Sophos System Protection Service stopped when Cisco AnyConnect client connects to VPN

We probably need a little more information.

Does "Sophos Health Service" report the "Sophos System Protection Service", the process being: "C:\Program Files\Sophos\Endpoint Defense\SSPService.exe" as stopped?

When started: "service.Sophos System Protection Service" under

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\Status

is 0, when stopped it is 1.

C:\ProgramData\Sophos\Health\Logs\Health.log would have the details over time. E.g. When the service transitions from running to stopped you would get, the grace period followed by the event which ends up in the UI and being reported to Central.

2022-05-24T20:21:35.843Z [ 4696: 5744] I Ignored service check results: one or more service(s) not running for the first time
2022-05-24T20:21:50.883Z [ 4696: 5744] I Ignored service check results: one or more service(s) not running for the first time
2022-05-24T20:22:05.927Z [ 4696: 5744] I Ignored service check results: one or more service(s) not running for the first time
2022-05-24T20:22:20.962Z [ 4696: 5744] I Ignored service check results: one or more service(s) not running for the first time
2022-05-24T20:22:36.020Z [ 4696: 5744] I Posting service stopped event: d96e353c-0d13-42f7-83a4-ad1cc88428e6 Sophos System Protection Service (threat service)
2022-05-24T20:22:36.275Z [ 4696: 5728] I Processing event id: 8832e309-9406-4207-9d77-00fc28fd4895
2022-05-24T20:22:36.279Z [ 4696: 5728] I Health state has changed to - Overall: 3, Service: 3, Threat: 1

You can find a trail of these events here: C:\ProgramData\Sophos\Health\Event Store\Trail\

C:\ProgramData\Sophos\Endpoint Defense\Logs\ssp.log is the log of the service.  Does that show the service is erroring when it transitions?  Is it crashing?  Anything in the Windows Application Event log from the Windows Error Reporting source?

We probably need a little more information.

Does "Sophos Health Service" report the "Sophos System Protection Service", the process being: "C:\Program Files\Sophos\Endpoint Defense\SSPService.exe" as stopped?

When started: "service.Sophos System Protection Service" under

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\Status

is 0, when stopped it is 1.

C:\ProgramData\Sophos\Health\Logs\Health.log would have the details over time. E.g. When the service transitions from running to stopped you would get, the grace period followed by the event which ends up in the UI and being reported to Central.

2022-05-24T20:21:35.843Z [ 4696: 5744] I Ignored service check results: one or more service(s) not running for the first time
2022-05-24T20:21:50.883Z [ 4696: 5744] I Ignored service check results: one or more service(s) not running for the first time
2022-05-24T20:22:05.927Z [ 4696: 5744] I Ignored service check results: one or more service(s) not running for the first time
2022-05-24T20:22:20.962Z [ 4696: 5744] I Ignored service check results: one or more service(s) not running for the first time
2022-05-24T20:22:36.020Z [ 4696: 5744] I Posting service stopped event: d96e353c-0d13-42f7-83a4-ad1cc88428e6 Sophos System Protection Service (threat service)
2022-05-24T20:22:36.275Z [ 4696: 5728] I Processing event id: 8832e309-9406-4207-9d77-00fc28fd4895
2022-05-24T20:22:36.279Z [ 4696: 5728] I Health state has changed to - Overall: 3, Service: 3, Threat: 1

You can find a trail of these events here: C:\ProgramData\Sophos\Health\Event Store\Trail\

C:\ProgramData\Sophos\Endpoint Defense\Logs\ssp.log is the log of the service.  Does that show the service is erroring when it transitions?  Is it crashing?  Anything in the Windows Application Event log from the Windows Error Reporting source?