
Sophos System Protection service terminates unexpectedly

We have one computer where Sophos System Protection service terminates unexpectedly. It does it every Wednesday and Friday at about the same time. 

We have uninstalled and reinstalled Sophos. We have wiped and reinstalled the computer and it is still happening.

When the service stops the computer isolates which causes issues for the user.

What can be causing it? We have checked the task scheduler and there is nothing there. We have checked the events and other than the ones relating to the service stopping and restarting, there is nothing there. Are there any logs we can review to determine the cause?

Like I said, this is happening on one computer out of 300.

  • Any chance a scheduled scan runs at that time or at least is still running at that time? If a scheduled scan is running Sophosscancoordinator.exe will be running. 

  • No scheduled scans running at that time

  • Hello, is that because you know there aren't scheduled scans configured at all?

    If a scheduled scan is configured the following reg key will exist:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service\ScheduledTasks\SophosScheduledScan

    Details of the scan are in the REG_SZ TaskInfo.

    If it is configured, the log file C:\ProgramData\Sophos\Endpoint Defense\Logs\SophosScanCoordinator.log contains the following when it starts:

    2023-06-07T16:30:48.159Z [ 2936: 3064] A Starting SophosScanCoordinator
    2023-06-07T16:30:48.160Z [ 2936: 3064] I Initializing policy UserInterface from registry.
    2023-06-07T16:30:48.161Z [ 2936: 3064] I Updating policy UserInterface to version 20230607094910274075
    2023-06-07T16:30:48.161Z [ 2936: 3064] I SophosScanCoordinator launched as SYSTEM
    2023-06-07T16:30:48.161Z [ 2936: 3064] I SophosScanCoordinator launched by SCHEDULER
    2023-06-07T16:30:48.163Z [ 2936: 3064] I Adding C:\ to scan paths.
    2023-06-07T16:30:48.163Z [ 2936: 3064] I Sending 'Hello' message to SSP.
    2023-06-07T16:30:48.164Z [ 2936: 3064] I Received 'Hi' message from SSP. Using 3 exclusion(s).
    2023-06-07T16:30:48.164Z [ 2936: 3064] I Starting file scan.
    2023-06-07T16:30:48.164Z [ 2936: 8096] I Starting memory scan.
    2023-06-07T16:30:48.164Z [ 2936: 7516] I Starting Master Boot Record scan.
    2023-06-07T16:30:50.180Z [ 2936: 8096] I Total memory scan detections: 0
    2023-06-07T16:30:50.180Z [ 2936: 8096] I Finished Memory scan in 2 seconds
    2023-06-07T16:30:50.180Z [ 2936: 8096] I Starting journey from root path: \\?\C:\
    2023-06-07T16:30:52.124Z [ 2936: 7516] I Total MBR scan detections: 0
    continues.
    2023-06-07T16:01:50.167Z [ 2480: 7024] A Scan summary :
    * Objects scanned: 264972
    * Objects not scanned: 6
    * Objects inaccessible: 1215
    * Detections:

    Note the:
    launched as SYSTEM
    launched by SCHEDULER
    As a way to differentiate other times where on-demand scans are run.

    For example, from the UI of the client, it logs to the same log file but has:

    launched as SYSTEM
    launched by GUI


    If you right-click scan from Explorer, the log is actually:
    C:\ProgramData\Sophos\Sophos UI\Logs\SophosScanCoordinator.log
    But says:

    launched as USER

    In all cases SophosScanCoordinator.exe runs for the duration.  I suppose you could check in 
    C:\ProgramData\HitmanPro.Alert\Logs\sophoshmpaservice.log
    to see if there are any references to SophosScanCoordinator.exe starting.  It will not have the end time though.

    I'd just like to be sure no on-demand or scheduled scan was running.  Thanks,
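    To answer the "are there any logs we can review" part with the log format shown in this post, here is an added Python helper (not Sophos code and not the poster's) that parses the SophosScanCoordinator.log line shape above, groups lines into scan sessions by pid with their "launched as/by" values, and reports which scans were still running at the time the service stopped; the sample lines are constructed to mirror the excerpt, and the crash time is an assumed value.

    ```python
    import re
    from datetime import datetime, timezone

    # Line shape copied from the log excerpt: <ISO-8601 UTC> [ <pid>: <tid>] <level> <message>
    LINE_RE = re.compile(r"^(\S+Z) \[\s*(\d+):\s*(\d+)\] ([A-Z]) (.*)$")

    def parse_ts(ts):
        return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

    def parse_sessions(lines):
        """Group lines into per-pid sessions: start, 'launched as/by', summary time."""
        sessions, open_by_pid = [], {}
        for line in lines:
            m = LINE_RE.match(line.strip())
            if not m:
                continue  # summary bullets and other non-log lines
            ts, pid, _tid, _level, msg = m.groups()
            when = parse_ts(ts)
            if msg.startswith("Starting SophosScanCoordinator"):
                s = {"pid": int(pid), "start": when, "end": None, "as": None, "by": None}
                open_by_pid[pid] = s
                sessions.append(s)
                continue
            s = open_by_pid.get(pid)
            if s is None:
                continue
            if msg.startswith("SophosScanCoordinator launched as "):
                s["as"] = msg.rsplit(" ", 1)[1]
            elif msg.startswith("SophosScanCoordinator launched by "):
                s["by"] = msg.rsplit(" ", 1)[1]
            elif msg.startswith("Scan summary"):
                s["end"] = when  # stays None if the process never wrote a summary
                del open_by_pid[pid]
        return sessions

    def scans_active_at(sessions, when):
        """Sessions started at or before `when` that had not yet logged a summary."""
        return [s for s in sessions if s["start"] <= when and (s["end"] is None or when <= s["end"])]

    # Constructed sample: a Wednesday scheduled scan that finished, and a Friday GUI scan with no summary.
    SAMPLE_LOG = """\
    2023-06-07T16:30:48.159Z [ 2936: 3064] A Starting SophosScanCoordinator
    2023-06-07T16:30:48.161Z [ 2936: 3064] I SophosScanCoordinator launched as SYSTEM
    2023-06-07T16:30:48.161Z [ 2936: 3064] I SophosScanCoordinator launched by SCHEDULER
    2023-06-07T17:01:50.167Z [ 2936: 3064] A Scan summary :
    * Objects scanned: 264972
    2023-06-09T09:12:00.000Z [ 4120: 5200] A Starting SophosScanCoordinator
    2023-06-09T09:12:00.002Z [ 4120: 5200] I SophosScanCoordinator launched as SYSTEM
    2023-06-09T09:12:00.002Z [ 4120: 5200] I SophosScanCoordinator launched by GUI
    """
    ```

    Feed it the real log with the service-stop timestamp from the System event log; an empty result from scans_active_at for that time rules scans out as the trigger.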

  • As I already said, no scheduled scans at that time nor any on-demand tasks at that time.

  • In that case I would:

    - Disable Tamper Protection. 
    - Configure via ESH to enable Debug logging for SSPService.exe. 
    - Change the recovery mode of the service to take no action.

    - Disable updating by renaming "C:\Program Files\Sophos\AutoUpdate\SophosLaunchUpdate.exe" to "C:\Program Files\Sophos\AutoUpdate\SophosLaunchUpdate.exe.off". This will prevent RepairKit from running to re-start the service if it crashes.

    - Create C:\dumps\
    - Download ProcDump - Sysinternals | Microsoft Learn so you have C:\dumps\procdump.exe
    - Run in an admin prompt:
    C:\dumps\procdump -ma -i C:\dumps

    If you do this prior to the issue, when it next happens you will have:
    - Debug logging of SSPService.exe up to the point of the crash.
    - A crash dump of the process under C:\dumps\.  There might even be 2 but the first is sufficient. The logs will give context to the dump.

    I would send this info to Sophos along with an SDU, which can be run from ESH; you can submit the file directly to Sophos and just provide the filename shown.

    You can undo all the config changes and remove the configuration of procdump by running procdump -u
