This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

PC cannot connect to any wi-fi - Sophos Endpoint is not allowing it.

Hi everyone,

Two PCs in the organization I manage can no longer connect to any wi-fi(office, home or hotspot).

The users reported that the issue started on Thursday 16/06/2022. They were suddenly disconnected from the wi-fi they were connected to, and from tat time could no longer reconnect, or connect to any other wi-fi.

I have reset the wi-fi adapter, and attempted to update(using a LAN cable for internet connection) – but Microsoft reported that the driver is up to date.

However, after i uninstalled Sophos Intercept X Endpoint that was running on both PCs, they could connect to any wi-fi normally as before, but upon re-installation of the Endpoints, the issue came up again.

I formatted one the PCs and reloaded the Operating System. It could connect to wi-fi, but once I installed the Sophos Endpoint, it could no longer connect, - “Can’t connect to this network” is the message displayed after entering the wi-fi password.

I connected a USB wi-fi adapter(manufactured by Realtek) on one of the PCs, nd the PC could connect to wi-fi normally with it.

The PC model is HP 250 G2

OS is Windows 10 Pro

The wi-fi adapter model is QCWB335(written on the adapter card)

The wi-fi manufacturer is Qualcomm Atheros

*But the driver installed for it by Microsoft which had been working is Qualcomm-Atheros-QCA9565, as seen in Device Manager

 

I am suspecting that that there must have been an update from Sophos that is causing this abnormal behaviour, because all other systems in the organization are working fine right now.

I need help to fix this as soon as possible.

Thanks



This thread was automatically locked due to age.
  • Hello All,

    In Addition to what  said, an internal case has also been raised to further investigate the said issue. It's being tracked under issue ID WINEP-41842.

    We'll keep this thread updated for any developments. 

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Can you test just disabling IPS.  I suspect you need to either restart the computer or restart the Sophos Network Threat Protection service after changing the policy to disable IPS.  From a working state, if the policy comes down to enable IPS it broke the wireless connection.  If using a different interface I get a policy to disable IPS, then it doesn't work until the service is restart or the computer rebooted.  

    Given this information, you should be able to re-enable network threat protection features and just disable IPS as long as you reboot or restart the service.

    Maybe you can confirm?  Disabling just IPS if that's all that is needed would be more secure.

  • Dell branded notebook cannot connect to any wifi - Sophos Endpoint is not allowing it.
    
    Unable to connect to this network!
    I have the same problem for 3 days without connecting?
  • I assume it has a Qualcomm Atheros NIC.  If you disable IPS in policy (threat protection). 

    This will change at the endpoint the intrusion_prevention_system_enabled DWORD from 1 to 0 (off) under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\NetworkPerimeter\[revision]

    Where: The revision "key" is pointed to by the latest value under the parent key, namely:
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\NetworkPerimeter

    Assuming you can get it on the network to get the policy to get that policy from Central.  To do that you might have to:

    - Connect it to the internet with a different NIC and wait for the policy.  Then reboot.

    or:

    - Disable Tamper Protection locally if enabled for which you will need the password from Sophos Central. 
    Stop the Sophos Network Threat Protection service. This should allow you to connect to the wireless network to get the policy that has been set in Central to disable IPS. Again check the above registry key to confirm.  Then reboot or start the Sophos Network Threat Protection service.  At this point it should work with just IPS disabled.

    or:

    -  Disable Tamper Protection locally if enabled for which you will need the password from Sophos Central.
    Set the DWORD intrusion_prevention_system_enabled to 0 from 1 as mentioned above and then restart the Sophos Network Threat Protection service.  This should allow you to connect.  The danger being, that if the policy in Central isn't changed to disable IPS, the policy could get re-applied.

    Can you confirm this works? 

    If you don't have access to Sophos Central you might need to ask the person who does.

  • Hi, i have the same problem.  

    Does anyone have a temporary solution?
  • To consolidate the above comments, I believe the best course of action here is as follows. The information is divided into steps for end users to carry out at the computer and steps for Sophos Central admins. 


    End users
    If you are no longer able to connect to the wireless network via your Atheros network adapter, here are some options:

    Note: To check if you have an Atheros wireless network adapter, from Device Manager, expand the list of "Network adapters".



    Option 1
    Connect using a different network interfaces, e.g. Use an Wi-Fi dongle or use a wired connection temporarily if possible. You may need to disable the Atheros adapter first when using a Wi-Fi dongle option so the Wi-Fi dongle is used. 
    If your admin is aware of this issue, you may get a policy to workaround the issue shortly afterwards, see below for evidence. Either way, you may want to let your Sophos Central admin or IT department know about this issue you are having.

    Option 2
    If Tamper protection isn't enabled on the computer AND you're a local admin:

    Note: To check if Tamper Protection is enabled or disabled on your device, you can launch the Sophos UI (blue shield in the notification tray). 


    If tamper protection is enabled, you will see a sign-in button as shown below:

    If tamper protection is disabled, you should see a "Settings" "tab" to the right of "Detections" tab and the "Admin sign-in" button does not appear. You can confirm on the "Settings" page with the "Tamper Protection" slider being on or off.

