Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.______________________________________________________________________________________________________________________________
This will guide you to perform initial troubleshooting for Sophos Live Response connection issues.
Applies to the following Sophos product(s) and version(s) Sophos Central Endpoint with XDR or MTR licenses.
Live Response is a central based Threat hunting / Troubleshooting tool. It allows the central administrators to connect to the Sophos managed endpoints and servers via a secure elevated CMD terminal session.
The session created through the central console is a full instance of CMD, it can perform any actions that an elevated CMD can do locally on the endpoint device.
The central administrators can use the session to investigate and remediate possible security issues within their company network, and they can stop suspicious processes, restart devices, browse folders, delete files, and more.
Before we can connect to the endpoint devices via Live Response, we will have to make sure the connection can be established first. This article will show you what you can do to perform initial troubleshooting for connection issues from your Sophos Central console to the device in question via Live Response.
From the Central console side:
Make sure the basic requirements for Live Response are fulfilled in the Central console
Live Response is a per device session, we can start a session by going to the devices’ main information page. The Live Response button can be found on the left-hand side of the page. By default, the “Live Response” button is greyed out. To start using Live Response, make sure the following conditions are fulfilled.
Before we can use Live Response, it needs to be activated by toggling “Allow Live Response connections to computers” to the right.
These are the basic requirements that need to be fulfilled. Otherwise, the following warning will pop up when you point your mouse to the Live Response button.
If the endpoint is indeed turned on physically but the Live Response button still shows Offline, we should check whether the Sophos MCS services are up and running on the endpoint device. If not, start them up manually and see if they will stay running. Otherwise, raise support case to Sophos support and we will help you resolve it.
Once we have all the above conditions covered, the Live Response button should light up and we should be able to click on the button to open the session in a new browser tab.
Note: Some browser addons might block the session popup, if this happens, add exclusion to the site or disable the browser addon when we need to connect.
From the endpoint side:
After checking everything from the console side, if the Live Response connection still cannot be established, we should take a look at the endpoint device we want to connect to.
To determine if Live Response was installed successfully, we can check if the Program Files\Sophos\Live Terminal folder exists.
If this folder is missing, try to disable Tamper Protection* and trigger an update to see if it is re-installed. If it is still not installed, raise a support case with Sophos support and our engineers will assist you to resolve the issue.
* Disable Tamper Protection: https://support.sophos.com/support/s/article/KB-000036125?language=en_US
The folder should contain the following files, if the folder exists but is missing some files, use the same method above to address the issue.
The two main components of Live Response are Sophos-live-terminal.exe and Sophos-winpty-agent.exe.
These two executables should both show up for a successful Live Response connection, if either one of them is missing, the connection from the console will fail. Contact Sophos support if you face this issue.
Hopefully, you’ll find these simple tips helpful in troubleshooting Live Response connection issues. Have a lovely day.