this poor behaviour.
    To be true, I pretty dissapointed by Sophos, as things like these should not happen.
    At least I should receive a big fat warning, that Sophos doesn't run properly.
    Instead: everything green ...
    This doesn't build up trust for the reliablity of Sophos AV.

    As I have to enroll this for the whole company soon, I hope for a quick solution.
    Best Regards

    ranX

  • Hi, please take a look at my recent post about installer using a new FQDN to download packages. Maybe you have a similar issue.

    You can check  the logs here to identify issues the installer may have:

    %ProgramData%\Sophos\CloudInstaller\Logs\

  • Thanks for the hint but I see no issues in the Logfile.

  • is it server or client OS?

  • Client OS.
    The server Installations work.
    On all four clients I enrolled so far, Intercept X isn't fully operational.

  • can you show some screenshots of the Sophos components?

    You find it here:

  • that looks good. not like "half" installed.

    Im only aware that defender will not get disabled on server OS automatically. Which OS Version are you using? Maybe this is a Windows 11 or brand new Windows 10 where eventually Defender acts like on Server OS?

    What if you follow the steps to disable Defender? Does the Scan with Sophos appear in right click then?

  • OS is Win 10 Professional.
    The described behaviour seems to be "global" as it appears on all four computers, where I have enrolled Intercept X til now.

    When Defender is disabled, the situation stays the same.
    No Sophos Scan on rightclick; Windows Security reports issues in the taskbar.

  • Additional Info:
    This seems to be a license issue.
    We had the same behaviour on our first test enrollment.
    Then we activated the trial for Intercept X advanced and everything worked as expected.
    After the trial period expired, this issue is back now

Reply
  • Additional Info:
    This seems to be a license issue.
    We had the same behaviour on our first test enrollment.
    Then we activated the trial for Intercept X advanced and everything worked as expected.
    After the trial period expired, this issue is back now

Children
  • If you are still testing out Sophos Antivirus, it's possible to request an extension on your trial by getting in touch with our Customer Care team. It’s possible to extend the trial up to 60 days, 

    Once you have purchased a full license or once the trial extension is applied, you can use the following navigation to deploy the additional components to the devices in question. 

    - Open the "Devices" menu
    - Use the tick-boxes to select which devices you'd like to target
    - Select "Manage Endpoint Software" 
    - Use the drop-down menus to specify what changes you'd like to apply

    Let me know if this helps.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Dear Qoosh,
    I'm afraid my description was a bit imprecise so I'm going to catch up on this:
    We already have a full and paid license of Intercept X !

    Before installing this companywide, me and my colleagues did a test enrollment.
    On all test endpoints, which do not run the server version, we encountered the issue, Intercept X will not work.
    It can't do an on demand scan and it will not detect Eicar.

    One of my colleagues found out, that installation will work with the trial of Intercept X adavanced.
    But now, that our 30 day trial period of "advanced" has run out and we can just choose the standard Version for install, we're back to our issue, we had in the beginning.
    Intercept X is installed but not operational.

    This is pretty annoying behaviour, as even the standard version should do a reliable job.
    Regards
    ranX

  • The right-click scan or "On-demand scan" feature you’re looking for is a part of the "SAV" engine, as opposed to the Intercept X engine. Intercept X is mainly to perform heuristics-based scanning, whereas the "SAV" engine will perform signature-based scans. 

    The Intercept X Essentials license will only include the Intercept X component. If you wish to have both components running in conjunction with one another, it's best to upgrade to the "Intercept X Advanced" license. 

    Let me know if this information helps.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • So it is normal behaviour, that even after install of Intercept X "Standard" Windows Security will shine up with a warning in the taskbar ?
    And it's also normal behaviour, that not Sophos but Defender is responsible for AV scanning ?
    As already pointed out: when I download Eicar, it will be deleted by Defender and not by Sophos.
    The deletion of Eicar will not show up in the log of Sophos Central.
    So I have no overview, which files have been detected companywide.

    In case this is really intended behaviour, then please tell me what's the purpose of  Intercept X "Standard"  ??
    I tought I have a centralized AV solution, but at present the only benefit I have, is a more or less decorative icon in the taskbar ...

  • Let me know if disabling Windows Defender allows Intercept X to behave as expected. I gave this a try on a VM and placing an eicar file on the device triggered a detection event from Sophos as expected.

    I suspect the main difference is that Intercept X's scanning is mainly geared towards runtime protection, as opposed to observing the read/write of files. 
    It sounds like Windows Defender is seeing the files being written before Intercept X does, which results in the files being cleaned up before Sophos is able to raise a detection. 

    Regarding the Microsoft Security Center not recognizing that Intercept X is installed, I will try finding out more on this for you and update this thread in the coming days.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Dear Qoosh,

    in one of the postings above, LHerzog already suggested to disable Defender and I already answered, when I do so, this has no effect on the Intercept X behaviour.

    Regards
    ranX

  • I think the basic issue here is:

    The client knows, that there is an expired trial license somewhere for this installation, even if it may/should have been replaced by a paid license (maybe  with less features than the trial and therefore declining to function??)

    Have you tried to remove the client by using the Sophos zap tool? This should delete any Sophos Software completely (hopefully also expired licenses). And then afterwards reinstall by using a fresh installer directly from Central.

    If this is unable to fix it I guess, the information about the trial is stored in Central and applied by the client and can probably only be resolved by Central support team.

  • I think the issue is the handling of licenses in Sophos Central.

    A short history:
    We started our testing when already having a bunch of activated, valid paid licenses in Sophos Central abouth two months ago.
    We installed one test VM, which already failed in the described way.
    My colleague temporarily solved this by activating the Intercept X Advanced Trial.

    After 30 days, when the trial period expired, we fell back to our basic Intercept X License.

    The four machines, I referred to above, where completely new installations, which had never seen Sophos before.
    So this is no issue of trial license remains but an issue of license handling within Sophos Central.

    I have filed this as issue and our Sophos Parnter is "very happy" he has to contact Sophos Support.
    I understand his pain, as I have done a migration of our Sophos UTM to XG a three months before.
    This also involved waiting two weeks for the support's answer.
    (plus many more pain as XG is way beyond UTM according to usability ...)

    Both products should provide my company's data security - both ran miserably from the beginning.
    I am doing this business for more than two decades now; rolled out security solutions from several vendors,
    but NEVER had such poor overall performance of product and support !

    No matter what will happen from now on, Sophos have eagerly worked themselves to my personal blacklist.
    I will happily replace this bunch of crap as soon as the licenses are expired.
    To be true I can't await the day ....

    Sorry for these harsh words, but I'm so fed up with Sophos, yuck !


  • Hello RanX,

    Over the past several months, we have increased our support staff by ~20%, and our team is 100% focused on delivering high-quality, timely support. We’re seeing gradual improvements in performance, and we expect those improvements to continue over the course of the next few weeks and months. 

    I was able to find some discrepancies when testing this on my end, and I believe I have found a solution that will get things working as expected. I will reach out to you via PM to request details on your account to inquire internally to get this addressed. If you do still choose to go a different route, that is entirely understandable. I want to do anything I can to help out as is. 

    Cheers,

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids