Sophos Network Threat Protection Service won't start

 Hi Folks.

 

I have a customer saying one of his managed endpoints' (Windows 10) Network Threat Protection Service is not running and when manually restart is clicked nothing happens.

I've googled around a bit; it seems like no one has seen this issue before?

The endpoint in question belongs to my customer's CIO so I have arranged an onsite session for troubleshooting.

The thing is that about two months ago this CIO's laptop was having issues getting the endpoint reinstalled (due to an improper uninstall procedure) and I had to go into safe mode and delete all related registry keys to fix the issue.

And everything worked for a while until a couple of weeks ago, when my customer informed me that the service had stopped working.

What should I be looking at when I am troubleshooting this particular issue? I know the CIO will be asking me when has that specific service stopped working out of the blue.

I would like to prepare some answers for him. Also, I am avoiding going through reinstalling everything here.

Do you guys think I can remove Sophos Network Protection from Programs and Features and initiate AutoUpdate to have the component be reinstalled again and resolve the issue?

tl;dr: Sophos Network Threat Protection service stopped working and can't be restarted on CIO's Win 10 laptop. Will be onsite to troubleshoot. Need some advice.

 

Thanks

 

po



This thread was automatically locked due to age.
  • Hello po,

    when manually restart is clicked nothing happens
    You should get the pop-up with the progress bar. You don't even get the pop-up or you do, it closes, and subsequently it's still (or rather again) in the stopped state, i.e. Status blank? There should be entries in the Windows System Event (and perhaps Application) log. It likely doesn't get as far as writing to its log in %ProgramData%\Sophos\Sophos Network Threat Protection\Logs\ but you should check this as well.

    Christian

  • I would run Process Monitor [https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx] when starting the service.  Be sure to include the System process in the default filter, it is excluded by default.

    If you capture the service successfully starting on a computer of the same OS and then the failing computer you can play spot the difference.

    When analysing, I would start by looking at the load image events for the process to get a sense of alignment between the 2 logs and where to start.

    You can also run a tool such as API Monitor - http://www.rohitab.com/apimonitor - this will give you results of API calls.  A PML, an API Monitor trace comparing both machines would be something to start with.

    Regards,

    Jak
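
The "spot the difference" comparison Jak describes can be scripted once both Process Monitor traces are exported as CSV. The following is an added example, not part of the original thread or of any Sophos tooling; it assumes the default CSV export columns, and the process name `ExampleSvc.exe` and every path in the sample traces are constructed placeholders.

```python
import csv
import io

HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'

def row(op, path, result, proc="ExampleSvc.exe"):
    return f'"10:00:00.0","{proc}","1","{op}","{path}","{result}",""\n'

# Constructed traces (placeholder process, time, PID and paths): the service
# starting on a working machine and on the failing one.
GOOD_CSV = "\ufeff" + HEADER + "".join([
    row("Load Image", r"C:\Program Files\Example\ExampleSvc.exe", "SUCCESS"),
    row("Load Image", r"C:\Windows\System32\ntdll.dll", "SUCCESS"),
    row("RegOpenKey", r"HKLM\SOFTWARE\Example\Config", "SUCCESS"),
    row("Load Image", r"C:\Program Files\Example\engine.dll", "SUCCESS"),
])
BAD_CSV = "\ufeff" + HEADER + "".join([
    row("Load Image", r"C:\Program Files\Example\ExampleSvc.exe", "SUCCESS"),
    row("Load Image", r"C:\WINDOWS\system32\ntdll.dll", "SUCCESS"),
    row("RegOpenKey", r"HKLM\SOFTWARE\Example\Config", "NAME NOT FOUND"),
    row("Process Exit", "", "SUCCESS"),
])

def load(text, process):
    """Rows for one process; a leading byte-order mark, if present, is dropped."""
    rows = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))
    return [r for r in rows if r["Process Name"].lower() == process.lower()]

def images(rows):
    # Ordered, case-folded paths of the Load Image events.
    return [r["Path"].lower() for r in rows if r["Operation"] == "Load Image"]

def compare(good_text, bad_text, process):
    good, bad = load(good_text, process), load(bad_text, process)
    g_img, b_img = images(good), images(bad)
    common = 0  # length of the shared prefix of the two load-image sequences
    for g, b in zip(g_img, b_img):
        if g != b:
            break
        common += 1
    ok_in_good = {(r["Operation"], r["Path"].lower()) for r in good if r["Result"] == "SUCCESS"}
    return {
        "last_common_image": g_img[common - 1] if common else None,
        "missing_images": [p for p in g_img if p not in b_img],
        # Operations that succeeded on the working machine but not on the failing one.
        "new_failures": [(r["Operation"], r["Path"], r["Result"]) for r in bad
                         if r["Result"] != "SUCCESS" and (r["Operation"], r["Path"].lower()) in ok_in_good],
    }

if __name__ == "__main__":
    print(compare(GOOD_CSV, BAD_CSV, "ExampleSvc.exe"))
```
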

  • Hi Jak,

     

    Thanks for the information. I will have to get myself comfortable around Process Monitor first.

     

    I'll keep you guys updated about the results.