Sophos Intercept X with XDR on Servers "Reboot to complete update; computer stays protected"

Why does Sophos Central want me to restart the servers, if there are no differences between the component versions on servers that are up to date (Events: "Update succeeded") and those that Sophos Central wants to reboot (Events: "Reboot to complete update; computer stays protected")?

What is actually changed?

Since the rollout of Intercept X with XDR on the servers in February, Sophos Central has indicated every week that I should reboot nearly all servers.

Server reboots in our environment must be planned and supervised, and users must stop working, so we decided to schedule reboots only every 3 months for Windows Updates.



This thread was automatically locked due to age.
  • Hi Studierendenwerk,

    Try checking the following registry key. Let me know if any drivers are waiting to be reloaded on the system(s) which require reboots.
    Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    Key: PendingFileRenameOperations

    To find out definitively, we would need to look into the updating logs to find out which specific component installed an update or ran a repair operation (similar to an over-top installation). You can find the install logs related to each component in the "C:\Windows\Temp" directory.

    If you only wish to reboot your servers every 3 months, I suggest looking into the Software packages to control updating on your systems. A Fixed term support package may be beneficial for your specific use-case. 
    - Software packages

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
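
One way to read the value named in the reply above and see whether any driver files are queued, as an added example (not part of the original thread and not Sophos tooling). It assumes the layout Windows uses for this value: a flat list of source/destination pairs, where an empty destination means the source is deleted at the next boot. The helper name `ConvertTo-PendingOperation` and the sample paths are made up for illustration.

```powershell
# Added example: decode the boot-time rename/delete queue on a Windows server.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName = 'PendingFileRenameOperations'

function ConvertTo-PendingOperation {   # hypothetical helper name
    param([string[]]$Entries)
    # The REG_MULTI_SZ value is a flat list of (source, destination) pairs.
    # Empty destination = delete the source at boot; a leading '!' on the
    # destination = replace the target if it already exists.
    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        $src = $Entries[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $Entries.Count) { $Entries[$i + 1] } else { '' }
        $dst = $dst -replace '^!?\\\?\?\\', ''
        [pscustomobject]@{
            Action      = if ($dst) { 'Rename' } else { 'Delete' }
            Source      = $src
            Destination = $dst
            # Flag anything under system32\drivers: a driver waiting to be swapped.
            IsDriver    = ("$src|$dst" -match '\\system32\\drivers\\')
        }
    }
}

# Constructed sample (not taken from a real system), used to show the decoding.
$sample = @(
    '\??\C:\Windows\TEMP\example1.tmp', '',
    '\??\C:\Windows\TEMP\example2.tmp', '!\??\C:\Windows\system32\drivers\example.sys'
)
ConvertTo-PendingOperation -Entries $sample | Format-Table -AutoSize

# Live check on the local server; the value is absent when nothing is queued.
$prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    'No PendingFileRenameOperations value: no file operations are queued for reboot.'
} else {
    $ops = @(ConvertTo-PendingOperation -Entries $prop.$ValueName)
    $ops | Format-Table -AutoSize
    $driverCount = @($ops | Where-Object IsDriver).Count
    '{0} queued operation(s), {1} touching system32\drivers' -f $ops.Count, $driverCount
}
```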
  • Thank you for the info about "PendingFileRenameOperations".

    That's what I found on servers that should be rebooted:

    \??\C:\Program Files (x86)\Common Files\Sophos\Web Intelligence\swi_fc.exe.0
    \??\C:\Program Files (x86)\Common Files\Sophos\Web Intelligence
    \??\C:\Program Files (x86)\Common Files\Sophos
    \??\C:\Program Files (x86)\Common Files\Sophos\Web Intelligence\scf.dat.0
    \??\C:\Program Files (x86)\Common Files\Sophos\Web Intelligence
    \??\C:\Program Files (x86)\Common Files\Sophos
    \??\C:\Windows\SysWOW64\SophosAV\sophos_detoured.dll.stf00
    \??\C:\Windows\system32\SophosAV\sophos_detoured_x64.dll.stf00
    \??\C:\Windows\SysWOW64\SophosAV
    \??\C:\Windows\system32\SophosAV
    \??\C:\Program Files (x86)\Sophos\Sophos Anti-Virus\
    \??\C:\Program Files (x86)\Sophos
    \??\C:\Windows\system32\drivers\SophosED_8a342f69-19fd-4919-a2bc-376d4b912329
    \??\C:\Windows\TEMP\yyd5q1qqoq4la5u1bv3gwotcc70q1e9o.tmp

    What does it say about the urgency of a reboot?

    That new feature "Scheduled Updates" is neat.

  • Some of the components shown here are quite old now and should no longer be present on the latest installations of Sophos on Server or Workstation OSes.

    Namely the following:
    - swi_fc.exe (Sophos Web Intelligence)
    - scf.dat (Sophos Web Intelligence)
    - sophos_detoured.dll.stf00 (Sophos Anti-Virus/On Access Scanning)

    Some additional information on these changes can be found in the following article. 
    - Sophos Intercept X for Windows: Product architecture changes

    If your systems are continuing to operate normally, it may not be critical to reboot right away, but I do suggest planning for this in the near future.

    Kushal Lakhan
    Team Lead, Global Community Support