Endpoints not showing "Security Heartbeat Firewall" under summary

Have been working with support on this issue, and they cannot seem to find the issue.

We have seemingly random endpoints that do not have heartbeats with our firewall. This is causing odd traffic blocks on the affected endpoints due to the Network Threat Protection service. 

For example, all endpoints that do not show a "Security Heartbeat Firewall" under summary in Sophos Central cannot download any files from Adobe. 

The affected endpoints do not show up as "missing" in the firewall. The affected endpoints are not consuming licenses, either. For example, the firewall lists 265 endpoints with heartbeats, our license shows 270 endpoint licenses used, while our Sophos Central has over 400 devices.

I have been unable to find any differences between an endpoint with a heartbeat and one without. They have the same policies, etc. The only thing I know for sure is to check an individual device and look for "Security Heartbeat Firewall"; if that's missing, then I know it's affected.

Thank you for any recommendations. 

Edit: I should add that these are Windows endpoints experiencing problems, and we are using Intercept X Advanced with XDR.

Edit 2: I tried removing endpoint from a PC, leaving the domain, and deleting it from AD/Sophos Central. It still did not resolve my issue. I then reloaded the entire PC from scratch, and now I am getting a heartbeat. What can cause this? I don't want to reload every PC (around 100) with issues!



Edited TAGs
[edited by: Qoosh at 10:58 PM (GMT -8) on 12 Dec 2022]
  • Below is the solution from Sophos Support that works:

    1. Download the files: https://download.sophos.com/tools/WINEP-36891.zip
    2. Turn off Tamper Protection
    3. Extract the files from the .zip
    4. Open an Administrative mode command prompt
    5. Run: sc stop sntpservice
    6. Run: sc stop sntp
    7. rename c:\windows\system32\drivers\sntp.sys_old
    8. Copy sntp.sys (extracted) to c:\windows\system32\drivers
    9. Run: move "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNetFilter.exe" "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNetFilter.exe.original"
    10. Copy SophosNetFilter.exe (extracted) to C:\program files\sophos\sophos network threat protection\
    11. Run: move "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe" "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe.original"
    12. Copy SophosNtpService.exe (extracted) to C:\program files\sophos\sophos network threat protection
    13. Run: sc start sntpservice
    14. Open Regedit (Registry Editor)
    15. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentSet001\Services\Sophos Endpoint Defense\EndpointFlags
    16. Add a new DWORD called “modernweb.offloading.enabled” and set the value to 1.

  • This update will also be included in the 2022.3 release of Sophos Core Agent. The release is expected to begin rollout in the next couple of weeks, though this is subject to change without notice.

    If you find that a significant number of devices are affected on your environment, I'd suggest inquiring if your site can be moved to one of the earlier release groups.

    Kushal Lakhan
    Global Community Support Engineer
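As an added example (not part of the thread and not Sophos code), a read-only PowerShell audit that reports, for one endpoint, which of the posted steps are in place and whether the binaries in use carry a valid Authenticode signature. All paths, service names and the registry value are copied as written in the steps above; the report layout and the signature check are assumptions of this example.

```powershell
# Added example: read-only audit of one endpoint; nothing is modified.
# Every path and name below is copied as written in the posted steps.
$drivers = 'C:\Windows\System32\drivers'
$ntpDir  = 'C:\Program Files\Sophos\Sophos Network Threat Protection'
$regPath = 'HKLM:\SYSTEM\CurrentSet001\Services\Sophos Endpoint Defense\EndpointFlags'
$regName = 'modernweb.offloading.enabled'

$results = @(
    # Steps 5, 6 and 13: state of the two service entries, queried with sc.exe as in the post.
    foreach ($svc in 'sntp', 'sntpservice') {
        $state = sc.exe query $svc | Select-String 'STATE' | Select-Object -First 1
        [pscustomobject]@{
            Item   = "service:$svc"
            State  = $(if ($state) { ($state.Line -split ':', 2)[1].Trim() } else { 'not found' })
            Signer = ''
        }
    }
    # Steps 7 to 12: the replaced binaries and the renamed originals.
    $files = "$drivers\sntp.sys", "$drivers\sntp.sys_old",
             "$ntpDir\SophosNetFilter.exe", "$ntpDir\SophosNetFilter.exe.original",
             "$ntpDir\SophosNtpService.exe", "$ntpDir\SophosNtpService.exe.original"
    foreach ($path in $files) {
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $ver = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            [pscustomobject]@{
                Item   = $path
                State  = "version $ver, signature $($sig.Status)"
                Signer = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
            }
        } else {
            [pscustomobject]@{ Item = $path; State = 'missing'; Signer = '' }
        }
    }
    # Steps 15 and 16: the DWORD flag, at the key path exactly as the post gives it.
    $flag = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Item   = "registry:$regName"
        State  = $(if ($flag) { "value $($flag.$regName)" } else { 'not set' })
        Signer = ''
    }
)
$results | Format-List
```

Run it from an elevated 64-bit PowerShell prompt. The signer column matters here because the steps replace a kernel driver and two service binaries while Tamper Protection is off, so a signature status other than `Valid` on a replaced file is worth stopping on.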