While Restoring a VM Server with Sophos on it, Are there any pre requisites from Sophos Endpoint perspective ?

Hi blueskies,

Thanks for reaching out to the Sophos Community Forum.

Could you elaborate on what symptoms you're seeing currently? Generally, the update processes will perform self-repair operations where needed. 

If the entire system image is taken from a previous state, this may cause some brief discrepancies with reporting and component versions, but after updating the device should return to operating normally.

Restore of VMs are not planned for us to disable tamper in Advance, As part of our backup policy Snapshots are taken for few servers as per schedule and based on the scenarios there we might try restoring VM

Scenarios where we could restore VMs

• Data Corruption or Loss
• Software or OS Updates Gone Wrong
• Security Incidents
• Testing and Development
• Disaster Recovery

Now about events are not planned but can occur anytime, Thus my question again what is the official recommendation? When a snapshot is restored and when a snapshot is taken is there any recommendation?

Regards to Sophos broken,

The Sophos UI does not appear on the Server to disable tamper and try restarting service or any t/s.

Current status of Server on Central - Last Sophos Central Activity a month ago | Last Agent Update a month ago

Only fix to this is Booting in REcovery mode to re install SOphos as SAFE mode is ruled out.

Restore of VMs are not planned for us to disable tamper in Advance, As part of our backup policy Snapshots are taken for few servers as per schedule and based on the scenarios there we might try restoring VM

Scenarios where we could restore VMs

• Data Corruption or Loss
• Software or OS Updates Gone Wrong
• Security Incidents
• Testing and Development
• Disaster Recovery

Now about events are not planned but can occur anytime, Thus my question again what is the official recommendation? When a snapshot is restored and when a snapshot is taken is there any recommendation?

Regards to Sophos broken,

The Sophos UI does not appear on the Server to disable tamper and try restarting service or any t/s.

Current status of Server on Central - Last Sophos Central Activity a month ago | Last Agent Update a month ago

Only fix to this is Booting in REcovery mode to re install SOphos as SAFE mode is ruled out.

When these issues occur upon restoration, could you try running the following command line to disable Tamper Protection? 
- SEDcli.exe -OverrideTPoff <password>

Once this is done, I'd suggest running the following command line with a new installer package. 
- SophosSetup.exe --registeronly 

May I ask on what schedule the backups are taken? There is a possibility that if the backup is running a much older version of components, this could cause the issues you're experiencing.

If you have a device still in the erroneous state, I'd suggest gathering an SDU log from the device. I will contact you via PM to request the logs to take a closer look.

The CLI does not work as there no SEDCLI in the directory 

It was restored from last weeks backup 

I already have reported a case to Sophos and i did not get a proper answers on 

- When a VM is restored from a SNAPSHOT Backup why does it go into bad state

- Why is the KEY not working 

Last option we see is  Sophos has changed SAFE Mode T/s to Recovery Mode method for un install or re install the VM

SDU logs sharing has not helped us

Can you replicate the behaviour you observed when restoring from a backup each time you perform this operation or is this the first occurrence you've seen? 

When checking on your opened support case related to this issue, I'm unable to find an SDU log provided. Could you share an SDU with me via PM so I may take a look?