PLEASE READ Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown & Spectre) for the latest updates.
This article provides information on why Guest VMs protected by Sophos for Virtual Environments may not show up in the ProtectedGVMs.log file on the Security Virtual Machine even though the Sophos Guest VM Agent has been installed.
This log files is located on the Security Virtual Machine (SVM) in:
\\<SVM IP ADDRESS>\logs\
Note. Please replace <SVM IP ADDRESS> with the IP address assigned to the SVM during the SVM installation wizard. You will need to use the username sophos and the support password specified during the installation of the SVM to access this share.
This file will only exist if at least one Guest VM has reported back to the SVM.
Applies to the following Sophos product(s) and version(s) Sophos For Virtual Environments
There are a number of reasons why machines may not appear as protected in the ProtectedGVMs.log file on the SVM. These are detailed but not limited to those below:
The Sophos Guest VM Agent does not actually perform the scanning on the Guest VM. In fact it can be considered more of an "updater" for the GVM Scanning service. Dependent on network traffic and load on the SVM and Guest VM it can take a few minutes from the time the Sophos Guest VM agent is installed before the Sophos GVM Scanning Service component is updated and installed by the Guest VM agent.
If the GVM Scanning service appears to never install correctly then please gather a set of diagnostic logs (following KBA 33556) and submit them to Sophos Support for analysis.
As the Guest VM sends information to the SVM using the network infrastructure on your estate (be it internal or external to your host) a stable network connection is required between the Guest VM agent and the SVM. Please make sure that the IP address specified in the Guest VM Agent installer is routable from the client machine.
If the Sophos GVM Scanning Service is stopped then the machine will not be reported as protected on the SVM. Please check that the Sophos GVM Scanning Service is not disabled in Windows Services and is started. If the service fails to start then please uninstall the GVM Scanning Service and reinstall the Sophos Guest VM Agent.
If the Guest VM is powered off then it will not be reporting its status back to the SVM and therefore will not be listed as protected in the ProtectedGVMs.log. Once the machine is powered on it should report in and will then be listed as protected.
As Sophos for Virtual Environments uses your network to transmit files from the Guest VMs to the SVM if the IP changes on the SVM then this connection will be lost. We require that static IPs are used on your network. To fix this either return the SVM to the correct static IP or reinstall the Guest VM Agent and point it towards the new SVM IP.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.