I am aware that self-isolation happens due to the "health" factors of the computer.
However, would there be somewhere, some log that I can see exactly the cause of this self-isolation?
Clients are automatically isolated for less than a minute often, so I needed to know the exact cause of the isolation. (Central/Client)
Thank you for reaching out to the community forum. Did the isolation happen on the same devices? How many days have you observed such behavior on your managed endpoint? Are you getting any alerts on Central prior to receiving the isolation alert?
Hi! Most of the time isolation happens on the same device, but some others are self-isolating as well. In Sophos Central, only the event logs appear, when a file is considered malware and is deleted from the machine, but I still haven't found in the Logs and Reports the exact cause of the isolation of each computer; I also don't know if there is a log level like that. This has happened since the Endpoint implementation.
Does the log file under: C:\ProgramData\Sophos\Health\Logs\ help?
Nothing very interesting, it just informs me that the health state has changed:
2022-12-05T20:25:21.556Z [ 4008: 4772] I Processing event id: ff677755-df12-4f90-a5d7-c82242fe0252
2022-12-05T20:25:21.560Z [ 4008: 4772] I Health state has changed to - Overall: 3, Service: 3, Threat: 1
The Sophos Network Threat Protection (NTP) service does the isolating. E.g. in C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SntpService.log, when you stop a service you see:
2022-12-09T18:49:51.180Z [14140:13696] A Recalculating isolation: Self isolated: True, Admin isolated: False
2022-12-09T18:49:51.185Z [14140:13696] A Sophos Health is:RED
In this case I stopped the Sophos File Scanner service, so in the Health.log:
2022-12-09T18:46:51.246Z [17152: 5200] I Health state has changed to - Overall: 1, Service: 1, Threat: 0
2022-12-09T18:48:51.087Z [17152:12160] I Ignored service check results: one or more service(s) not running for the first time
2022-12-09T18:49:06.097Z [17152:12160] I Ignored service check results: one or more service(s) not running for the first time
2022-12-09T18:49:21.115Z [17152:12160] I Ignored service check results: one or more service(s) not running for the first time
2022-12-09T18:49:36.149Z [17152:12160] I Ignored service check results: one or more service(s) not running for the first time
2022-12-09T18:49:51.177Z [17152:12160] I Posting service stopped event: b79f00ed-22cf-4191-bf28-ff2d8f4d9e0d Sophos File Scanner Service (threat service)
2022-12-09T18:49:51.434Z [17152: 5200] I Processing event id: a718dd7c-97a8-49bc-ae3e-bd3816363558
2022-12-09T18:49:51.438Z [17152: 5200] I Health state has changed to - Overall: 3, Service: 3, Threat: 0
2022-12-09T18:49:51.445Z [17152: 5200] I Processing event id: cfe239e1-85c1-4350-86ad-3f28f86c77b7
2022-12-09T18:49:51.447Z [17152: 5200] I Health state has changed to - Overall: 3, Service: 3, Threat: 0
The service state at each sample goes under:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\PersistedStatus\[instance]\
service = 3 and health = 3
If I start the service again, when Sophos Health re-checks, it reverts the state back to OK:
2022-12-09T18:54:21.512Z [17152:12160] I Posting service started event: b79f00ed-22cf-4191-bf28-ff2d8f4d9e0d Sophos File Scanner Service (threat service)
2022-12-09T18:54:21.770Z [17152: 5200] I Processing event id: bd281f67-585a-40cd-aef8-975863bb93b1
2022-12-09T18:54:21.777Z [17152: 5200] I Health state has changed to - Overall: 2, Service: 1, Threat: 0
2022-12-09T18:54:21.787Z [17152: 5200] I Processing event id: b67a6fcc-e143-4a9e-b10b-82a4374d96cd
2022-12-09T18:54:21.789Z [17152: 5200] I Health state has changed to - Overall: 1, Service: 1, Threat: 0
SophosNTPService.log:
2022-12-09T18:54:21.520Z [14140:13696] A Recalculating isolation: Self isolated: False, Admin isolated: False
2022-12-09T18:54:21.524Z [14140:13696] A Sophos Health is:GREEN
And the computer is taken out of isolation.
From the Service state 3 in your log, one or more services are stopped. It also checks processes, so not just Windows services. E.g. depending on the setup, the following processes, which are child processes of the services mentioned, are also checked for:
SophosFileScanner.exe (child process of the Sophos File Scanner service)
SophosNetFilter.exe (child process of the Sophos Network Threat Protection service)
I would check under the last key under:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\PersistedStatus\
for the services set to value 3; they should be 0 when OK. Which are they?
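As an added example (not from this thread or from Sophos), the correlation described above done in Python: it parses the record format of the Health.log and SntpService.log lines quoted in the thread, and for each "Self isolated: True" recalculation reports the health state and the service-stopped events Health.log posted just before it, plus how long the isolation lasted. The sample records are the excerpts posted above; the 120 s look-back and 2 s look-ahead windows are assumptions.

```python
import re
from datetime import datetime, timedelta

# Record layout shared by both logs: <ISO timestamp>Z [<pid>:<tid>] <level letter> <message>
RECORD_RE = re.compile(r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})Z\s*"
                       r"\[\s*\d+:\s*\d+\]\s+[A-Z]\s+(?P<msg>.*)")
TS_BOUNDARY = re.compile(r"(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)")
STOPPED_RE = re.compile(r"Posting service stopped event: [0-9a-f-]+ (?P<svc>.+)")
STATE_RE = re.compile(r"Health state has changed to - Overall: (\d), Service: (\d), Threat: (\d)")
ISOLATED_RE = re.compile(r"Recalculating isolation: Self isolated: (True|False)")

def parse_records(text):
    """Return [(datetime, message)]; splitting at each timestamp also recovers
    records that were run together onto one line, as in the excerpts above."""
    records = []
    for chunk in TS_BOUNDARY.split(text):
        m = RECORD_RE.match(chunk.strip())
        if m:
            records.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f"), m["msg"].strip()))
    return records

def explain_isolations(health_text, sntp_text, before=timedelta(seconds=120), after=timedelta(seconds=2)):
    """For each 'Self isolated: True' in SntpService.log, report the Health.log state
    and service-stopped events around it, and how long the isolation lasted."""
    health, sntp = parse_records(health_text), parse_records(sntp_text)
    findings = []
    for i, (ts, msg) in enumerate(sntp):
        m = ISOLATED_RE.search(msg)
        if not m or m.group(1) != "True":
            continue
        end = next((t for t, mm in sntp[i + 1:] if "Self isolated: False" in mm), None)
        # Health.log writes its state change a few hundred ms after SNTP recalculates, hence `after`.
        nearby = [mm for t, mm in health if ts - before <= t <= ts + after]
        stopped = [s["svc"] for s in map(STOPPED_RE.search, nearby) if s]
        states = [s.groups() for s in map(STATE_RE.search, nearby) if s]
        findings.append({
            "isolated_at": ts,
            "duration_s": None if end is None else round((end - ts).total_seconds(), 3),
            "health_state": dict(zip(("overall", "service", "threat"), map(int, states[-1]))) if states else None,
            "stopped_services": stopped,
        })
    return findings

# Sample input: Health.log / SntpService.log records quoted in this thread, one per line.
HEALTH_LOG = """2022-12-09T18:49:51.177Z [17152:12160] I Posting service stopped event: b79f00ed-22cf-4191-bf28-ff2d8f4d9e0d Sophos File Scanner Service (threat service)
2022-12-09T18:49:51.438Z [17152: 5200] I Health state has changed to - Overall: 3, Service: 3, Threat: 0
2022-12-09T18:54:21.512Z [17152:12160] I Posting service started event: b79f00ed-22cf-4191-bf28-ff2d8f4d9e0d Sophos File Scanner Service (threat service)"""
SNTP_LOG = """2022-12-09T18:49:51.180Z [14140:13696] A Recalculating isolation: Self isolated: True, Admin isolated: False
2022-12-09T18:54:21.520Z [14140:13696] A Recalculating isolation: Self isolated: False, Admin isolated: False"""
```

Point `explain_isolations` at the two files under C:\ProgramData\Sophos\ to get, per isolation, the service whose stop triggered it; an isolation with no stopped service nearby but Threat > 0 points at a detection instead.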