We use Endpoint/InterceptX and have had the occasional Sophos File Scanner Service stopped issue, but never to the extent we are now. It's been picking up in frequency, and today between myself and another IT team member we've had to restart the service almost 20 times on different Win10 machines.

Is there something I can look for in the logs regarding this? Most if not all of these machines are using a domain account that is fairly limited in permissions. I've been wondering if it could be an update issue?

It's not been a big hassle until now, just going to the machine in question, starting services as a local administrator (can't use domain admin because machines are in isolation) and starting the File Scanner service, but if we have to do it 20 times a day, it is kind of a hassle.

Thanks for any info, tips, pointers, etc.

Versions:
- Core Agent 184.108.40.206
- Endpoint Advanced 10.8.11.3
- Sophos Intercept X 2.20.23
- Managed Threat Response 220.127.116.11
Core Agent 18.104.22.168
UPDATE 12/6/2021 - The following advisory KBA has been published regarding this issue KB-000043513
Thank you for reaching out to the Sophos Community Forum.
One suggestion I was able to find is as follows. This will increase the grace period for service-startup so that the SFS service will be given more time to come online fully.
- The Windows Trace Session Manager service does not start and Event ID 7000 occurs

An alternative option for Isolated machines if you do not wish to make the changes outlined in the article above is as follows. This will require an XDR or MTR license to perform.
- Enable Live Discover from "Global Settings"
- When a device enters the "Isolated" state, start a "Live Response" session
- Enter: sc start "Sophos File Scanner Service"
- Enter: sc query "Sophos File Scanner Service"
Let me know if either of these suggestions help.
Thanks!! I will definitely try this out and let you know how it goes, appreciate it!
Kushal - We do have MTR here and the Live Response works like a charm!! This will save us a lot of time, thank you!
Are the computers seeing the issue lower spec? E.g. Spinning disks?
If you restart these computers, do you find that's when the service fails to start? Does it fail 1/10, 8/10, etc.?
Do you see anything in the Windows Event Log to suggest the service timed out starting?
The ServicesPipeTimeout DWORD reg value under: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" could help with that, i.e. increase the default from 30000 ms to 60000 ms, for example.
If you can reproduce the issue, or know that restarting the computer will cause it, could it be related to the size of the log file "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFS.log" when it fails?
I'd be interested to know, if you stop the SFS service (disable Tamper first), rename the file out of the way but for reference, then restart the computer, such that a new log is created at boot when it next starts, do you see the issue then?
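The checks asked about in the reply above (service state, the ServicesPipeTimeout value, the SophosFS.log size and service start failures in the System event log) can be collected in one read-only pass. This is an added example, not part of the original thread or any Sophos tooling; the seven-day window and the extra Service Control Manager event IDs 7009 and 7011 (start and response timeouts) alongside the thread's 7000 are assumptions.

```powershell
# Added diagnostic example (read-only). Run in an elevated PowerShell session
# or a Live Response shell on an affected machine.
$serviceName = 'Sophos File Scanner Service'   # name used with sc in this thread
$logPath     = 'C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFS.log'
$controlKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$lookback    = (Get-Date).AddDays(-7)          # assumption: one week of history

# 1. Current service state
$svc   = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
$state = if ($svc) { $svc.Status } else { 'service not found' }

# 2. ServicesPipeTimeout: when the value is absent, Windows uses 30000 ms
$prop    = Get-ItemProperty -Path $controlKey -Name ServicesPipeTimeout -ErrorAction SilentlyContinue
$timeout = if ($prop) { "$($prop.ServicesPipeTimeout) ms" } else { 'not set (default 30000 ms)' }

# 3. Size of the scanner log that the reply suspects may slow startup
$log   = Get-Item -LiteralPath $logPath -ErrorAction SilentlyContinue
$logMB = if ($log) { [math]::Round($log.Length / 1MB, 1) } else { 'log not found' }

# 4. Service Control Manager start failures and timeouts naming the scanner service
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7009, 7011
    StartTime    = $lookback
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Sophos File Scanner*' } |
    Sort-Object TimeCreated

# Summary first, then each matching event with its timestamp
[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    ServiceState        = $state
    ServicesPipeTimeout = $timeout
    SophosFSLogMB       = $logMB
    FailureEvents       = @($events).Count
} | Format-List

$events | Select-Object TimeCreated, Id, Message | Format-List
```

Comparing the event timestamps with boot times shows whether the failures cluster at startup, which is the case where a longer ServicesPipeTimeout would be expected to help.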