Intercept X installs only "half" - how can I fix this ?

Additional Info:
This seems to be a license issue.
We had the same behaviour on our first test enrollment.
Then we activated the trial for Intercept X advanced and everything worked as expected.
After the trial period expired, this issue is back now

If you are still testing out Sophos Antivirus, it's possible to request an extension on your trial by getting in touch with our Customer Care team. It’s possible to extend the trial up to 60 days, 

Once you have purchased a full license or once the trial extension is applied, you can use the following navigation to deploy the additional components to the devices in question. 

- Open the "Devices" menu
- Use the tick-boxes to select which devices you'd like to target
- Select "Manage Endpoint Software" 
- Use the drop-down menus to specify what changes you'd like to apply

Let me know if this helps.

Dear Qoosh,
I'm afraid my description was a bit imprecise so I'm going to catch up on this:
We already have a full and paid license of Intercept X !

Before installing this companywide, me and my colleagues did a test enrollment.
On all test endpoints, which do not run the server version, we encountered the issue, Intercept X will not work.
It can't do an on demand scan and it will not detect Eicar.

One of my colleagues found out, that installation will work with the trial of Intercept X adavanced.
But now, that our 30 day trial period of "advanced" has run out and we can just choose the standard Version for install, we're back to our issue, we had in the beginning.
Intercept X is installed but not operational.

This is pretty annoying behaviour, as even the standard version should do a reliable job.
Regards
ranX

The right-click scan or "On-demand scan" feature you’re looking for is a part of the "SAV" engine, as opposed to the Intercept X engine. Intercept X is mainly to perform heuristics-based scanning, whereas the "SAV" engine will perform signature-based scans. 

The Intercept X Essentials license will only include the Intercept X component. If you wish to have both components running in conjunction with one another, it's best to upgrade to the "Intercept X Advanced" license. 

Let me know if this information helps.

So it is normal behaviour, that even after install of Intercept X "Standard" Windows Security will shine up with a warning in the taskbar ?
And it's also normal behaviour, that not Sophos but Defender is responsible for AV scanning ?
As already pointed out: when I download Eicar, it will be deleted by Defender and not by Sophos.
The deletion of Eicar will not show up in the log of Sophos Central.
So I have no overview, which files have been detected companywide.

In case this is really intended behaviour, then please tell me what's the purpose of  Intercept X "Standard"  ??
I tought I have a centralized AV solution, but at present the only benefit I have, is a more or less decorative icon in the taskbar ...

Let me know if disabling Windows Defender allows Intercept X to behave as expected. I gave this a try on a VM and placing an eicar file on the device triggered a detection event from Sophos as expected.

I suspect the main difference is that Intercept X's scanning is mainly geared towards runtime protection, as opposed to observing the read/write of files. 
It sounds like Windows Defender is seeing the files being written before Intercept X does, which results in the files being cleaned up before Sophos is able to raise a detection. 

Regarding the Microsoft Security Center not recognizing that Intercept X is installed, I will try finding out more on this for you and update this thread in the coming days.

Dear Qoosh,

in one of the postings above, LHerzog already suggested to disable Defender and I already answered, when I do so, this has no effect on the Intercept X behaviour.

Regards
ranX

I think the basic issue here is:

The client knows, that there is an expired trial license somewhere for this installation, even if it may/should have been replaced by a paid license (maybe  with less features than the trial and therefore declining to function??)

Have you tried to remove the client by using the Sophos zap tool? This should delete any Sophos Software completely (hopefully also expired licenses). And then afterwards reinstall by using a fresh installer directly from Central.

If this is unable to fix it I guess, the information about the trial is stored in Central and applied by the client and can probably only be resolved by Central support team.

I think the issue is the handling of licenses in Sophos Central.

A short history:
We started our testing when already having a bunch of activated, valid paid licenses in Sophos Central abouth two months ago.
We installed one test VM, which already failed in the described way.
My colleague temporarily solved this by activating the Intercept X Advanced Trial.

After 30 days, when the trial period expired, we fell back to our basic Intercept X License.

The four machines, I referred to above, where completely new installations, which had never seen Sophos before.
So this is no issue of trial license remains but an issue of license handling within Sophos Central.

I have filed this as issue and our Sophos Parnter is "very happy" he has to contact Sophos Support.
I understand his pain, as I have done a migration of our Sophos UTM to XG a three months before.
This also involved waiting two weeks for the support's answer.
(plus many more pain as XG is way beyond UTM according to usability ...)

Both products should provide my company's data security - both ran miserably from the beginning.
I am doing this business for more than two decades now; rolled out security solutions from several vendors,
but NEVER had such poor overall performance of product and support !

No matter what will happen from now on, Sophos have eagerly worked themselves to my personal blacklist.
I will happily replace this bunch of crap as soon as the licenses are expired.
To be true I can't await the day ....

Sorry for these harsh words, but I'm so fed up with Sophos, yuck !

Hello RanX,

Over the past several months, we have increased our support staff by ~20%, and our team is 100% focused on delivering high-quality, timely support. We’re seeing gradual improvements in performance, and we expect those improvements to continue over the course of the next few weeks and months. 

I was able to find some discrepancies when testing this on my end, and I believe I have found a solution that will get things working as expected. I will reach out to you via PM to request details on your account to inquire internally to get this addressed. If you do still choose to go a different route, that is entirely understandable. I want to do anything I can to help out as is. 

Cheers,