This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Endpoint/InterceptX File Scanner Service frequent stop

We use Endpoint/InterceptX and have had the occasional Sophos File Scanner Service stopped issue, but never to the extent we are now. It's been picking up in frequency and today between myself and other IT team member we've had to restart the service almost 20 times today on different Win10 machines

Is there something I can look for this in the logs regarding this. Most if not all of these machines are using a domain account that is fairly limited in permissions, I've been wondering if it could be an update issue?

It's not been a big hassle until now, just going to the machine in question, starting services as a local administrator (can't use domain admin because machines are in isolation) and starting the File Scanner service but if we have to do it 20 times a day, it is kind of a hassle

Thanks for any info, tips, pointers, etc   

Versions:

Core Agent      2.20.4.1
Endpoint Advanced     10.8.11.3
Sophos Intercept X      2.20.23
Managed Threat Response    2.3.0.68

Core Agent      2.20.4.1



This thread was automatically locked due to age.
Parents
  • Are the computers seeing the issue lower spec?  E.g. Spinning disks?

    If you restart these computers, do you find that's when the service fails to start?  Does it fail 1/10 8/10, etc..?

    Do you see anything in the Windows Event Log to suggest the service timed out starting? 

    The ServicesPipeTimeout DWORD reg value under: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" could help with that, I.e. increase the default from 30000 ms to 60000 ms for example

    If you can reproduce the issue, or know that restarting the computer will cause it. Could it be related to the size of the log file "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFS.log" when it fails?

    I'd be interested to know, if you stop the SFS service (disable Tamper first), rename the file out of the way but for reference, then restart the computer, such that a new log is created at boot when it next starts, do you see the issue then?

Reply
  • Are the computers seeing the issue lower spec?  E.g. Spinning disks?

    If you restart these computers, do you find that's when the service fails to start?  Does it fail 1/10 8/10, etc..?

    Do you see anything in the Windows Event Log to suggest the service timed out starting? 

    The ServicesPipeTimeout DWORD reg value under: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" could help with that, I.e. increase the default from 30000 ms to 60000 ms for example

    If you can reproduce the issue, or know that restarting the computer will cause it. Could it be related to the size of the log file "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFS.log" when it fails?

    I'd be interested to know, if you stop the SFS service (disable Tamper first), rename the file out of the way but for reference, then restart the computer, such that a new log is created at boot when it next starts, do you see the issue then?

Children
No Data