
The Sophos Agent service terminated unexpectedly. event id 7031

The Sophos Agent service terminated unexpectedly.  It has done this 61 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

On all 8 of our Citrix servers we are seeing this in the event logs.

Why is this happening and what is the fix for it?

Running Sophos Enterprise - client version 10.6



  • Hi,

    I would initially look in the Agent log file to see if that suggests anything.  These can be found: "C:\ProgramData\Sophos\Remote Management System\3\Agent\logs\".

    It might be worth setting:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Remote Management System\ManagementAgent

    LogLevel = 2  (DWORD)

    First to get more details in the logs as Level 2 = trace.

    Does it always have the same message before, same error, etc...?

    The second option is to obtain a dump of the process when it crashes.  You will probably need to send it to Support though as it may well require symbols/code to understand.

    The easiest way would be:
    1. Download procdump.exe - https://technet.microsoft.com/en-gb/sysinternals/dd996900.aspx

    2. Create the dir: "C:\dumps\"

    3. In an admin prompt run:
    procdump -ma -i c:\dumps

    This will register Procdump as the Just-in-Time (AeDebug) debugger.

    4. Next time it crashes you'll have a dump, possibly 2 in c:\dumps.  You can delete the second one.

    It might be worth getting a few to see if it's a consistent state.  The trace log at the same time would also be worth submitting.

    You can run:
    procdump -u

    Once dumps are captured to remove Procdump as the Just-in-Time (AeDebug) debugger.

    There is a good chance that the issue is with an adapter dll loaded by the ManagementAgentNT.exe process.  

    So even just opening up the dump in WinDbg, looking at the crashing stack at the modules, there is a good chance you will see the crashing adapter.   That would be one step closer.  The list of adapters can be found under: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Remote Management System\ManagementAgent\Adapters.

    Feel free to post the crash here and I can take a quick look.

    Regards,
    Jak
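
The steps in the reply above, collected into one script as an added example (not part of the original post and not Sophos or Sysinternals code). It also reads back the AeDebug registration and pairs each event ID 7031 entry with the dump files written around the same time. Assumed values: the `C:\Tools\procdump.exe` location, the 24-hour look-back and the five-minute matching window.

```powershell
# Added example. Run from an elevated PowerShell prompt.
$ProcdumpPath = 'C:\Tools\procdump.exe'   # assumption: where procdump.exe was saved
$DumpDir      = 'C:\dumps'
$AgentKey     = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\Remote Management System\ManagementAgent'

# 1. Trace logging for the agent (LogLevel = 2, DWORD), as suggested in the reply.
if (-not (Test-Path $AgentKey)) { throw "Agent key not found: $AgentKey" }
Set-ItemProperty -Path $AgentKey -Name 'LogLevel' -Value 2 -Type DWord

# 2. Create the dump directory, then register ProcDump as the
#    Just-in-Time (AeDebug) debugger writing full dumps into it.
New-Item -ItemType Directory -Path $DumpDir -Force | Out-Null
& $ProcdumpPath -accepteula -ma -i $DumpDir

# 3. Confirm the registration by reading back the AeDebug "Debugger" value
#    in both the native and the 32-bit (WOW6432Node) registry views.
$aeDebugKeys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
foreach ($key in $aeDebugKeys) {
    $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
    "{0}`n    Debugger = {1}" -f $key, $dbg
}

# 4. After the next crash: list event ID 7031 entries for the Sophos Agent
#    service and the dump files written within five minutes of each one.
$since   = (Get-Date).AddDays(-1)         # assumption: look back 24 hours
$crashes = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7031; StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -like '*Sophos Agent*' }

foreach ($c in $crashes) {
    $dumps = Get-ChildItem -Path $DumpDir -Filter '*.dmp' |
        Where-Object { [math]::Abs(($_.LastWriteTime - $c.TimeCreated).TotalMinutes) -le 5 }
    [pscustomobject]@{
        CrashTime = $c.TimeCreated
        Dumps     = ($dumps.Name -join ', ')
    }
}

# 5. Once dumps are captured, remove ProcDump as the AeDebug debugger:
# & $ProcdumpPath -u
```

`-ma` writes the full memory of the crashing process, so treat the files in `C:\dumps` as sensitive and restrict access to that folder until they have been handed to Support and deleted.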


     

  • Attachment: Agent-20170403-221640.log

    Here is a log from today where it's happening

    always the same message

    The Sophos Agent service terminated unexpectedly.  It has done this 27 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
