
Sophos Endpoint/InterceptX File Scanner Service frequent stop

We use Endpoint/InterceptX and have had the occasional Sophos File Scanner Service stopped issue, but never to the extent we are now. It's been picking up in frequency, and today between myself and another IT team member we've had to restart the service almost 20 times today on different Win10 machines.

Is there something I can look for in the logs regarding this? Most if not all of these machines are using a domain account that is fairly limited in permissions. I've been wondering if it could be an update issue?

It's not been a big hassle until now, just going to the machine in question, starting services as a local administrator (can't use domain admin because machines are in isolation) and starting the File Scanner service, but if we have to do it 20 times a day, it is kind of a hassle.

Thanks for any info, tips, pointers, etc.

Versions:

Core Agent: 2.20.4.1
Endpoint Advanced: 10.8.11.3
Sophos Intercept X: 2.20.23
Managed Threat Response: 2.3.0.68

This thread was automatically locked due to age.
  • UPDATE 12/6/2021 - The following advisory KBA has been published regarding this issue: KB-000043513



    Hello Marco, 

    Thank you for reaching out to the Sophos Community Forum. 

    One suggestion I was able to find is as follows. This will increase the grace period for service-startup so that the SFS service will be given more time to come online fully. 
    - The Windows Trace Session Manager service does not start and Event ID 7000 occurs

    An alternative option for Isolated machines if you do not wish to make the changes outlined in the article above is as follows. This will require an XDR or MTR license to perform. 
    - Enable Live Discover from "Global Settings"
    - When a device enters the "Isolated" state, start a "Live Response" session
    - Enter: sc start "Sophos File Scanner Service" 
    - Enter: sc query "Sophos File Scanner Service"

    Let me know if either of these suggestions helps.

    Kushal Lakhan
    Team Lead, Global Community Support


    Updated with advisory KB
    [edited by: Qoosh at 6:05 PM (GMT -8) on 6 Dec 2021]
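
For the question above about what to look for in the logs, and the Event ID 7000 reference in the reply, one way to pull the relevant Service Control Manager events on an affected machine. This is an added example, not part of the thread and not Sophos tooling; the event IDs other than 7000 and the 7-day lookback are assumptions chosen here.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the affected Windows 10 machine.
$serviceName  = 'Sophos File Scanner Service'  # name used with sc start/query in the thread
$lookbackDays = 7                              # assumption: widen or narrow as needed

# Service Control Manager events that record start failures and unexpected stops:
#   7000 failed to start          7009 timeout waiting for the service to connect
#   7011 control request timeout  7023/7024 terminated with an error
#   7031/7034 terminated unexpectedly
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7009, 7011, 7023, 7024, 7031, 7034
    StartTime    = (Get-Date).AddDays(-$lookbackDays)
}

# Keep only events whose message names the File Scanner service.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$serviceName*" })

if ($events.Count -eq 0) {
    Write-Host "No matching SCM events for '$serviceName' in the last $lookbackDays days."
} else {
    # Count per day and event ID: shows whether the frequency is rising and
    # whether the failures are start timeouts (7000/7009) or crashes (7031/7034).
    $events |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') }, Id |
        Sort-Object Name |
        Select-Object Name, Count |
        Format-Table -AutoSize | Out-Host

    # Most recent events with full message text (error code, timeout value).
    $events |
        Sort-Object TimeCreated -Descending |
        Select-Object -First 10 TimeCreated, Id, Message |
        Format-List | Out-Host
}

# Current state, start mode and last exit code of the service itself.
Get-CimInstance Win32_Service -Filter "Name='$serviceName'" |
    Select-Object Name, State, StartMode, ExitCode, StartName |
    Format-List | Out-Host
```

A cluster of 7000/7009 entries shortly after boot points at the start-up timeout the reply describes, while 7031/7034 entries at other times indicate the service stopping after it was already running.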