Sophos Central Endpoint: Wonder how to perform initial troubleshooting for connection issues with Live Response

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.
______________________________________________________________________________________________________________________________

Overview

This article guides you through initial troubleshooting of Sophos Live Response connection issues.

Applies to the following Sophos product(s) and version(s)
Sophos Central Endpoint with XDR or MTR licenses.

Introduction

Live Response is a Sophos Central based threat hunting and troubleshooting tool. It allows Central administrators to connect to Sophos-managed endpoints and servers through a secure, elevated CMD terminal session.

The session created through the Central console is a full instance of CMD; it can perform any action that an elevated CMD can perform locally on the endpoint device.

Central administrators can use the session to investigate and remediate possible security issues within their company network: they can stop suspicious processes, restart devices, browse folders, delete files, and more.

Before we can work on an endpoint device via Live Response, the connection itself has to be established. This article shows what you can do to perform initial troubleshooting of connection issues from your Sophos Central console to the device in question.

Troubleshooting steps you can follow

From the Central console side:

Make sure the basic requirements for Live Response are fulfilled in the Central console.

Live Response is a per-device session. You start a session from the device's main information page, where the Live Response button is on the left-hand side. By default, the "Live Response" button is greyed out. To start using Live Response, make sure the following conditions are fulfilled.

  1. Ensure Live Response is enabled in the Global Settings menu of Sophos Central.

     Before you can use Live Response, it must be activated by toggling "Allow Live Response connections to computers" to the right.

  2. Ensure the logged-in user has the Super Admin role or a role that includes "Start Live Response sessions on computers". Multi-factor authentication must also be set up correctly for these users.

     These are the basic requirements that need to be fulfilled. Otherwise, a warning will pop up when you point your mouse at the Live Response button.

  3. Ensure the endpoint device you are about to connect to is powered on. Otherwise, a warning will pop up when you point your mouse at the Live Response button.

     If the endpoint is physically turned on but the Live Response button still shows Offline, check whether the Sophos MCS services are up and running on the endpoint device. If they are not, start them manually and see whether they stay running. Otherwise, raise a support case with Sophos Support and we will help you resolve it.

Once all of the above conditions are met, the Live Response button should light up, and clicking it opens the session in a new browser tab.

Note: Some browser add-ons might block the session pop-up. If this happens, add an exclusion for the site or disable the add-on while you need to connect.

From the endpoint side:

If the Live Response connection still cannot be established after checking everything on the console side, take a look at the endpoint device you want to connect to.

  1. Ensure Live Response was installed successfully.

     To determine whether Live Response was installed successfully, check that the Program Files\Sophos\Live Terminal folder exists.

     If this folder is missing, try disabling Tamper Protection* and triggering an update to see whether it is re-installed. If it is still not installed, raise a support case with Sophos Support and our engineers will assist you in resolving the issue.

     * Disable Tamper Protection: https://support.sophos.com/support/s/article/KB-000036125?language=en_US

     The folder should contain the Live Response files. If the folder exists but some files are missing, use the same method above to address the issue.

  2. Ensure both Live Response components show up in Task Manager.

     The two main components of Live Response are Sophos-live-terminal.exe and Sophos-winpty-agent.exe.

     Both executables must be present for a successful Live Response connection. If either one is missing, the connection from the console will fail. Contact Sophos Support if you face this issue.
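
The endpoint-side checks above (the Sophos MCS services from the console-side section, the Live Terminal folder, and the two component processes) can be collected in one read-only PowerShell script run on the endpoint. This is an added example, not Sophos tooling or code from the original article; it assumes the MCS services can be found by the display-name prefix "Sophos MCS" and that Live Response is installed under the 64-bit Program Files folder, neither of which the article states.

```powershell
# Added example (not Sophos's own tooling): consolidates the endpoint-side checks from this
# article into one read-only report. Run it in an elevated PowerShell prompt on the endpoint
# that Sophos Central cannot reach. It changes nothing; it only reports what it finds.
# Assumptions (not stated in the article): services are matched by the display-name prefix
# "Sophos MCS", and the install root is $env:ProgramFiles (64-bit Program Files).

$results = [System.Collections.Generic.List[object]]::new()

function Add-Result {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    $status = if ($Ok) { 'PASS' } else { 'FAIL' }
    $results.Add([pscustomobject]@{ Check = $Check; Status = $status; Detail = $Detail })
}

# 1. The Sophos MCS services must be running; otherwise the device shows as Offline in Central.
$mcs = Get-Service | Where-Object { $_.DisplayName -like 'Sophos MCS*' }
if (-not $mcs) {
    Add-Result 'MCS services present' $false 'No service with display name "Sophos MCS*" found'
} else {
    foreach ($svc in $mcs) {
        Add-Result "Service: $($svc.DisplayName)" ($svc.Status -eq 'Running') "Status=$($svc.Status), StartType=$($svc.StartType)"
    }
}

# 2. The Live Terminal folder must exist and should contain the two component executables.
$liveTerminal = Join-Path $env:ProgramFiles 'Sophos\Live Terminal'
$folderExists = Test-Path -LiteralPath $liveTerminal
Add-Result 'Live Terminal folder exists' $folderExists $liveTerminal

$components = @('Sophos-live-terminal.exe', 'Sophos-winpty-agent.exe')
if ($folderExists) {
    foreach ($file in $components) {
        $path = Join-Path $liveTerminal $file
        Add-Result "File present: $file" (Test-Path -LiteralPath $path) $path
    }
}

# 3. Both Live Response components should be visible as running processes (as in Task Manager).
foreach ($file in $components) {
    $name = [System.IO.Path]::GetFileNameWithoutExtension($file)
    $proc = Get-Process -Name $name -ErrorAction SilentlyContinue
    $detail = if ($proc) { "PID(s): $($proc.Id -join ', ')" } else { 'not running' }
    Add-Result "Process running: $file" ([bool]$proc) $detail
}

$results | Format-Table -AutoSize

$failed = @($results | Where-Object { $_.Status -eq 'FAIL' })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} check(s) failed. Follow the remediation in the article: start the MCS services, " +
                   "disable Tamper Protection and trigger an update, or raise a Sophos support case.") -f $failed.Count
}
```

Run the script while you attempt the connection from Sophos Central so the process check reflects the session state, and save the table output to attach to a support case if any check fails. The script deliberately does not start services or modify files; starting a stopped MCS service manually (Start-Service) is the step the article leaves to the administrator.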


Hopefully, you’ll find these simple tips helpful in troubleshooting Live Response connection issues. Have a lovely day.



Formatting changes
[edited by: Yashraj at 9:05 AM (GMT -8) on 4 Mar 2022]