PC cannot connect to any wi-fi - Sophos Endpoint is not allowing it.

Hi everyone,

Two PCs in the organization I manage can no longer connect to any wi-fi (office, home or hotspot).

The users reported that the issue started on Thursday 16/06/2022. They were suddenly disconnected from the wi-fi they were connected to, and from that time could no longer reconnect, or connect to any other wi-fi.

I have reset the wi-fi adapter, and attempted to update (using a LAN cable for internet connection) – but Microsoft reported that the driver is up to date.

However, after I uninstalled Sophos Intercept X Endpoint that was running on both PCs, they could connect to any wi-fi normally as before, but upon re-installation of the Endpoints, the issue came up again.

I formatted one of the PCs and reloaded the Operating System. It could connect to wi-fi, but once I installed the Sophos Endpoint, it could no longer connect; “Can’t connect to this network” is the message displayed after entering the wi-fi password.

I connected a USB wi-fi adapter (manufactured by Realtek) on one of the PCs, and the PC could connect to wi-fi normally with it.

The PC model is HP 250 G2

OS is Windows 10 Pro

The wi-fi adapter model is QCWB335 (written on the adapter card)

The wi-fi manufacturer is Qualcomm Atheros

*But the driver installed for it by Microsoft which had been working is Qualcomm-Atheros-QCA9565, as seen in Device Manager

 

I am suspecting that there must have been an update from Sophos that is causing this abnormal behaviour, because all other systems in the organization are working fine right now.

I need help to fix this as soon as possible.

Thanks



Added tags
[edited by: Gladys at 6:36 AM (GMT -7) on 25 Jul 2022]
  • To consolidate the above comments, I believe the best course of action here is as follows. The information is divided into steps for end users to carry out at the computer and steps for Sophos Central admins. 


    End users
    If you are no longer able to connect to the wireless network via your Atheros network adapter, here are some options:

    Note: To check if you have an Atheros wireless network adapter, from Device Manager, expand the list of "Network adapters".



    Option 1
    Connect using a different network interface, e.g. use a Wi-Fi dongle or use a wired connection temporarily if possible. You may need to disable the Atheros adapter first when using a Wi-Fi dongle option so the Wi-Fi dongle is used.
    If your admin is aware of this issue, you may get a policy to work around the issue shortly afterwards, see below for evidence. Either way, you may want to let your Sophos Central admin or IT department know about this issue you are having.

    Option 2
    If Tamper protection isn't enabled on the computer AND you're a local admin:

    Note: To check if Tamper Protection is enabled or disabled on your device, you can launch the Sophos UI (blue shield in the notification tray). 


    If tamper protection is enabled, you will see a sign-in button as shown below:

    If tamper protection is disabled, you should see a "Settings" tab to the right of the "Detections" tab and the "Admin sign-in" button does not appear. You can confirm on the "Settings" page with the "Tamper Protection" slider being on or off.

    See the options below to proceed based on this information:

    Tamper protection is enabled

    You will need to contact your Sophos Central administrator or IT department and inform them of this post and the steps they need to take. You can mention that the IPS feature of Sophos is preventing your Atheros network card from connecting to the Wi-Fi. Option 1 above is the only real option without involving a Sophos administrator.


    Tamper protection is disabled and you are a local administrator

    Stop the "Sophos Network Threat Protection" service in the Services MMC snap-in, (services.msc). If the option is greyed out, check Tamper Protection is disabled and that you are running services.msc as admin.

    Tip: If Tamper Protection is off, you can also stop the service from Windows Task Manager ("Services" tab) if that is easier.

    1. Launch Regedit.exe
    Important: Usual disclaimer applies here, if you don't feel confident editing the registry, ask someone else as making mistakes in the registry can prevent the computer booting.

    2. Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\NetworkPerimeter
    Make a note of the "latest" value number.

    3. Expand the NetworkPerimeter key, you should then see a sub-key with the same number as in latest.

    For example, if latest had the value 20220624143424557980, you are looking in the key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\NetworkPerimeter\20220624143424557980

    4. Note the intrusion_prevention_system_enabled value under this key.
    If this is a 1, then IPS is enabled, if it's a 0, it is off and you may have a different issue.  If restarting the "Sophos Network Threat Protection" service when this value is 0 doesn't help, then you possibly have a different issue to that covered here.

    5. Set the value to 0 if it was 1.

    6. Optionally: In the Sophos interface, on the "Settings" page, check, "Override Sophos Central Policy for up to 4 hours to troubleshoot". This will prevent a policy with the IPS feature still enabled being re-applied for the 4 hours. That said, if you are in conversation with your Sophos Central administrator and they are aware of the issue, do not use this option as it may prevent the policy with IPS disabled from being processed during this time.

    7. Start the "Sophos Network Threat Protection" service.

    8. Confirm you can connect to the Wi-Fi as normal.  



    In all cases, you may want to inform your Sophos admin about this post, notify them they can turn off IPS in policy to enable any devices which have Atheros NICs.


    Sophos Central Admins
    You may have one or more users which are unable to connect to their wireless networks if they are using Atheros network adapters.

    This problem appears to be due to the IPS feature in Sophos Endpoint release 2022.1.1.3 with Atheros adapters.

    In Sophos Central this version will show in the Device details as follows:

    At the endpoint:

    Below are a few options to help in addition to that provided in the "End users" section above.

    Option 1
    Identify any computers using Atheros network adapters that could be affected. For computers that are able to connect, e.g. they are currently in the office but could have issues when they go home, you may be able to use Live Query if this is a feature you have. E.g. create a new query, the core of the query being as follows:

    select mac, description, manufacturer, connection_id, physical_adapter, enabled, connection_status, service 
    from interface_details
    where physical_adapter=1 and 
    (manufacturer like '%theros%' or description like '%atheros%')


    From the exported csv file, you have a list of potentially impacted computers.

    Note: As Live Query can only operate on computers that are online, and there isn't a data lake query with NIC details: You may need to use another source such as Peripheral Control information detailed below.

    Option 2
    If you have Peripheral Control enabled, you might have information in the Central Events report you can export to a CSV.
    https://cloud.sophos.com/manage/reports/protection/events/create 

    For the computers affected, until an official update from Sophos, the best option I believe is to disable just the IPS feature in the Threat Protection policy:

    If any end users contact you to get them back online, if Tamper Protection is enabled on their device, your options are:

    Option 1
    Ask them to connect via a different network adapter, e.g. a wired adapter, to get the policy to disable IPS, or

    Option 2
    Provide them with the tamper protection password for their device which you can find in Sophos Central on the device page.  They can then follow the steps in the End Users section.

    Note: They will need to be local admin. You will have to use your best judgement if they are OK to have the password temporarily. It is recommended you generate a new password in Sophos Central for the device.

    As mentioned above, if you are on the call with the user, then they will not need to use the "Override Sophos Central Policy for up to 4 hours to troubleshoot", you should be able to confirm they get the policy once connected. This should only take around 1 minute. If the computer is shown as "Central management has been suspended" for the device they will not receive the policy until management is resumed, either by the 4 hours timing out or the user toggling the policy.

    You can confirm in the highlighted registry location detailed in the End User section above. I.e. intrusion_prevention_system_enabled is set to 0. 


    Once they receive the policy, they will need to restart the "Sophos Network Threat Protection" service or reboot.

    Hopefully this is helpful information.
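
The registry check from steps 2 to 4 of the reply above, which is also the confirmation it describes for admins, as a read-only PowerShell script. This is an added example, not part of the original post and not a Sophos tool; the function name and output fields are hypothetical, and it assumes the two registry values can be cast to string and integer as shown.

```powershell
# Added example: reports the IPS policy state without changing anything.
# Registry path, value names and service display name are taken from the post.
$PolicyRoot  = 'HKLM:\SOFTWARE\Sophos\Management\Policy\NetworkPerimeter'
$ServiceName = 'Sophos Network Threat Protection'   # display name

function Get-SophosIpsPolicyState {   # hypothetical helper name
    if (-not (Test-Path -LiteralPath $PolicyRoot)) {
        throw "Policy key not found: $PolicyRoot"
    }

    # Step 2: "latest" holds the name of the sub-key with the current policy.
    $latest = [string](Get-ItemProperty -LiteralPath $PolicyRoot -Name 'latest' -ErrorAction Stop).latest

    # Step 3: the sub-key named by "latest" must exist.
    $policyKey = Join-Path $PolicyRoot $latest
    if (-not (Test-Path -LiteralPath $policyKey)) {
        throw "Sub-key named by 'latest' is missing: $policyKey"
    }

    # Step 4: 1 = IPS enabled, 0 = IPS off (assumed castable to int).
    $name = 'intrusion_prevention_system_enabled'
    $ips  = [int](Get-ItemProperty -LiteralPath $policyKey -Name $name -ErrorAction Stop).$name

    # Context for the result: service state and any physical Atheros adapters.
    $svc     = Get-Service -DisplayName $ServiceName -ErrorAction SilentlyContinue
    $atheros = @(Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
                 Where-Object { $_.InterfaceDescription -like '*atheros*' })

    $serviceStatus = if ($svc) { [string]$svc.Status } else { 'NotFound' }
    $finding = if ($ips -eq 1 -and $atheros.Count -gt 0) {
        'IPS enabled on a computer with an Atheros adapter: matches the issue in this thread'
    } elseif ($ips -eq 1) {
        'IPS enabled, no physical Atheros adapter found'
    } else {
        'IPS already off in the applied policy: a remaining Wi-Fi problem may be a different issue'
    }

    [pscustomobject]@{
        LatestPolicy    = $latest
        IpsEnabled      = ($ips -eq 1)
        ServiceStatus   = $serviceStatus
        AtherosAdapters = ($atheros | ForEach-Object { $_.InterfaceDescription }) -join '; '
        Finding         = $finding
    }
}

Get-SophosIpsPolicyState | Format-List
```

After a policy with IPS disabled has been received, `IpsEnabled` should read `False`; the service restart or reboot described in the reply is still needed afterwards.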
