
Exploits in RCA and support question

New Sophos Central user, migrating from Enterprise. I have asked for support on a few issues but never received an answer, so I'll try here.

Why are we getting continual exploit alerts listed only under Root Cause Analysis, but no alerts? Most are for cleanmgr.exe or flash updater.

Several of the computers we migrated show an error that the Data Recorder is not working. How do we fix this? We also have a few with the Web Intelligence service not running or missing.

Why doesn't Sophos respond to my support ticket submitted last week? #6610183

Thanks,



  • Hi,

    For those computers missing the swi_service (I am assuming it's just swi_service), this article https://community.sophos.com/kb/en-us/121905 might help restore it.  I'd re-run the re-register commands.

    I guess there is a chance that service may have been missing for a while and it's only just now being flagged up in Central as part of Health reporting on service status.

    I am aware of an older issue where that service was sometimes lost if the computer was managed by a Sophos Web Appliance.  Also it could be lost if another process opened the swi_service and left a handle to it.  When the Sophos installer attempted to remove the service as part of an update, the service would be marked for deletion by Windows.  When the installer tried to add it back a few seconds later it could not because of the state.  It's not deemed fatal enough to the installer to roll back the install.  The third-party application was fixed to close the handle when done.  So there are a few potential reasons.

    Are the computers running the latest version of Sophos HitmanPro, in that they have rebooted recently?  Updates to that component take place at startup as pending rename operations.  I believe there is an event log entry from HitmanPro to say a version upgrade will happen and a reboot is required.

    Regarding the Sophos Data Recorder - there should be an sdr log file under \ProgramData\Sophos Data Recorder\ (I'm assuming that is the location, but it is under \ProgramData\).  Does that have an error message that could help?

    Regards,

    Jak


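The checks Jak describes (is swi_service registered or stuck "marked for deletion", is a HitmanPro update still waiting on a reboot via pending rename operations, and what does the Data Recorder log say) can be scripted so they can be run across the migrated machines. The PowerShell below is an added example, not code from the original post or from Sophos. It assumes the service name swi_service from the reply; the Data Recorder log folder, the DeleteFlag registry value that the Windows service controller writes for a service marked for deletion, and the HitmanPro event-log provider name are assumptions to verify on a real endpoint.

```powershell
# Added example: endpoint health checks for the issues discussed in this thread.
# Run in an elevated PowerShell session on the affected endpoint.

function Test-SwiService {
    # swi_service is the Web Intelligence service name given in the reply.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\swi_service'
    $svc = Get-Service -Name 'swi_service' -ErrorAction SilentlyContinue
    $result = [ordered]@{ Registered = [bool]$svc; Status = $null; MarkedForDeletion = $false }
    if ($svc) {
        $result.Status = $svc.Status.ToString()
    }
    # Assumption: when a service is deleted while another process still holds a
    # handle to it, the SCM leaves the key in place with DeleteFlag = 1 until reboot.
    # Re-registering in that state fails, so a reboot comes first.
    if (Test-Path $svcKey) {
        $flag = (Get-ItemProperty -Path $svcKey -Name 'DeleteFlag' -ErrorAction SilentlyContinue).DeleteFlag
        if ($flag -eq 1) { $result.MarkedForDeletion = $true }
    }
    return [pscustomobject]$result
}

function Get-PendingSophosRenames {
    # PendingFileRenameOperations is the mechanism the reply says HitmanPro uses
    # to swap files in at startup; Sophos/HitmanPro entries mean a reboot is owed.
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = (Get-ItemProperty -Path $smKey -Name 'PendingFileRenameOperations' `
        -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $pending) { return @() }
    return @($pending | Where-Object { $_ -and $_ -match 'Sophos|HitmanPro' })
}

function Get-HitmanProRebootEvents {
    param([int]$Days = 14)
    # Assumption: the provider name contains "HitmanPro"; adjust after checking
    # one machine with Get-WinEvent -ListProvider '*Hitman*'.
    Get-WinEvent -LogName Application -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*HitmanPro*' -and
                       $_.TimeCreated -gt (Get-Date).AddDays(-$Days) -and
                       $_.Message -match 'reboot|restart' } |
        Select-Object TimeCreated, Id, Message
}

function Get-SdrLogErrors {
    param([int]$Tail = 20)
    # Assumption: log folder name taken from the reply; verify on an endpoint.
    $dir = Join-Path $env:ProgramData 'Sophos Data Recorder'
    if (-not (Test-Path $dir)) { return "SDR log folder not found: $dir" }
    $log = Get-ChildItem -Path $dir -Filter '*.log' -Recurse -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $log) { return "No .log files under $dir" }
    Get-Content -Path $log.FullName -ErrorAction SilentlyContinue |
        Where-Object { $_ -match 'error|fail|exception' } |
        Select-Object -Last $Tail
}

# Report
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
"Last boot: $boot"
"--- swi_service ---"
Test-SwiService | Format-List
"--- Pending Sophos/HitmanPro rename operations ---"
$renames = Get-PendingSophosRenames
if ($renames.Count -eq 0) { 'none' } else { $renames }
"--- HitmanPro reboot-required events (last 14 days) ---"
Get-HitmanProRebootEvents | Format-Table -AutoSize
"--- Recent errors in the Data Recorder log ---"
Get-SdrLogErrors
```

If Test-SwiService reports MarkedForDeletion, reboot before attempting the re-register steps from KB 121905; if pending rename entries are listed, the HitmanPro update has not been applied yet and a reboot is needed before comparing versions in Central.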