3 days ago one of our few Server 2012 R2 machines lost heartbeat on the firewall for no visible reason. As it is rarely used, a few users started to complain about inaccessible file shares and other problems.
On the server, I first noticed Sophos components named "legacy". Since when are they called like this?
Severity,When,Event,User,"User Groups",Device,"Device Groups","IP Address"
Low,"2023-08-22T11:04:27+02:00","Update succeeded",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
Low,"2023-08-22T10:44:47+02:00","Sophos Firewall SNXXXXXXXXXXXX reported computer resumed sending heartbeat signals",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
Low,"2023-08-22T10:44:01+02:00","Reboot to complete update; computer stays protected in the meantime",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
Low,"2023-08-22T10:36:35+02:00","Update succeeded",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
Low,"2023-08-22T10:34:40+02:00","Update succeeded",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
Low,"2023-08-22T10:33:05+02:00","Server re-protected: SERVERNAME",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
Low,"2023-08-22T10:27:06+02:00","Central management has been suspended",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
Low,"2023-08-22T10:19:08+02:00","Update succeeded",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
Low,"2023-08-22T06:04:22+02:00","Reboot to complete update; computer stays protected in the meantime",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
Low,"2023-08-21T06:04:21+02:00","Reboot to complete update; computer stays protected in the meantime",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
Low,"2023-08-20T06:04:21+02:00","Reboot to complete update; computer stays protected in the meantime",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
High,"2023-08-19T06:10:54+02:00","Sophos Firewall SNXXXXXXXXXXXX reported computer not sending heartbeat signals",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
Low,"2023-08-19T06:00:53+02:00","Scan 'Sophos Central Scheduled Scan' completed",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
Low,"2023-08-19T05:59:10+02:00","Reboot to complete update; computer stays protected in the meantime",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
Low,"2023-08-18T11:56:57+02:00","Update succeeded",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
The Google searchability of the Sophos KB is very good, so I found this KB: https://support.sophos.com/support/s/article/KB-000045533?language=en_US
Sophos Endpoint and Server - Missing Security Heartbeat on Windows legacy platforms
We activated the MR1 fix in Central:
It was the only server having this issue in our environment currently. Eventually some more may come. If agent servers have pending Sophos update reboots, it may take some time until this fix is installed.
We did not try the fix, instead reinstalled the endpoint. The behaviour of the install was a bit strange: first, after the message appeared that the computer is now protected by Sophos, the endpoint showed a message like: no Sophos components installed. Seems like a very "legacy" agent...
Even if not required, we restarted again and then the installed components were reflected by the endpoint agent. But we still had no heartbeat.
The xml file appeared only after the manual agent update and then heartbeat was established with firewall again.
Looks like Sophos is about to cut off Server 2012 R2 support as soon as it is out of MS OS support and is already preparing for that date.
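An added example, not part of the original post: the heartbeat gap in the event export quoted above sat unnoticed for about three days, so this Python sketch pairs each "not sending heartbeat signals" event with the next "resumed" event for the same device and counts the pending-reboot notices in between. The function names and the one-hour threshold are assumptions; the sample is a constructed subset of the rows quoted in the post.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: a subset of the rows quoted in the post, one per line,
# in the same column layout (device name and IP are the post's placeholders).
SAMPLE_EXPORT = """Severity,When,Event,User,"User Groups",Device,"Device Groups","IP Address"
Low,"2023-08-22T10:44:47+02:00","Sophos Firewall SNXXXXXXXXXXXX reported computer resumed sending heartbeat signals",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
Low,"2023-08-22T06:04:22+02:00","Reboot to complete update; computer stays protected in the meantime",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
Low,"2023-08-21T06:04:21+02:00","Reboot to complete update; computer stays protected in the meantime",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
Low,"2023-08-20T06:04:21+02:00","Reboot to complete update; computer stays protected in the meantime",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
High,"2023-08-19T06:10:54+02:00","Sophos Firewall SNXXXXXXXXXXXX reported computer not sending heartbeat signals",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
Low,"2023-08-19T05:59:10+02:00","Reboot to complete update; computer stays protected in the meantime",n/a,,SERVERNAME,,xxx.xxx.xxx.xxx
"""

LOST = "not sending heartbeat signals"
RESUMED = "resumed sending heartbeat signals"
REBOOT = "Reboot to complete update"

def heartbeat_outages(export_text):
    """Pair each heartbeat loss with the next resume for the same device."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["When"])
    rows.sort(key=lambda r: r["ts"])  # the export is newest-first
    open_loss, reboots, outages = {}, {}, []
    for r in rows:
        dev, event = r["Device"], r["Event"]
        if LOST in event:
            open_loss.setdefault(dev, r["ts"])  # keep the first loss of a run
            reboots.setdefault(dev, 0)
        elif dev in open_loss and REBOOT in event:
            reboots[dev] += 1  # update still waiting for a reboot during the outage
        elif dev in open_loss and RESUMED in event:
            start = open_loss.pop(dev)
            outages.append({"device": dev, "lost": start, "resumed": r["ts"],
                            "duration": r["ts"] - start,
                            "pending_reboots": reboots.pop(dev)})
    for dev, start in open_loss.items():  # never resumed within the export
        outages.append({"device": dev, "lost": start, "resumed": None,
                        "duration": None, "pending_reboots": reboots[dev]})
    return outages

def long_outages(export_text, threshold=timedelta(hours=1)):
    """Outages longer than threshold, plus any that are still open."""
    return [o for o in heartbeat_outages(export_text)
            if o["duration"] is None or o["duration"] > threshold]

if __name__ == "__main__":
    for o in long_outages(SAMPLE_EXPORT):
        print(o["device"], o["lost"], "->", o["resumed"], o["duration"], o["pending_reboots"])
```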