
Sophos System Protection service terminates unexpectedly

We have one computer where Sophos System Protection service terminates unexpectedly. It does it every Wednesday and Friday at about the same time. 

We have uninstalled and reinstalled Sophos. We have wiped and reinstalled the computer and it is still happening.

When the service stops the computer isolates which causes issues for the user.

What can be causing it? We have checked the task scheduler and there is nothing there. We have checked the events and other than the ones relating to the service stopping and restarting, there is nothing there. Are there any logs we can review to determine the cause?

Like I said this is happening on one computer out of 300.



This thread was automatically locked due to age.
  • Hi April,

    Thanks for reaching out to the Sophos Community Forum. 

    There is a neighbouring thread where similar issues were discussed. Have you tried any of the answers suggested here? 
    - Sophos System Protection Service restarted/stopped loop

    Have you observed any increase in memory usage with the SSP service as well? 

    Kushal Lakhan
    Team Lead, Global Community Support
  • Any chance a scheduled scan runs at that time or at least is still running at that time? If a scheduled scan is running Sophosscancoordinator.exe will be running. 

  • No scheduled scans running at that time

  • We think it is related to Windows Defender.  Windows Defender sees Sophos, but it still acts as if there is no antivirus and is running and does not turn off.  We have tried to edit the registry to set it to not check for AV and we are seeing if this fixes the issue.

  • Hello, is that because you know there aren't scheduled scans configured at all?

    If a scheduled scan is configured the following reg key will exist:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service\ScheduledTasks\SophosScheduledScan

    Details of the scan are in the REG_SZ TaskInfo.

    If it is configured, the log file C:\ProgramData\Sophos\Endpoint Defense\Logs\SophosScanCoordinator.log contains the following when it starts:

    2023-06-07T16:30:48.159Z [ 2936: 3064] A Starting SophosScanCoordinator
    2023-06-07T16:30:48.160Z [ 2936: 3064] I Initializing policy UserInterface from registry.
    2023-06-07T16:30:48.161Z [ 2936: 3064] I Updating policy UserInterface to version 20230607094910274075
    2023-06-07T16:30:48.161Z [ 2936: 3064] I SophosScanCoordinator launched as SYSTEM
    2023-06-07T16:30:48.161Z [ 2936: 3064] I SophosScanCoordinator launched by SCHEDULER
    2023-06-07T16:30:48.163Z [ 2936: 3064] I Adding C:\ to scan paths.
    2023-06-07T16:30:48.163Z [ 2936: 3064] I Sending 'Hello' message to SSP.
    2023-06-07T16:30:48.164Z [ 2936: 3064] I Received 'Hi' message from SSP. Using 3 exclusion(s).
    2023-06-07T16:30:48.164Z [ 2936: 3064] I Starting file scan.
    2023-06-07T16:30:48.164Z [ 2936: 8096] I Starting memory scan.
    2023-06-07T16:30:48.164Z [ 2936: 7516] I Starting Master Boot Record scan.
    2023-06-07T16:30:50.180Z [ 2936: 8096] I Total memory scan detections: 0
    2023-06-07T16:30:50.180Z [ 2936: 8096] I Finished Memory scan in 2 seconds
    2023-06-07T16:30:50.180Z [ 2936: 8096] I Starting journey from root path: \\?\C:\
    2023-06-07T16:30:52.124Z [ 2936: 7516] I Total MBR scan detections: 0
    continues.
    2023-06-07T16:01:50.167Z [ 2480: 7024] A Scan summary :
    * Objects scanned: 264972
    * Objects not scanned: 6
    * Objects inaccessible: 1215
    * Detections:

    Note the:
    launched as SYSTEM
    launched by SCHEDULER
    As a way to differentiate other times where on-demand scans are run.

    For example, from the UI of the client, it logs to the same log file but has:

    launched as SYSTEM
    launched by GUI


    If you right-click scan from Explorer, the log is actually:
    C:\ProgramData\Sophos\Sophos UI\Logs\SophosScanCoordinator.log
    But says:

    launched as USER

    In all cases SophosScanCoordinator.exe runs for the duration.  I suppose you could check in 
    C:\ProgramData\HitmanPro.Alert\Logs\sophoshmpaservice.log
    to see if there are any references to the SophosScanCoordinator.exe starting.  It will not have the end time though.

    I'd just like to be sure no on-demand or scheduled scan was running.  Thanks,
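The log check described in the post above, as an added example that is not part of the original thread and not Sophos tooling: it groups SophosScanCoordinator.log lines into scan sessions, records who launched each one, and reports which sessions could have been running at a given service-crash time. The line layout is inferred from the excerpt above, the function names are hypothetical, and the sample lines are constructed; the log timestamps end in Z (UTC), so a crash time taken from the Windows event log must be converted to UTC first.

```python
import re
from datetime import datetime, timedelta, timezone

# Line shape inferred from the excerpt above: UTC timestamp, [pid: tid], level, message.
LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{1,6})Z \[\s*(\d+):\s*\d+\] \w (.*)$")

# Constructed sample modelled on the excerpt; not real endpoint data.
SAMPLE = """\
2023-06-07T16:30:48.159Z [ 2936: 3064] A Starting SophosScanCoordinator
2023-06-07T16:30:48.161Z [ 2936: 3064] I SophosScanCoordinator launched as SYSTEM
2023-06-07T16:30:48.161Z [ 2936: 3064] I SophosScanCoordinator launched by SCHEDULER
2023-06-07T17:02:10.000Z [ 2936: 3064] A Scan summary :
* Objects scanned: 264972
2023-06-09T09:15:00.500Z [ 5120: 5300] A Starting SophosScanCoordinator
2023-06-09T09:15:00.502Z [ 5120: 5300] I SophosScanCoordinator launched as SYSTEM
2023-06-09T09:15:00.502Z [ 5120: 5300] I SophosScanCoordinator launched by GUI
2023-06-09T09:15:00.503Z [ 5120: 5300] I Starting file scan.
""".splitlines()

def scan_sessions(lines):
    """One record per 'Starting SophosScanCoordinator', tracked by PID while open."""
    sessions, current = [], {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # summary bullets and truncated lines carry no usable timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)
        pid, msg = int(m.group(2)), m.group(3)
        if msg.startswith("Starting SophosScanCoordinator"):
            current[pid] = {"pid": pid, "start": ts, "last": ts, "as": None, "by": None, "finished": False}
            sessions.append(current[pid])
        s = current.get(pid)
        if s is None:
            continue  # the start of this session is not in the file (rotated log)
        s["last"] = ts
        if msg.startswith("SophosScanCoordinator launched as "):
            s["as"] = msg.rsplit(" ", 1)[1]
        elif msg.startswith("SophosScanCoordinator launched by "):
            s["by"] = msg.rsplit(" ", 1)[1]
        elif msg.startswith("Scan summary"):
            s["finished"] = True
    return sessions

def scans_near(sessions, crash_utc, slack=timedelta(minutes=5)):
    """Sessions that may have been running at crash_utc (timezone-aware, UTC).
    A session that never logged 'Scan summary' is treated as open-ended."""
    return [s for s in sessions
            if s["start"] - slack <= crash_utc
            and (not s["finished"] or crash_utc <= s["last"] + slack)]
```

Feed `scan_sessions` the lines of both log files named in the post (the Endpoint Defense one and the Sophos UI one), then call `scans_near` once per crash timestamp; an empty result for every crash supports the "no scan was running" statement.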

  • As I already said, no scheduled scans at that time nor any on-demand tasks at that time.

  • Is it a server?

    MsMpEng.exe must not run. If it runs, Defender is enabled.

  • In that case I would:

    - Disable Tamper Protection. 
    - Configure via ESH to enable Debug logging for SSPService.exe. 
    - Change the recovery mode of the service to take no action:

    - Disable updating by renaming "C:\Program Files\Sophos\AutoUpdate\SophosLaunchUpdate.exe" to "C:\Program Files\Sophos\AutoUpdate\SophosLaunchUpdate.exe.off". This will prevent RepairKit from running to re-start the service if it crashes.

    - Create C:\dumps\
    - Download ProcDump - Sysinternals | Microsoft Learn so you have C:\dumps\procdump.exe
    - Run in an admin prompt:
    C:\dumps\procdump -ma -i C:\dumps

    If you do this prior to the issue, when it next happens you will have:
    - Debug logging of SSPService.exe up to the point of the crash.
    - A crash dump of the process under C:\dumps\.  There might even be 2 but the first is sufficient. The logs will give context to the dump.

    I would send this info to Sophos along with an SDU, which can be run from ESH and you can submit the file directly to Sophos and just provide the filename shown.

    You can undo all the config changes and remove the configuration of procdump by running procdump -u