This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Intercept X Endpoint - Random auto-isolation on company computers

I am aware that self-isolation happens due to the "health" factors of the computer.

However, would there be somewhere, some log that I can see exactly the cause of this self-isolation?

Clients are automatically isolated for less than a minute often, so I needed to know the exact cause of the isolation. (Central/Client)

This thread was automatically locked due to age.

Top Replies

Sophos User930 over 1 year ago in reply to Nicolas Wayand +2

The Sophos Network Threat Protection (NTP) service does the isolating. E.g. In C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SntpService.log , when you stop a service for example you see…

Parents

0 Sophos User930 over 1 year ago

Does the log file under: C:\ProgramData\Sophos\Health\Logs\ help?
Cancel
Vote Up 0 Vote Down

Cancel
0 Nicolas Wayand over 1 year ago in reply to Sophos User930
Nothing very interesting, it just informs me that the health state has changed

2022-12-05T20:25:21.556Z [ 4008: 4772] I Processing event id: ff677755-df12-4f90-a5d7-c82242fe0252
2022-12-05T20:25:21.560Z [ 4008: 4772] I Health state has changed to - Overall: 3, Service: 3, Threat: 1
Software Developer, FOSS Contributor & Linux Administrator

Member at Free Software Foundation
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Nicolas Wayand over 1 year ago in reply to Sophos User930
Nothing very interesting, it just informs me that the health state has changed

2022-12-05T20:25:21.556Z [ 4008: 4772] I Processing event id: ff677755-df12-4f90-a5d7-c82242fe0252
2022-12-05T20:25:21.560Z [ 4008: 4772] I Health state has changed to - Overall: 3, Service: 3, Threat: 1
Software Developer, FOSS Contributor & Linux Administrator

Member at Free Software Foundation
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Sophos User930 over 1 year ago in reply to Nicolas Wayand

The Sophos Network Threat Protection (NTP) service does the isolating. E.g. In C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SntpService.log, when you stop a service for example you see:

2022-12-09T18:49:51.180Z [14140:13696] A Recalculating isolation: Self isolated: True, Admin isolated: False
2022-12-09T18:49:51.185Z [14140:13696] A Sophos Health is:RED

In this case I stopped the Sophos File Scanner service, so in the Health.log:

2022-12-09T18:46:51.246Z [17152: 5200] I Health state has changed to - Overall: 1, Service: 1, Threat: 0
2022-12-09T18:48:51.087Z [17152:12160] I Ignored service check results: one or more service(s) not running for the first time
2022-12-09T18:49:06.097Z [17152:12160] I Ignored service check results: one or more service(s) not running for the first time
2022-12-09T18:49:21.115Z [17152:12160] I Ignored service check results: one or more service(s) not running for the first time
2022-12-09T18:49:36.149Z [17152:12160] I Ignored service check results: one or more service(s) not running for the first time
2022-12-09T18:49:51.177Z [17152:12160] I Posting service stopped event: b79f00ed-22cf-4191-bf28-ff2d8f4d9e0d Sophos File Scanner Service (threat service)
2022-12-09T18:49:51.434Z [17152: 5200] I Processing event id: a718dd7c-97a8-49bc-ae3e-bd3816363558
2022-12-09T18:49:51.438Z [17152: 5200] I Health state has changed to - Overall: 3, Service: 3, Threat: 0
2022-12-09T18:49:51.445Z [17152: 5200] I Processing event id: cfe239e1-85c1-4350-86ad-3f28f86c77b7
2022-12-09T18:49:51.447Z [17152: 5200] I Health state has changed to - Overall: 3, Service: 3, Threat: 0

The service state, at each sample goes under:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\PersistedStatus\[instance]\

service = 3 and health = 3

If I start the service again, when Sophos Health re-checks, it reverts the state back to OK:

2022-12-09T18:54:21.512Z [17152:12160] I Posting service started event: b79f00ed-22cf-4191-bf28-ff2d8f4d9e0d Sophos File Scanner Service (threat service)
2022-12-09T18:54:21.770Z [17152: 5200] I Processing event id: bd281f67-585a-40cd-aef8-975863bb93b1
2022-12-09T18:54:21.777Z [17152: 5200] I Health state has changed to - Overall: 2, Service: 1, Threat: 0
2022-12-09T18:54:21.787Z [17152: 5200] I Processing event id: b67a6fcc-e143-4a9e-b10b-82a4374d96cd
2022-12-09T18:54:21.789Z [17152: 5200] I Health state has changed to - Overall: 1, Service: 1, Threat: 0

SophosNTPService.log:

2022-12-09T18:54:21.520Z [14140:13696] A Recalculating isolation: Self isolated: False, Admin isolated: False
2022-12-09T18:54:21.524Z [14140:13696] A Sophos Health is:GREEN

And the computer is taken out of isolation.

From the Service state 3 in your log, one or more services are stopped. It also checks processes so not just Windows services. E.g. depending on the setup, the following processes which are child processes of the services mentioned are also checked for.

SophosFIleScanner.exe (child processes of Sophos File Scanner service)
SophosNetFiler.exe (child process of Sophos Network Threat protection service)

I would check under the last key under:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\PersistedStatus\

at the services set to value 3, when they should be 0 when OK. Which are they?
Cancel
Vote Up +2 Vote Down

Cancel