I am aware that self-isolation happens due to the "health" factors of the computer.
However, would there be somewhere, some log that I can see exactly the cause of this self-isolation?
Clients are often automatically isolated for less than a minute, so I need to know the exact cause of the isolation. (Central/Client)
Does the log file under: C:\ProgramData\Sophos\Health\Logs\ help?
Nothing very interesting, it just informs me that the health state has changed
2022-12-05T20:25:21.556Z [ 4008: 4772] I Processing event id: ff677755-df12-4f90-a5d7-c82242fe0252
2022-12-05T20:25:21.560Z [ 4008: 4772] I Health state has changed to - Overall: 3, Service: 3, Threat: 1
Software Developer, FOSS Contributor & Linux Administrator
Member at Free Software Foundation
The Sophos Network Threat Protection (NTP) service does the isolating. For example, in C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SntpService.log, when you stop a service you see:
2022-12-09T18:49:51.180Z [14140:13696] A Recalculating isolation: Self isolated: True, Admin isolated: False
2022-12-09T18:49:51.185Z [14140:13696] A Sophos Health is:RED
In this case I stopped the Sophos File Scanner service, so in the Health.log:
2022-12-09T18:46:51.246Z [17152: 5200] I Health state has changed to - Overall: 1, Service: 1, Threat: 0
2022-12-09T18:48:51.087Z [17152:12160] I Ignored service check results: one or more service(s) not running for the first time
2022-12-09T18:49:06.097Z [17152:12160] I Ignored service check results: one or more service(s) not running for the first time
2022-12-09T18:49:21.115Z [17152:12160] I Ignored service check results: one or more service(s) not running for the first time
2022-12-09T18:49:36.149Z [17152:12160] I Ignored service check results: one or more service(s) not running for the first time
2022-12-09T18:49:51.177Z [17152:12160] I Posting service stopped event: b79f00ed-22cf-4191-bf28-ff2d8f4d9e0d Sophos File Scanner Service (threat service)
2022-12-09T18:49:51.434Z [17152: 5200] I Processing event id: a718dd7c-97a8-49bc-ae3e-bd3816363558
2022-12-09T18:49:51.438Z [17152: 5200] I Health state has changed to - Overall: 3, Service: 3, Threat: 0
2022-12-09T18:49:51.445Z [17152: 5200] I Processing event id: cfe239e1-85c1-4350-86ad-3f28f86c77b7
2022-12-09T18:49:51.447Z [17152: 5200] I Health state has changed to - Overall: 3, Service: 3, Threat: 0
The service state at each sample is written under:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\PersistedStatus\[instance]\
service = 3 and health = 3
If I start the service again, when Sophos Health re-checks, it reverts the state back to OK:
2022-12-09T18:54:21.512Z [17152:12160] I Posting service started event: b79f00ed-22cf-4191-bf28-ff2d8f4d9e0d Sophos File Scanner Service (threat service)
2022-12-09T18:54:21.770Z [17152: 5200] I Processing event id: bd281f67-585a-40cd-aef8-975863bb93b1
2022-12-09T18:54:21.777Z [17152: 5200] I Health state has changed to - Overall: 2, Service: 1, Threat: 0
2022-12-09T18:54:21.787Z [17152: 5200] I Processing event id: b67a6fcc-e143-4a9e-b10b-82a4374d96cd
2022-12-09T18:54:21.789Z [17152: 5200] I Health state has changed to - Overall: 1, Service: 1, Threat: 0
SophosNTPService.log:
2022-12-09T18:54:21.520Z [14140:13696] A Recalculating isolation: Self isolated: False, Admin isolated: False
2022-12-09T18:54:21.524Z [14140:13696] A Sophos Health is:GREEN
And the computer is taken out of isolation.
From the Service state 3 in your log, one or more services are stopped. It also checks processes, not just Windows services. For example, depending on the setup, the following processes, which are child processes of the services mentioned, are also checked for:
SophosFileScanner.exe (child process of the Sophos File Scanner service)
SophosNetFiler.exe (child process of the Sophos Network Threat Protection service)
I would check under the last key under:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\PersistedStatus\
at the services set to value 3, when they should be 0 when OK. Which are they?
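The procedure in the answer above (read SntpService.log for the isolation recalculation, read Health.log for the service event that preceded it, then check PersistedStatus for entries at 3) can be scripted. The following PowerShell is an added example for this thread, not Sophos code. It assumes the log lines have exactly the shape of the excerpts quoted above, that the newest PersistedStatus instance is the last subkey when sorted by name, and that each service status is stored as a DWORD value under that instance key; the `-Sample` switch runs it against constructed lines modelled on the excerpts so it can be tested off the endpoint.

```powershell
# Added example (not from the thread or from Sophos): correlate self-isolation
# recalculations in SntpService.log with the Health.log events just before them,
# then list PersistedStatus entries that are at 3 instead of 0.
param(
    [string]$HealthLog = 'C:\ProgramData\Sophos\Health\Logs\Health.log',
    [string]$NtpLog    = 'C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SntpService.log',
    [string]$StatusKey = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\Health\PersistedStatus',
    [int]$WindowSeconds = 10,   # how far back in Health.log to look before each recalculation
    [switch]$Sample             # use the constructed lines below instead of the real files
)

# Constructed sample lines modelled on the excerpts quoted in the thread (not real captures).
$SampleNtp = @(
    '2022-12-09T18:49:51.180Z [14140:13696] A Recalculating isolation: Self isolated: True, Admin isolated: False',
    '2022-12-09T18:49:51.185Z [14140:13696] A Sophos Health is:RED',
    '2022-12-09T18:54:21.520Z [14140:13696] A Recalculating isolation: Self isolated: False, Admin isolated: False',
    '2022-12-09T18:54:21.524Z [14140:13696] A Sophos Health is:GREEN'
)
$SampleHealth = @(
    '2022-12-09T18:49:51.177Z [17152:12160] I Posting service stopped event: b79f00ed-22cf-4191-bf28-ff2d8f4d9e0d Sophos File Scanner Service (threat service)',
    '2022-12-09T18:49:51.438Z [17152: 5200] I Health state has changed to - Overall: 3, Service: 3, Threat: 0',
    '2022-12-09T18:54:21.512Z [17152:12160] I Posting service started event: b79f00ed-22cf-4191-bf28-ff2d8f4d9e0d Sophos File Scanner Service (threat service)',
    '2022-12-09T18:54:21.789Z [17152: 5200] I Health state has changed to - Overall: 1, Service: 1, Threat: 0'
)

function Read-LogLines([string]$Path, [string[]]$Fallback) {
    if ($Sample) { return $Fallback }
    if (-not (Test-Path $Path)) { Write-Warning "Missing $Path"; return @() }
    return Get-Content -Path $Path
}

# One object per "Recalculating isolation" line, with the self/admin flags as booleans.
function Get-IsolationEvents([string[]]$Lines) {
    foreach ($l in $Lines) {
        if ($l -match '^(?<ts>\S+) \[[^\]]*\] \w Recalculating isolation: Self isolated: (?<self>\w+), Admin isolated: (?<admin>\w+)') {
            [pscustomobject]@{
                Time  = [datetimeoffset]::Parse($Matches.ts, [cultureinfo]::InvariantCulture)
                Self  = $Matches.self -eq 'True'
                Admin = $Matches.admin -eq 'True'
            }
        }
    }
}

# Health.log lines that explain a state change: the state itself and service stop/start events.
function Get-HealthEvents([string[]]$Lines) {
    foreach ($l in $Lines) {
        if ($l -match '^(?<ts>\S+) \[[^\]]*\] \w (?<msg>Health state has changed to - Overall: \d, Service: \d, Threat: \d|Posting service (stopped|started) event: .+)$') {
            [pscustomobject]@{
                Time    = [datetimeoffset]::Parse($Matches.ts, [cultureinfo]::InvariantCulture)
                Message = $Matches.msg
            }
        }
    }
}

# Assumed layout: newest instance = last subkey by name; each service status is a DWORD value.
function Get-UnhealthyStatus([string]$Key) {
    if (-not (Test-Path $Key)) { Write-Warning "Missing $Key"; return }
    $inst = Get-ChildItem -Path $Key | Sort-Object Name | Select-Object -Last 1
    if (-not $inst) { return }
    $keys = @($inst) + @(Get-ChildItem -Recurse -Path $inst.PSPath)
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and $p.Value -is [int] -and $p.Value -eq 3) {
                [pscustomobject]@{ Key = $k.PSChildName; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

$iso    = @(Get-IsolationEvents (Read-LogLines $NtpLog $SampleNtp))
$health = @(Get-HealthEvents (Read-LogLines $HealthLog $SampleHealth))

# Report only transitions (self-isolation flag actually flipped), each with the
# Health.log events from $WindowSeconds before to 1 s after the recalculation.
$prev = $null
foreach ($e in $iso) {
    if ($null -ne $prev -and $prev.Self -eq $e.Self) { $prev = $e; continue }
    $state = if ($e.Self) { 'ENTERED self-isolation' } else { 'LEFT self-isolation' }
    Write-Output ('{0:u}  {1}' -f $e.Time.UtcDateTime, $state)
    $health |
        Where-Object { $d = ($_.Time - $e.Time).TotalSeconds; $d -ge -$WindowSeconds -and $d -le 1 } |
        ForEach-Object { Write-Output ('    {0:u}  {1}' -f $_.Time.UtcDateTime, $_.Message) }
    $prev = $e
}

if (-not $Sample) {
    Write-Output 'PersistedStatus entries at 3 (expected 0 when OK):'
    Get-UnhealthyStatus $StatusKey | Format-Table -AutoSize
}
```

Run it with `-Sample` first to see the correlation on the constructed lines: the 18:49:51 entry into self-isolation is printed with the "Posting service stopped event ... Sophos File Scanner Service" line that preceded it, and the 18:54:21 exit with the matching "service started" line. On the endpoint, run it without `-Sample` in an elevated prompt (the logs and the HKLM key need admin rights to read), and widen `-WindowSeconds` if the isolation is triggered by a process check that is logged earlier than the recalculation. Because the registry layout under PersistedStatus is an assumption here, compare the script's registry output with what regedit shows before trusting it on a different product version.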