
Sophos System Protection Service stopped when Cisco AnyConnect client connects to VPN

Hi,

Our customer is complaining that for about three weeks the Sophos System Protection Service has been reported as "stopped" by the Sophos Endpoint when the Cisco AnyConnect client has established a VPN connection to their customer.

The stopped service leads the endpoint to isolate itself, which interrupts the VPN...

Is this a known problem?

Regards
Andreas



This thread was automatically locked due to age.
  • We probably need a little more information.

    Does "Sophos Health Service" report the "Sophos System Protection Service", the process being: "C:\Program Files\Sophos\Endpoint Defense\SSPService.exe" as stopped?

    When started: "service.Sophos System Protection Service" under

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\Status

    is 0, when stopped it is 1.

    C:\ProgramData\Sophos\Health\Logs\Health.log would have the details over time. E.g. when the service transitions from running to stopped, you would get the grace period followed by the event which ends up in the UI and is reported to Central.

    2022-05-24T20:21:35.843Z [ 4696: 5744] I Ignored service check results: one or more service(s) not running for the first time
    2022-05-24T20:21:50.883Z [ 4696: 5744] I Ignored service check results: one or more service(s) not running for the first time
    2022-05-24T20:22:05.927Z [ 4696: 5744] I Ignored service check results: one or more service(s) not running for the first time
    2022-05-24T20:22:20.962Z [ 4696: 5744] I Ignored service check results: one or more service(s) not running for the first time
    2022-05-24T20:22:36.020Z [ 4696: 5744] I Posting service stopped event: d96e353c-0d13-42f7-83a4-ad1cc88428e6 Sophos System Protection Service (threat service)
    2022-05-24T20:22:36.275Z [ 4696: 5728] I Processing event id: 8832e309-9406-4207-9d77-00fc28fd4895
    2022-05-24T20:22:36.279Z [ 4696: 5728] I Health state has changed to - Overall: 3, Service: 3, Threat: 1

    You can find a trail of these events here: C:\ProgramData\Sophos\Health\Event Store\Trail\

    C:\ProgramData\Sophos\Endpoint Defense\Logs\ssp.log is the log of the service.  Does that show the service is erroring when it transitions?  Is it crashing?  Anything in the Windows Application Event log from the Windows Error Reporting source?
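To line up the "stopped" report with the moment the VPN tunnel comes up, the Health.log pattern described in the reply above can be extracted with a short script. This is an added example, not part of the original reply and not Sophos code; it assumes the line layout shown in the excerpt, and the 60-second gap threshold and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Health.log excerpt copied from the reply above.
SAMPLE = """\
2022-05-24T20:21:35.843Z [ 4696: 5744] I Ignored service check results: one or more service(s) not running for the first time
2022-05-24T20:21:50.883Z [ 4696: 5744] I Ignored service check results: one or more service(s) not running for the first time
2022-05-24T20:22:05.927Z [ 4696: 5744] I Ignored service check results: one or more service(s) not running for the first time
2022-05-24T20:22:20.962Z [ 4696: 5744] I Ignored service check results: one or more service(s) not running for the first time
2022-05-24T20:22:36.020Z [ 4696: 5744] I Posting service stopped event: d96e353c-0d13-42f7-83a4-ad1cc88428e6 Sophos System Protection Service (threat service)
2022-05-24T20:22:36.275Z [ 4696: 5728] I Processing event id: 8832e309-9406-4207-9d77-00fc28fd4895
2022-05-24T20:22:36.279Z [ 4696: 5728] I Health state has changed to - Overall: 3, Service: 3, Threat: 1
"""

LINE = re.compile(r"^(\S+) \[\s*\d+:\s*\d+\] \w (.*)$")
STOPPED = re.compile(r"^Posting service stopped event: (\S+) (.+) \((.+)\)$")
HEALTH = re.compile(r"^Health state has changed to - Overall: (\d+), Service: (\d+), Threat: (\d+)$")
# Assumption: "Ignored" lines further apart than this are separate outages (excerpt shows ~15 s checks).
MAX_GAP = timedelta(seconds=60)

def find_stop_incidents(text):
    """Return one dict per 'service stopped' event, with the grace period that preceded it."""
    incidents, first_down, last_down = [], None, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        ts, msg = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ"), m.group(2)
        if msg.startswith("Ignored service check results"):
            if last_down is None or ts - last_down > MAX_GAP:
                first_down = ts  # a new grace period starts here
            last_down = ts
        elif (s := STOPPED.match(msg)):
            # Only trust the grace-period start if the last failed check is recent.
            fresh = last_down is not None and ts - last_down <= MAX_GAP
            start = first_down if fresh else ts
            incidents.append({
                "first_down": start, "reported": ts,
                "grace_seconds": (ts - start).total_seconds(),
                "event_id": s.group(1), "service": s.group(2),
                "category": s.group(3), "health": None,
            })
            first_down = last_down = None
        elif (h := HEALTH.match(msg)) and incidents and incidents[-1]["health"] is None:
            incidents[-1]["health"] = dict(zip(("overall", "service", "threat"), map(int, h.groups())))
    return incidents

if __name__ == "__main__":
    for inc in find_stop_incidents(SAMPLE):
        print(inc["first_down"].isoformat(), inc["service"], inc["grace_seconds"], inc["health"])
```

The `first_down` timestamp, not the later "reported" one, is the value to compare against the AnyConnect connect time, since the event is only posted after the grace period.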
