This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Scheduled Scan is deactivated in policy - keeps getting started

One of our customer wanted to deactivate the Sophos Scheduled Scan on the client devices.

I changed the settings in the Threat Protection Base-Policy. But the clients still do a weekly scheduled scan.

Is there any other option in the policy settings than this one? 

I can see in the computer properties that the policy has been updated to the client.

Last Friday I also created a new Policy and assgined it to the clients to see if something changes - Nope, the clients still do a Scheduled Scan.

As you can see, one of the Client uses the newly created Policy

And the base Policy says that the scheduled scan isnt active:

In the history of the client you will see that it did a scheduled  Scan today:

I used Sophos Endpoint Self Help to check if the policys where received on the client, which also looks good:

This thread was automatically locked due to age.
  • SEDService.exe is responsible for managing the launching of the scheduled tasks.

    If there is a scheduled scan configured. it will be setup here:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service\ScheduledTasks\SophosScheduledScan

    If the the policy for the device defines there isn't one the SophosScheduledScan key shouldn't exist

    I would suggest::

    1. Check the key, assumption is it's there.

    2. Change the policy, e.g. the time of the scan, does the TaskInfo value change?

    3. Remove the scheduled scan from policy. does the key get removed.

    It might take a minute between each policy change for the setting to be reflected, assuming that MCSClient.exe is happily talking to Central.  You might want to check mcsclient.log to confirm if there is a delay:

    From a PS admin prompt:

    Get-Content 'C:\ProgramData\Sophos\Management Communications System\Endpoint\Logs\McsClient.log' -wait -tail 10

    If the task is not getting removed.  I would use ESH to enable debug logging for the SSPService.exe, do you see any logs regarding the management of the schedule?

    Prior to SEDService.exe managing the tasks it used to be a Windows Scheduled Task.  I suppose there is a chance that the old task might have been left behind during the migration. Something to check if the SophosScheduledScan key isn't present.

  • Checked it, the key was there!
    I followed your steps and checked again - now the key has been removed. 

    Thank you! 

  • Glad that got it. Not sure why it didn’t get removed the first time. Thanks for the update. 

Reply Children
No Data