Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 13 subscribers
  • Views 3535 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Endpoint/InterceptX File Scanner Service frequent stop

Marco Bartholomew

We use Endpoint/InterceptX and have had the occasional Sophos File Scanner Service stopped issue, but never to the extent we are now. It's been picking up in frequency and today between myself and other IT team member we've had to restart the service almost 20 times today on different Win10 machines

Is there something I can look for this in the logs regarding this. Most if not all of these machines are using a domain account that is fairly limited in permissions, I've been wondering if it could be an update issue?

It's not been a big hassle until now, just going to the machine in question, starting services as a local administrator (can't use domain admin because machines are in isolation) and starting the File Scanner service but if we have to do it 20 times a day, it is kind of a hassle

Thanks for any info, tips, pointers, etc   

Versions:

Core Agent      2.20.4.1
Endpoint Advanced     10.8.11.3
Sophos Intercept X      2.20.23
Managed Threat Response    2.3.0.68

Core Agent      2.20.4.1



This thread was automatically locked due to age.
  • +1

    UPDATE 12/6/2021 - The following advisory KBA has been published regarding this issue KB-000043513


    Hello Marco, 

    Thank you for reaching out to the Sophos Community Forum. 

    One suggestion I was able to find is as follows. This will increase the grace period for service-startup so that the SFS service will be given more time to come online fully. 
    - The Windows Trace Session Manager service does not start and Event ID 7000 occurs

    An alternative option for Isolated machines if you do not wish to make the changes outlined in the article above is as follows. This will require an XDR or MTR license to perform. 
    - Enable Live Discover from "Global Settings"
    - When a device enters the "Isolated" state, start a "Live Response" session
    - Enter: sc start "Sophos File Scanner Service" 
    - Enter: sc query "Sophos File Scanner Service"

    Let me know if either of these suggestions help.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids


    Updated with advisory KB
    [edited by: Qoosh at 6:05 PM (GMT -8) on 6 Dec 2021]
  • 0 in reply to Qoosh

    Thanks!! I will definitely try this out and let you know how it goes, appreciate it!

  • 0 in reply to Qoosh

    Kushal -

    We do have MTR here and the Live Response works like a charm!! This will save us a lot of time, thank you!

  • 0

    Are the computers seeing the issue lower spec?  E.g. Spinning disks?

    If you restart these computers, do you find that's when the service fails to start?  Does it fail 1/10 8/10, etc..?

    Do you see anything in the Windows Event Log to suggest the service timed out starting? 

    The ServicesPipeTimeout DWORD reg value under: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" could help with that, I.e. increase the default from 30000 ms to 60000 ms for example

    If you can reproduce the issue, or know that restarting the computer will cause it. Could it be related to the size of the log file "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFS.log" when it fails?

    I'd be interested to know, if you stop the SFS service (disable Tamper first), rename the file out of the way but for reference, then restart the computer, such that a new log is created at boot when it next starts, do you see the issue then?

Unfiltered HTML