
Intercept X Endpoint - Random auto-isolation on company computers

I am aware that self-isolation happens due to the "health" factors of the computer.

However, would there be somewhere, some log that I can see exactly the cause of this self-isolation?

Clients are automatically isolated for less than a minute often, so I needed to know the exact cause of the isolation. (Central/Client)



  • The Sophos Network Threat Protection (NTP) service does the isolating. E.g. in C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SntpService.log, when you stop a service, for example, you see:

    2022-12-09T18:49:51.180Z [14140:13696] A Recalculating isolation: Self isolated: True, Admin isolated: False
    2022-12-09T18:49:51.185Z [14140:13696] A Sophos Health is:RED

    In this case I stopped the Sophos File Scanner service, so in the Health.log:

    2022-12-09T18:46:51.246Z [17152: 5200] I Health state has changed to - Overall: 1, Service: 1, Threat: 0
    2022-12-09T18:48:51.087Z [17152:12160] I Ignored service check results: one or more service(s) not running for the first time
    2022-12-09T18:49:06.097Z [17152:12160] I Ignored service check results: one or more service(s) not running for the first time
    2022-12-09T18:49:21.115Z [17152:12160] I Ignored service check results: one or more service(s) not running for the first time
    2022-12-09T18:49:36.149Z [17152:12160] I Ignored service check results: one or more service(s) not running for the first time
    2022-12-09T18:49:51.177Z [17152:12160] I Posting service stopped event: b79f00ed-22cf-4191-bf28-ff2d8f4d9e0d Sophos File Scanner Service (threat service)
    2022-12-09T18:49:51.434Z [17152: 5200] I Processing event id: a718dd7c-97a8-49bc-ae3e-bd3816363558
    2022-12-09T18:49:51.438Z [17152: 5200] I Health state has changed to - Overall: 3, Service: 3, Threat: 0
    2022-12-09T18:49:51.445Z [17152: 5200] I Processing event id: cfe239e1-85c1-4350-86ad-3f28f86c77b7
    2022-12-09T18:49:51.447Z [17152: 5200] I Health state has changed to - Overall: 3, Service: 3, Threat: 0

    The service state, at each sample, goes under:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\PersistedStatus\[instance]\

    service = 3 and health = 3

    If I start the service again, when Sophos Health re-checks, it reverts the state back to OK:

    2022-12-09T18:54:21.512Z [17152:12160] I Posting service started event: b79f00ed-22cf-4191-bf28-ff2d8f4d9e0d Sophos File Scanner Service (threat service)
    2022-12-09T18:54:21.770Z [17152: 5200] I Processing event id: bd281f67-585a-40cd-aef8-975863bb93b1
    2022-12-09T18:54:21.777Z [17152: 5200] I Health state has changed to - Overall: 2, Service: 1, Threat: 0
    2022-12-09T18:54:21.787Z [17152: 5200] I Processing event id: b67a6fcc-e143-4a9e-b10b-82a4374d96cd
    2022-12-09T18:54:21.789Z [17152: 5200] I Health state has changed to - Overall: 1, Service: 1, Threat: 0

    SophosNTPService.log:

    2022-12-09T18:54:21.520Z [14140:13696] A Recalculating isolation: Self isolated: False, Admin isolated: False
    2022-12-09T18:54:21.524Z [14140:13696] A Sophos Health is:GREEN

    And the computer is taken out of isolation.

    From the Service state 3 in your log, one or more services are stopped. It also checks processes, so not just Windows services; e.g., depending on the setup, the following processes, which are child processes of the services mentioned, are also checked for.

    SophosFileScanner.exe (child process of Sophos File Scanner service)
    SophosNetFiler.exe (child process of Sophos Network Threat Protection service)

    I would check the last key under:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\PersistedStatus\

    for the services set to value 3; they should be 0 when OK. Which are they?
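Added example (Python, written for this thread; not code from the post above or from Sophos): it parses the two log formats quoted in the answer, assuming the line layout `<timestamp>Z [<pid>:<tid>] <level> <message>` exactly as shown (the tid field is space-padded in places), and reports, for each time the self-isolation flag flips in SntpService.log, which service stopped/started events and health-state changes Health.log recorded around it. The sample lines are constructed from the excerpts above; the 60 s / 2 s correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta
# Constructed sample, modelled on the SntpService.log and Health.log excerpts quoted in the answer above.
SNTP_LOG = """\
2022-12-09T18:49:51.180Z [14140:13696] A Recalculating isolation: Self isolated: True, Admin isolated: False
2022-12-09T18:49:51.185Z [14140:13696] A Sophos Health is:RED
2022-12-09T18:54:21.520Z [14140:13696] A Recalculating isolation: Self isolated: False, Admin isolated: False
2022-12-09T18:54:21.524Z [14140:13696] A Sophos Health is:GREEN
"""
HEALTH_LOG = """\
2022-12-09T18:49:51.177Z [17152:12160] I Posting service stopped event: b79f00ed-22cf-4191-bf28-ff2d8f4d9e0d Sophos File Scanner Service (threat service)
2022-12-09T18:49:51.438Z [17152: 5200] I Health state has changed to - Overall: 3, Service: 3, Threat: 0
2022-12-09T18:54:21.512Z [17152:12160] I Posting service started event: b79f00ed-22cf-4191-bf28-ff2d8f4d9e0d Sophos File Scanner Service (threat service)
2022-12-09T18:54:21.789Z [17152: 5200] I Health state has changed to - Overall: 1, Service: 1, Threat: 0
"""
LINE_RE = re.compile(r"^(?P<ts>\S+Z) \[\s*\d+:\s*\d+\] \w (?P<msg>.*)$")
ISO_RE = re.compile(r"Recalculating isolation: Self isolated: (True|False)")
SVC_RE = re.compile(r"Posting service (?P<state>stopped|started) event: \S+ (?P<name>.+?) \(")

def parse(text):
    """Yield (timestamp, message) for every well-formed log line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ"), m["msg"]

def isolation_transitions(sntp_text):
    """Yield (timestamp, self_isolated) only when the self-isolation flag actually flips."""
    prev = None
    for ts, msg in parse(sntp_text):
        m = ISO_RE.match(msg)
        if m and (m[1] == "True") != prev:
            prev = m[1] == "True"
            yield ts, prev

def explain_isolation(sntp_text, health_text, before=60, after=2):
    """For each isolation flip, collect the Health.log service and health-state events near it."""
    health, report = list(parse(health_text)), []
    for ts, isolated in isolation_transitions(sntp_text):
        lo, hi = ts - timedelta(seconds=before), ts + timedelta(seconds=after)
        entry = {"time": ts.isoformat(), "self_isolated": isolated, "services": [], "health": []}
        for hts, msg in [h for h in health if lo <= h[0] <= hi]:
            m = SVC_RE.match(msg)
            if m:
                entry["services"].append(f"{m['name']} {m['state']}")
            elif msg.startswith("Health state has changed"):
                entry["health"].append(msg.split("- ", 1)[1])
        report.append(entry)
    return report
```

Point it at the real files by reading them with `open(...).read()` in place of the two constants; each report entry then names the service whose stop coincided with the isolation.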