
The Sophos Agent service terminated unexpectedly. event id 7031

The Sophos Agent service terminated unexpectedly.  It has done this 61 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

On all 8 of our Citrix servers we are seeing this in the event logs.

Why is this happening and what is the fix for it?

Running Sophos Enterprise - client version 10.6



  • Hi,

    I would initially look in the Agent log file to see if that suggests anything.  These can be found: "C:\ProgramData\Sophos\Remote Management System\3\Agent\logs\".

    It might be worth setting:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Remote Management System\ManagementAgent

    LogLevel = 2  (DWORD)

    First to get more details in the logs as Level 2 = trace.

    Does it always have the same message before, same error, etc...?

    The second option is to obtain a dump of the process when it crashes.  You will probably need to send it to Support though as it may well require symbols/code to understand.

    The easiest way would be:
    1. Download procdump.exe - https://technet.microsoft.com/en-gb/sysinternals/dd996900.aspx

    2. Create the dir: "C:\dumps\"

    3. In an admin prompt run:
    procdump -ma -i c:\dumps

    This will register Procdump as the Just-in-Time (AeDebug) debugger.

    4. Next time it crashes you'll have a dump, possibly 2 in c:\dumps.  You can delete the second one.

    It might be worth getting a few to see if it's a consistent state.  The trace log at the same time would also be worth submitting.

    You can run:
    procdump -u

    Once dumps are captured to remove Procdump as the Just-in-Time (AeDebug) debugger.

    There is a good chance that the issue is with an adapter dll loaded by the ManagementAgentNT.exe process.  

    So even just opening up the dump in WinDbg and looking at the crashing stack and the modules, there is a good chance you will see the crashing adapter.   That would be one step closer.  The list of adapters can be found under: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Remote Management System\ManagementAgent\Adapters.

    Feel free to post the crash here and I can take a quick look.

    Regards,
    Jak
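
The diagnostic steps from the reply above, collected into one PowerShell script as an added example (not code from the thread or from Sophos). It assumes procdump.exe is on PATH, that Agent logs are named Agent-*.log like the file attached in the next reply, and that the log last written before each event 7031 belongs to the crashed instance; the five-minute dump window is also an assumption.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
$rmsKey  = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\Remote Management System\ManagementAgent'
$logDir  = 'C:\ProgramData\Sophos\Remote Management System\3\Agent\logs'
$dumpDir = 'C:\dumps'
$aeDebug = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'

# Trace logging, as in the reply: LogLevel = 2 (DWORD).
Set-ItemProperty -Path $rmsKey -Name LogLevel -Value 2 -Type DWord

# Register ProcDump as the Just-in-Time (AeDebug) debugger, then show what is
# registered in the 64-bit and 32-bit registry views.
New-Item -ItemType Directory -Path $dumpDir -Force | Out-Null
& procdump.exe -ma -i $dumpDir
$aeDebug | ForEach-Object {
    (Get-ItemProperty -Path $_ -Name Debugger -ErrorAction SilentlyContinue).Debugger
}

# Adapters registered for ManagementAgentNT.exe, to compare with the modules on
# the crashing stack. Subkeys and values are both listed because the thread
# does not say which form the entries take.
$adapters = Get-Item "$rmsKey\Adapters"
$adapters.GetSubKeyNames() + $adapters.GetValueNames()

# Every "Sophos Agent service terminated unexpectedly" event (ID 7031).
$crashes = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Sophos Agent*' } | Sort-Object TimeCreated

foreach ($crash in $crashes) {
    $t = $crash.TimeCreated
    "=== Sophos Agent crash recorded at $t ==="
    # Dumps written within five minutes of the event (assumed window).
    Get-ChildItem $dumpDir -Filter *.dmp -ErrorAction SilentlyContinue |
        Where-Object { [math]::Abs(($_.LastWriteTime - $t).TotalMinutes) -le 5 } |
        Format-Table Name, Length, LastWriteTime -AutoSize | Out-String
    # Tail of the Agent log last written before the event, to check whether the
    # same message precedes every crash.
    $log = Get-ChildItem $logDir -Filter 'Agent-*.log' |
        Where-Object { $_.LastWriteTime -le $t.AddSeconds(30) } |
        Sort-Object LastWriteTime | Select-Object -Last 1
    if ($log) { "--- tail of $($log.Name) ---"; Get-Content $log.FullName -Tail 25 }
}
```

Dumps written with -ma contain the full memory of the process, so keep C:\dumps readable by administrators only and run procdump -u once the dumps are captured.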


     

  • Agent-20170403-221640.log

    Here is a log from today where it's happening

    always the same message

    The Sophos Agent service terminated unexpectedly.  It has done this 27 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

  • I'm seeing this as well.  In addition, I'm getting Event id: 16002;

    "Closing a UDP socket with local port number 49792 in process 8020 is taking longer than expected. The local port number may not be available until the close operation is completed. This happens typically due to misbehaving network drivers. Ensure latest updates are installed for Windows and any third-party networking software including NIC drivers, firewalls, or other security products. "

    I found these events because I'm having issues with the internet on my new VDIs.  When you first log in and open the internet, the home page fails to load.  It just sits there and never loads anything.  I then have to close the browser (happening in Edge, IE & Chrome) and reopen it for pages to start loading.

    Since uninstalling Sophos from my test VDI, everything works as it should and I'm no longer getting the above events.

    I would love to know what is causing this, so that I can re-install Sophos on my VDIs!

    Matt

  • UPDATE:  I found that the latest versions of Malwarebytes and Sophos do not play well together.  After uninstalling MB, all browsers started working and I'm no longer seeing these events.

    Matt