This article explains what the Envelopes folder is used for and some causes for the buildup of files within it.
Applies to the following Sophos product(s): Sophos Endpoint Security and Control
The Sophos Remote Management System is used for communication between endpoint computers and the management server. The Envelopes folder is a staging location for messages that are pending delivery to the Sophos Enterprise Console or endpoint computers. The message files may contain policy changes or status notifications, event or alert notifications, or the update status of the endpoint. They can also contain commands for the endpoint to carry out, such as to Update Now or to perform a full system scan.
By default, the Envelopes folder is in the following location:
\ProgramData\Sophos\Remote Management System\3\Router\Envelopes\
\Documents and Settings\All Users\Application Data\Sophos\Remote Management System\3\Router\
If the communication between the endpoint computers and the management server is working correctly there should be very few, or even zero, message files (.MSG) in the folder. The number of pending messages can vary though, and a number of variables can affect how many messages are stored in this location. Messages can also be generated for disconnected or retired endpoints. Depending on the time-to-live (TTL) of the message, these may remain in the Envelopes directory for up to 2 weeks.
The presence of .MSG files in the Envelopes folder does not in itself represent a problem. However, a large number of .MSG files (large being defined as three times the number of managed endpoints or more) could indicate a problem that needs to be addressed. Deleting the .MSG files generally addresses only the symptom and not the cause, so this should be avoided whenever possible.
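The following PowerShell check is an added example, not Sophos code. It applies the two figures above (three times the number of managed endpoints, and the two-week maximum message lifetime) to the Envelopes folder without deleting anything. The parameter names are chosen for this example, and treating a file's last-write time as the message's age is an assumption.

```powershell
# Added example, not Sophos code. Read-only: counts and ages .MSG files, deletes nothing.
param(
    # Number of managed endpoints, supplied by the administrator.
    [Parameter(Mandatory = $true)]
    [ValidateRange(1, [int]::MaxValue)]
    [int]$ManagedEndpoints,

    # Default location given in this article, rooted at this system's ProgramData.
    [string]$EnvelopesPath = (Join-Path $env:ProgramData 'Sophos\Remote Management System\3\Router\Envelopes'),

    # The article defines "large" as 3x the number of managed endpoints or more.
    [int]$Multiplier = 3,

    # The article says messages may remain for up to 2 weeks, depending on TTL.
    [int]$MaxTtlDays = 14
)

if (-not (Test-Path -LiteralPath $EnvelopesPath -PathType Container)) {
    throw "Envelopes folder not found: $EnvelopesPath"
}

$now = Get-Date
# -Filter can also match longer extensions, so confirm the extension exactly.
$messages = @(Get-ChildItem -LiteralPath $EnvelopesPath -Filter '*.msg' -File |
    Where-Object { $_.Extension -ieq '.msg' })

# Assumption: a file's last-write time approximates when the message was queued.
$ages = @($messages | ForEach-Object { ($now - $_.LastWriteTime).TotalDays })
$threshold = $ManagedEndpoints * $Multiplier
$oldest = $messages | Sort-Object LastWriteTime | Select-Object -First 1

[pscustomobject]@{
    Path              = $EnvelopesPath
    PendingMessages   = $messages.Count
    Threshold         = $threshold
    BuildupSuspected  = ($messages.Count -ge $threshold)
    QueuedLastDay     = @($ages | Where-Object { $_ -lt 1 }).Count
    QueuedLastWeek    = @($ages | Where-Object { $_ -lt 7 }).Count
    OlderThanMaxTtl   = @($ages | Where-Object { $_ -gt $MaxTtlDays }).Count
    OldestMessageTime = if ($oldest) { $oldest.LastWriteTime } else { $null }
}
```

Running the check again a few minutes apart shows whether PendingMessages is falling or still growing.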
The first step in remediating a message delivery issue is to restart the Sophos services.
It may take a few minutes for the message count to start decreasing. If the issue is not resolved, please see below for more information on what to check.
Message buildup in the Envelopes directory may occur if the server does not have sufficient memory, processor, or disk I/O resources available. Below are some scenarios to consider:
Comply With | All Group Policies
If the Windows Firewall is enabled but not configured for use with the Remote Management System this may cause a delay in message delivery. See article 12340 for directions on configuring the Windows Firewall to avoid this.
In some situations where the boot volume is a small partition on the drive, it may be desirable to move the Envelopes directory to a different location. See article 113040 for directions on how to do this.
This is typically not related to a MSG buildup in the Envelopes folder. To investigate this further, see article 112127.
If the information in this article has not helped resolve the issue, please contact Technical Support for further assistance.