Issue – Upgrade from Spectrum 0.6 to 0.7 will fail if Sophos Clean has put the computer into ‘lockdown’
Spectrum 0.6 runs Sophos Clean whenever ransomware or an exploit is detected. If Sophos Clean finds something, the registry is locked down until the next reboot; this helps to ensure that re-infection does not happen. Lockdown is cleared on the next reboot, once the malware has been fully removed. If, however, an endpoint upgrades from 0.6 to 0.7 whilst the computer is in lockdown mode, the upgrade will fail and several components (including SAU) will be removed.
How do I know Sophos Clean found something and put the computer in lockdown?
Check for any SophosClean_<timestamp>.log files in C:\ProgramData\Sophos\Clean\Logs. A new log is created every time Sophos Clean runs. Review the logs to see whether malware was detected – if so, the computer is likely to be in lockdown.
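Because lockdown only persists until the next reboot, the logs that matter are the ones written since the computer last booted. The following PowerShell check is an added example, not part of the Sophos article: it lists Sophos Clean logs in the directory named above that are newer than the last boot time, so an administrator can review just those before applying the upgrade. It does not parse the log contents, as their format is not described here.

```powershell
# Added example: list Sophos Clean logs written since the last boot.
# Lockdown set by Sophos Clean is cleared on reboot, so only logs newer
# than the boot time can indicate a computer that is still locked down.
$logDir = 'C:\ProgramData\Sophos\Clean\Logs'   # directory named in the article

# Last boot time from CIM (Win32_OperatingSystem.LastBootUpTime)
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

if (-not (Test-Path -LiteralPath $logDir)) {
    Write-Output "No Sophos Clean log directory found at $logDir (Sophos Clean has not run here)."
    return
}

# One log per Sophos Clean run; keep only those written after the last boot
$recent = @(Get-ChildItem -LiteralPath $logDir -Filter 'SophosClean_*' -File |
    Where-Object { $_.LastWriteTime -gt $lastBoot })

if ($recent.Count -eq 0) {
    Write-Output "No Sophos Clean logs since last boot ($lastBoot): no sign of an active lockdown."
} else {
    Write-Output "Sophos Clean ran $($recent.Count) time(s) since last boot ($lastBoot)."
    Write-Output "Review these logs for detections; if malware was found, reboot before upgrading:"
    $recent | Sort-Object LastWriteTime | ForEach-Object {
        Write-Output ("  {0}  {1}" -f $_.LastWriteTime, $_.FullName)
    }
}
```

Run it in an elevated PowerShell session on the endpoint before pushing the 0.7 update; a non-empty list means the computer should be rebooted first.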
How do I prevent the upgrade from failing?
Ensure your endpoint is rebooted before the update is applied.
How do I identify affected endpoints that failed the upgrade because of this?
The local endpoint health reported in the XGUI will be red. The events panel in XGUI will show that several services are missing from the endpoint.
Endpoint health reported in Central will also be red.
How do I remediate a broken endpoint?
Options:
- As a local administrator, run the SAU installer found in: C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sau
  This will reinstall the updating component, and on the next update it will reinstall any broken components.
- Uninstall the endpoint from “Add Remove Programs”, then download the installer from Central and reinstall.