All of my virtual machines running Windows Server 2012 R2 have a security health issue related to the Sophos System Protection Service not running. The Windows administrative tool Services reports the status of the service as Starting and not Running. The service can't be stopped or started since the options are greyed out. A restart of the server didn't resolve the issue.
Thanks for reaching out to the Sophos Community Forum.
If you're unable to interact with the services, this may be due to Tamper Protection being enabled.
Try sharing some of the recent log lines from the following log file.
- C:\ProgramData\Sophos\Endpoint Defense\Logs\SSP.log
You may also want to check for any errors in Windows Event Viewer as well.
Hi Qoosh, I have a similar issue, but it seems to be affecting only my Windows 10 and 11 endpoints. Investigation from Windows 11:
Edition: Windows 11 Enterprise
Version: 22H2
Installed on: 9/27/2022
OS build: 22621.521
Experience: Windows Feature Experience Pack 1000.22634.1000.0
Endpoint Advanced 10.8.11.4
Sophos Intercept X 2.0.25
When checking the logs I get the error below:
C:\ProgramData\Sophos\AutoUpdate\Logs
2022-10-13T13:16:04.896Z [11180: 1240] I Checking service "Sophos System Protection Service" is running...
2022-10-13T13:16:04.896Z [11180: 1240] W >> NO: Service "Sophos System Protection Service" is not running.
2022-10-13T13:17:51.788Z [11180: 1240] I >> FIXING: Starting service "Sophos System Protection Service"...
2022-10-13T13:17:51.789Z [11180: 1240] I >> FIXING: Service "Sophos System Protection Service" is starting. Waiting for it to start.
2022-10-13T13:30:12.933Z [11180: 1240] W Service Sophos System Protection Service timed out (exceeded 240000ms, while waiting to change status from 2.
Actions taken:
1- Updated Sophos endpoint XDR
2- Rebooted, issues still persist.
3- Installed Sophos XDR in an attempt to repair any issues.
4- Reboot. The issue still persists.
Any suggestions on a fix are welcome.
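Added example, not part of the thread and not Sophos tooling: a small Python parser for the AutoUpdate log lines quoted in the post above. It reports each service whose start attempt timed out, the Win32 service state it was stuck in (2 is SERVICE_START_PENDING, which Services shows as "Starting") and how long AutoUpdate actually waited. The function name and output fields are assumptions made for this example.

```python
import re
from datetime import datetime

# Log lines copied from the post above (the last line is cut off in the post).
SAMPLE_LOG = '''\
2022-10-13T13:16:04.896Z [11180: 1240] I Checking service "Sophos System Protection Service" is running...
2022-10-13T13:16:04.896Z [11180: 1240] W >> NO: Service "Sophos System Protection Service" is not running.
2022-10-13T13:17:51.788Z [11180: 1240] I >> FIXING: Starting service "Sophos System Protection Service"...
2022-10-13T13:17:51.789Z [11180: 1240] I >> FIXING: Service "Sophos System Protection Service" is starting. Waiting for it to start.
2022-10-13T13:30:12.933Z [11180: 1240] W Service Sophos System Protection Service timed out (exceeded 240000ms, while waiting to change status from 2.
'''

# Win32 service state codes (winsvc.h); the log reports them as "status from N".
SERVICE_STATES = {1: "STOPPED", 2: "START_PENDING", 3: "STOP_PENDING", 4: "RUNNING"}

LINE_RE = re.compile(r'^(\S+Z) \[\s*\d+:\s*\d+\] [A-Z] (.*)$')
START_RE = re.compile(r'FIXING: Starting service "([^"]+)"')
TIMEOUT_RE = re.compile(
    r'Service (.+?) timed out \(exceeded (\d+)ms, while waiting to change status from (\d+)')

def find_stuck_services(text):
    """Return one finding per service whose start attempt timed out."""
    started, findings = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ")
        msg = m.group(2)
        if (s := START_RE.search(msg)):
            started[s.group(1)] = ts  # remember when the start was requested
        elif (t := TIMEOUT_RE.search(msg)):
            name, state = t.group(1), int(t.group(3))
            begun = started.pop(name, None)
            findings.append({
                "service": name,
                "stuck_in": SERVICE_STATES.get(state, str(state)),
                "limit_s": int(t.group(2)) / 1000,
                "waited_s": (ts - begun).total_seconds() if begun else None,
            })
    return findings

if __name__ == "__main__":
    for finding in find_stuck_services(SAMPLE_LOG):
        print(finding)
```

On the quoted lines the reported limit is 240 seconds, while the timestamps show roughly 741 seconds between the start request and the timeout entry.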
Thanks for adding to the discussion.
In a neighboring thread a community member was able to correct this issue by disabling the "Data Loss Prevention" policy from Sophos Central on all devices, followed by a reboot.
Please let me know if this works for you.
Update: A KBA has been published related to this issue. Our development team has identified the root cause and is working on a fix. Please use the temporary workaround in the meantime.
- Advisory: Sophos System Protection Service may hang in a 'Starting' state after the system was rebooted
Disabling the "Data Loss Prevention" policy from Sophos Central on affected devices followed by a reboot fixed it for me. The service is now running.
Thanks for confirming!
Hi Craig, Thank you for the response, but does one have to permanently disable the DLP policy?
I suggest doing this only once. If the issue returns after you re-enable the DLP policy, please let me know so I may inquire into this with our team.
Could you please explain the way you proceed to disable DLP policy?
I tried to create a new DLP policy for my servers getting the issue and then bypassed it. However the base policy is also applied by default.
I'm not able to delete the DLP base policy.
Many thanks in advance for your help,
I suggest toggling the slider "Use rules for data transfers".
Hi Kushal Lakhan,
Thanks for your reply.
I’m going to check this slider thing tomorrow at work.
I also noticed that only (but all) Windows 2012R2 servers are impacted by this issue.
Sophos System Protection Service remains on a starting status for all of them.
Do you think Sophos will provide any patch or is there any Windows KB (even an old one) to avoid or correct this problem? I hope toggling the slider will solve the issue but maybe this also could come from a Windows KB (applied or missing).
We already control firewall permissions for Sophos flows, no connection reset occurs so I’m at my wits' end.
Many thanks again for your support,