    See the options below to proceed based on this information:

    Tamper protection is enabled

    You will need to contact your Sophos Central administrator or IT department and inform them of this post and the steps they need to take.  You can mention that IPS feature of Sophos is preventing your Atheros network card from connecting to the Wi-Fi.  Option 1 above is the only real option without involving a Sophos administrator.


    Tamper protection is disabled and you are a local administrator

    Stop the "Sophos Network Threat Protection" service in the Services MMC snap-in, (services.msc). If the option is greyed out, check Tamper Protection is disabled and that you are running services.msc as admin.

    Tip: If Tamper Protection is off, you can also stop the service from Windows Task Manager ("Services" tab) if that is easier.

    1. Launch Regedit.exe
    Important: Usual disclaimer apples here, if you don't feel confident editing the registry, ask someone else as making mistakes in the registry can prevent the computer booting.

    2. Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\NetworkPerimeter
    Make a note of the "latest" value number.

    3. Expand the NetworkPerimeter key, you should then see a sub-key with the same number as in latest.

    For example, if latest had the value 20220624143424557980, you are looking in the key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\NetworkPerimeter\20220624143424557980

    4. Note the intrusion_prevention_system_enabled value under this key.
    If this is a 1, then IPS is enabled, if it's a 0, it is off and you may have a different issue.  If restarting the "Sophos Network Threat Protection" service when this value is 0 doesn't help, then you possibly have a different issue to that covered here.

    5. Set the value to 0 if it was 1.

    6. Optionally: In the Sophos interface, on the "Settings" page, check, "Override Sophos Central Policy for up to 4 hours to troubleshoot". This will prevent a policy with the IPS feature still enabled being re-applied for the 4 hours. That said, if you are in conversation with your Sophos Central administrator and they are aware of the issue, do not use this option as it may prevent the policy with IPS disabled from being processed during this time.

    7. Start the "Sophos Network Threat Protection" service.

    8. Confirm you can connect to the Wi-Fi as normal.  



    In all cases, you may want to inform your Sophos admin about this post, notify them they can turn off IPS in policy to enable any devices which have Atheros NICs.


    Sophos Central Admins
    You may have one or more users which are unable to connect to their wireless networks if they are using Atheros network adapters.

    This problem appears to be due to the IPS feature in Sophos Endpoint release 2022.1.1.3 with Atheros adapters.

    In Sophos Central this version will show in the Device details as follows:

    At the endpoint:

    Below are a few options to help in addition to that provided in the "End users" section above.

    Option 1
    Identify any computers using Atheros network adapters that could be affected. For computers that are able to connect, e.g. they are currently in the office but could have issues when they go home, you maybe able to use Live Query if this is a feature you have.  E.g. create a new query, the core of the query being as follows:

    select mac, description, manufacturer, connection_id, physical_adapter, enabled, connection_status, service 
    from interface_details
    where physical_adapter=1 and 
    (manufacturer like '%theros%' or description like '%atheros%')


    From the exported csv file, you have a list of potentially impacted computers.

    Note: As Live Query can only operate on computers that are online, and there isn't a data lake query with NIC details: You may need to use another source such as Peripheral Control information detailed below.

    Option 2
    If you have Peripheral Control enabled, you might have information in the Central Events report you can export to a CSV.
    https://cloud.sophos.com/manage/reports/protection/events/create 

    For the computers affected, until an official update from Sophos, the best option I believe is to disable just the IPS feature in the Threat Protection policy:

    If any end users contact you to get them back online, if Tamper Protection is enabled on their device, your options are:

    Option 1
    Ask them to connect via a different network adapter, e.g. a wired adapter to get the policy to disable IPS to get the policy or

    Option 2
    Provide them with the tamper protection password for their device which you can find in Sophos Central on the device page.  They can then follow the steps in the End Users section.

    Note: They will need to be local admin. You will have to use your best judgement if they are OK to have the password temporarily. it is recommended you generate a new password in Sophos Central for the device.

    As mentioned above, if you are on the call with the user, then they will not need to use the "Override Sophos Central Policy for up to 4 hours to troubleshoot", you should be able to confirm they get the policy once connected.  This should only take around 1 minute.  If the computer is shown as "Central management has been suspended" for the device they will not receive the policy until management is resumed, either by the 4 hours timing our or the user toggling the policy.

    You can confirm in the highlighted registry location detailed in the End User section above. I.e. intrusion_prevention_system_enabled is set to 0. 


    Once they receive the policy, they will need to restart the "Sophos Network Threat Protection" service or reboot.

    Hopefully this is helpful information.

  • Hi Glen,

    We are also having this issue for a number of clients.
    I have a Sophos case but they are blaming the resource usage of said machines affected.
    Any chance you can update me on the internal case or escalate our case ID further?

    I have replied to my case id with this forum post.

    Thanks

  • Hi All,

    Sharing this public documentation related to the issue being described  on this thread as well as the workaround for the said issue

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids