If Sophos Anti-Virus is removed from a message relay server, and that computer is then reinstalled as a message relay server, any previously unsent messages on the workstations reporting to the server are not forwarded to the computer running Enterprise Console, but are left unsent. Also, no new messages are sent until the Sophos Agent has been restarted.
First seen in Sophos Anti-Virus for Windows 2000+ 7.6.21
If a server is installed as a message relay server, and Sophos Anti-Virus is then removed from it while workstations are attached to it, those workstations will no longer communicate with the main console server. If Sophos Anti-Virus is then reinstalled on the old message relay server, and the server is again established as a message relay server using the same Central Installation Directory (CID) as before, and to manage the same workstations, then when a 'Comply' message is sent to those workstations the unsent messages remain unsent. No messages are received from the workstations, either.
This happens because, during installation, the message relay router is given a token type ID which forms part of the router address used by the Sophos Remote Management System (RMS). When it is reinstalled, it is given a different ID, but the unsent messages still use the old ID.
If the Sophos Agent is restarted on the workstations, all new messages will be sent correctly. However, the old messages will remain in the envelopes folder because they point to the wrong router address.