Why does Sophos Central want me to restart the servers, if there are no differences between the component versions on servers that are up to date (Events: "Update succeeded") and those that Sophos Central wants to reboot (Events: "Reboot to complete update; computer stays protected")?
What is actually changed?
Since the rollout of Intercept X with XDR on the servers in February, Sophos Central has indicated every week that I should reboot nearly all servers.
Server reboots in our environment must be planned and supervised and users must stop working, so we decided to schedule reboots only every 3 months for Windows Updates.
Try checking the following registry key. Let me know if any drivers are waiting to be reloaded on the system(s) which require reboots.
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
Key: PendingFileRenameOperations
To find out definitively, we would need to look into the updating logs to find out which specific component installed an update or ran a repair operation (similar to an over-top installation). You can find the install logs related to each component in the "C:\Windows\Temp" directory.
If you only wish to reboot your servers every 3 months, I suggest looking into the Software packages to control updating on your systems. A Fixed term support package may be beneficial for your specific use-case. - Software packages
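The registry check suggested in the reply above, as an added PowerShell example (not from Sophos or from the posters in this thread). It relies on the standard layout of PendingFileRenameOperations, a list of source/destination pairs in which an empty destination means the source is deleted at the next boot; the function name ConvertFrom-PendingRename and the IsDriver path heuristic are assumptions made for illustration.

```powershell
# Added example: decode PendingFileRenameOperations into readable actions.
# ConvertFrom-PendingRename is a hypothetical helper, not a built-in cmdlet.
function ConvertFrom-PendingRename {
    param([string[]]$Entries)
    # Entries come in (source, destination) pairs.
    # Empty destination = delete the source at next boot.
    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        $src = $Entries[$i] -replace '^\\\?\?\\', ''        # strip NT "\??\" prefix
        $dst = if ($i + 1 -lt $Entries.Count) { $Entries[$i + 1] } else { '' }
        $dst = $dst -replace '^!?\\\?\?\\', ''              # leading "!" = replace existing
        [pscustomobject]@{
            Action      = if ($dst) { 'Rename' } else { 'Delete' }
            Source      = $src
            Destination = $dst
            # Assumption: anything under system32\drivers is driver-related
            IsDriver    = $src -like '*\system32\drivers\*'
        }
    }
}

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations

if ($pending) {
    Write-Host 'Operations queued for the next boot on this host:'
    ConvertFrom-PendingRename $pending | Format-Table -AutoSize
} else {
    Write-Host 'No PendingFileRenameOperations value on this host.'
}

# Constructed sample (not taken from a real host) to show the output shape:
# one delete, then one rename that replaces an existing file.
$sample = @(
    '\??\C:\Windows\TEMP\example.tmp', '',
    '\??\C:\Example\component.dll.0', '!\??\C:\Example\component.dll'
)
Write-Host 'Constructed sample:'
ConvertFrom-PendingRename $sample | Format-Table -AutoSize
```

Reading the value under HKLM does not change it, so the script can be run on a production server without affecting the pending operations.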
Thank you for the info about "PendingFileRenameOperations".
That's what I found on servers that should be rebooted:
\??\C:\Program Files (x86)\Common Files\Sophos\Web Intelligence\swi_fc.exe.0
\??\C:\Program Files (x86)\Common Files\Sophos\Web Intelligence
\??\C:\Program Files (x86)\Common Files\Sophos
\??\C:\Program Files (x86)\Common Files\Sophos\Web Intelligence\scf.dat.0
\??\C:\Program Files (x86)\Common Files\Sophos\Web Intelligence
\??\C:\Program Files (x86)\Common Files\Sophos
\??\C:\Windows\SysWOW64\SophosAV\sophos_detoured.dll.stf00
\??\C:\Windows\system32\SophosAV\sophos_detoured_x64.dll.stf00
\??\C:\Windows\SysWOW64\SophosAV
\??\C:\Windows\system32\SophosAV
\??\C:\Program Files (x86)\Sophos\Sophos Anti-Virus\
\??\C:\Program Files (x86)\Sophos
\??\C:\Windows\system32\drivers\SophosED_8a342f69-19fd-4919-a2bc-376d4b912329
\??\C:\Windows\TEMP\yyd5q1qqoq4la5u1bv3gwotcc70q1e9o.tmp
What does it say about the urgency of a reboot?
That new feature "Scheduled Updates" is neat.
Some of the components shown here are quite old now and should no longer be present on the latest installations of Sophos on Server or Workstation OS'.
Namely the following:
- swi_fc.exe (Sophos Web Intelligence)
- scf.dat (Sophos Web Intelligence)
- sophos_detoured.dll.stf00 (Sophos Anti-Virus/On Access Scanning)
Some additional information on these changes can be found in the following article. - Sophos Intercept X for Windows: Product architecture changes
If your systems are continuing to operate normally, it may not be critical to reboot right away, but I do suggest planning for this in the near future.