Sophos Endpoint/InterceptX File Scanner Service frequent stop

We use Endpoint/InterceptX and have had the occasional Sophos File Scanner Service stopped issue, but never to the extent we are now. It's been picking up in frequency, and today between myself and another IT team member we've had to restart the service almost 20 times on different Win10 machines.

Is there something I can look for in the logs regarding this? Most if not all of these machines are using a domain account that is fairly limited in permissions; I've been wondering if it could be an update issue?

It's not been a big hassle until now, just going to the machine in question, starting services as a local administrator (can't use domain admin because machines are in isolation) and starting the File Scanner service, but if we have to do it 20 times a day, it is kind of a hassle.

Thanks for any info, tips, pointers, etc.

Versions:

Core Agent      2.20.4.1
Endpoint Advanced     10.8.11.3
Sophos Intercept X      2.20.23
Managed Threat Response    2.3.0.68

Added TAGs
[edited by: Qoosh at 11:20 PM (GMT -8) on 2 Dec 2021]

Top Replies

  • UPDATE 12/6/2021 - The following advisory KBA has been published regarding this issue KB-000043513



    Hello Marco, 

    Thank you for reaching out to the Sophos Community Forum. 

    One suggestion I was able to find is as follows. This will increase the grace period for service-startup so that the SFS service will be given more time to come online fully. 
    - The Windows Trace Session Manager service does not start and Event ID 7000 occurs

    An alternative option for Isolated machines if you do not wish to make the changes outlined in the article above is as follows. This will require an XDR or MTR license to perform. 
    - Enable Live Discover from "Global Settings"
    - When a device enters the "Isolated" state, start a "Live Response" session
    - Enter: sc start "Sophos File Scanner Service" 
    - Enter: sc query "Sophos File Scanner Service"

    Let me know if either of these suggestions help.

    Kushal Lakhan
    Global Community Support Engineer


    Updated with advisory KB
    [edited by: Qoosh at 6:05 PM (GMT -8) on 6 Dec 2021]
  • Thanks!! I will definitely try this out and let you know how it goes, appreciate it!

  • Kushal -

    We do have MTR here and the Live Response works like a charm!! This will save us a lot of time, thank you!

  • Are the computers seeing the issue lower spec, e.g. spinning disks?

    If you restart these computers, do you find that's when the service fails to start?  Does it fail 1/10, 8/10, etc.?

    Do you see anything in the Windows Event Log to suggest the service timed out starting? 

    The ServicesPipeTimeout DWORD reg value under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" could help with that, i.e. increase the default from 30000 ms to 60000 ms, for example.

    If you can reproduce the issue, or know that restarting the computer will cause it, could it be related to the size of the log file "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFS.log" when it fails?

    I'd be interested to know, if you stop the SFS service (disable Tamper first), rename the file out of the way but for reference, then restart the computer, such that a new log is created at boot when it next starts, do you see the issue then?
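
The checks suggested in this thread (service state, ServicesPipeTimeout, Service Control Manager events, size of SophosFS.log) gathered into one read-only PowerShell script. This is an added example, not part of any post above and not Sophos tooling; the seven-day look-back window and the extra event IDs 7009, 7011, 7031 and 7034 are assumptions beyond the Event ID 7000 mentioned in the thread.

```powershell
# Read-only triage; changes nothing. Run from an elevated prompt on the affected machine.
$serviceName = 'Sophos File Scanner Service'   # name as passed to "sc start" in the thread
$logPath     = 'C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFS.log'
$controlKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$since       = (Get-Date).AddDays(-7)          # assumed look-back window

# 1. Current state of the service (match on either key name or display name).
Get-CimInstance Win32_Service -Filter "Name='$serviceName' OR DisplayName='$serviceName'" |
    Select-Object Name, DisplayName, State, StartMode, ExitCode

# 2. Service start-up grace period. If the value is absent, the default applies.
$timeout = (Get-ItemProperty -Path $controlKey -Name ServicesPipeTimeout `
            -ErrorAction SilentlyContinue).ServicesPipeTimeout
if ($null -eq $timeout) {
    'ServicesPipeTimeout: not set (default 30000 ms)'
} else {
    "ServicesPipeTimeout: $timeout ms"
}

# 3. Service Control Manager events that name the scanner service.
#    7000 = failed to start, 7009/7011 = timeout, 7031/7034 = terminated unexpectedly.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7009, 7011, 7031, 7034
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Sophos File Scanner*' }

# Count per event ID shows whether this is a start-up timeout or a crash pattern.
$events | Group-Object Id | Select-Object @{n='EventId'; e={$_.Name}}, Count
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, Message | Format-List

# 4. Size and age of the scanner log, to compare against the failure times above.
if (Test-Path -LiteralPath $logPath) {
    Get-Item -LiteralPath $logPath |
        Select-Object FullName,
            @{n='SizeMB'; e={[math]::Round($_.Length / 1MB, 1)}},
            LastWriteTime
} else {
    "Log file not found: $logPath"
}
```

On isolated machines the same script can be pasted into a Live Response session, as described in the first reply.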