One of our customers wanted to deactivate the Sophos Scheduled Scan on the client devices.
I changed the settings in the Threat Protection Base-Policy. But the clients still do a weekly scheduled scan.
Is there any other option in the policy settings than this one?
I can see in the computer properties that the policy has been updated to the client.
Last Friday I also created a new policy and assigned it to the clients to see if something changes - nope, the clients still do a scheduled scan.
As you can see, one of the clients uses the newly created policy:
And the base policy says that the scheduled scan isn't active:
In the history of the client you will see that it did a scheduled Scan today:
I used Sophos Endpoint Self Help to check if the policies were received on the client, which also looks good:
Hi DnielTamb,
Thanks for reaching out to the Sophos Community Forum.
As an initial step, could you try cloning the current policy you have, then re-apply the cloned policy to the device?
Try checking the following registry location as well.
- HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\<version>\scheduled_scans
SEDService.exe is responsible for managing the launching of the scheduled tasks.
If there is a scheduled scan configured, it will be set up here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service\ScheduledTasks\SophosScheduledScan
If the policy for the device defines there isn't one, the SophosScheduledScan key shouldn't exist.
I would suggest:
1. Check the key, assumption is it's there.
2. Change the policy, e.g. the time of the scan, does the TaskInfo value change?
3. Remove the scheduled scan from policy. Does the key get removed?
It might take a minute between each policy change for the setting to be reflected, assuming that MCSClient.exe is happily talking to Central. You might want to check mcsclient.log to confirm if there is a delay:
From a PS admin prompt:
Get-Content 'C:\ProgramData\Sophos\Management Communications System\Endpoint\Logs\McsClient.log' -wait -tail 10
If the task is not getting removed, I would use ESH to enable debug logging for the SSPService.exe. Do you see any logs regarding the management of the schedule?
Prior to SEDService.exe managing the tasks it used to be a Windows Scheduled Task. I suppose there is a chance that the old task might have been left behind during the migration. Something to check if the SophosScheduledScan key isn't present.
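The registry and task checks suggested above, gathered into one read-only PowerShell function (an added example, not part of the original replies and not Sophos tooling). The function name and the '*Sophos*' filter for a leftover Windows task are assumptions; the registry paths and the TaskInfo value name are the ones quoted in the thread.

```powershell
# Added example: read-only check of where a scheduled scan can still be defined.
# Run from an elevated PowerShell prompt on the affected client.
$policyRoot = 'HKLM:\SOFTWARE\Sophos\Management\Policy\ThreatProtection'
$taskKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service\ScheduledTasks\SophosScheduledScan'

function Get-SophosScheduledScanState {   # hypothetical helper name
    $state = [ordered]@{
        PolicyScanKeys = @()
        TaskKeyPresent = Test-Path -LiteralPath $taskKey
        TaskInfo       = $null
        LegacyTasks    = @()
    }

    # The policy sits under a <version> subkey, so enumerate it instead of guessing.
    if (Test-Path -LiteralPath $policyRoot) {
        $state.PolicyScanKeys = @(Get-ChildItem -LiteralPath $policyRoot |
            ForEach-Object { "Registry::$($_.Name)\scheduled_scans" } |
            Where-Object { Test-Path -LiteralPath $_ })
    }

    # TaskInfo should change when the scan time in the policy changes (step 2).
    if ($state.TaskKeyPresent) {
        $ti = (Get-ItemProperty -LiteralPath $taskKey -ErrorAction SilentlyContinue).TaskInfo
        # Assumption: the value type is not stated in the thread; show binary data as hex.
        if ($ti -is [byte[]]) { $ti = [BitConverter]::ToString($ti) }
        $state.TaskInfo = $ti
    }

    # Assumption: a task left over from before SEDService.exe took over would
    # carry "Sophos" in its name or folder.
    $state.LegacyTasks = @(Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like '*Sophos*' -or $_.TaskPath -like '*Sophos*' } |
        ForEach-Object { $_.TaskPath + $_.TaskName })

    [pscustomobject]$state
}

# A policy change can take a minute to reach the client, so sample a few times.
1..5 | ForEach-Object {
    $s = Get-SophosScheduledScanState
    '{0:T}  key present: {1}  TaskInfo: {2}  legacy tasks: {3}' -f `
        (Get-Date), $s.TaskKeyPresent, $s.TaskInfo, ($s.LegacyTasks -join ', ')
    Start-Sleep -Seconds 30
}
```

If the key stays present after the scan is removed from policy and McsClient.log shows the policy arriving, that is the point to enable debug logging as described above.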
Checked it, the key was there!
I followed your steps and checked again - now the key has been removed.
Thank you!
Glad that got it. Not sure why it didn’t get removed the first time. Thanks for the update.