This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Endpoint - Service Sophos Autoupdate stopped

Hello,

 

we often have the problem with the service Sophos Autoupdate stopped. Sophos Enpoint is in error state until we re start the service manually (or restart the computer).

 

 

Can you help me to find a definitive solution? Thanks !



This thread was automatically locked due to age.
Parents
  • Have you checked if there is a group policy script that stops the service? I've seen before a broken deployment script that runs on each startup that disabled/stopped the service for some reason.

     

    Can we also see the AutoUpdate Service log file
    %ProgramData%\Sophos\AutoUpdate\Logs\susvc.log

    Regards,
    Jak

Reply
  • Have you checked if there is a group policy script that stops the service? I've seen before a broken deployment script that runs on each startup that disabled/stopped the service for some reason.

     

    Can we also see the AutoUpdate Service log file
    %ProgramData%\Sophos\AutoUpdate\Logs\susvc.log

    Regards,
    Jak

Children
  • jak said:

    Have you checked if there is a group policy script that stops the service? I've seen before a broken deployment script that runs on each startup that disabled/stopped the service for some reason.

     

    Can we also see the AutoUpdate Service log file
    %ProgramData%\Sophos\AutoUpdate\Logs\susvc.log

    Regards,
    Jak

     

    Hi Jack!

     

    Here the log susvc.log

     

    2020-01-27T13:20:45.025Z [14140: 6884] [v6.1.356.0] INFO =========================
    2020-01-27T13:20:45.025Z [14140: 6884] [v6.1.356.0] INFO Sophos Update Service is starting.
    2020-01-27T13:20:45.025Z [14140: 6884] [v6.1.356.0] INFO AutoUpdate version : 6.1.356.0
    2020-01-27T13:20:45.025Z [14140: 6884] [v6.1.356.0] INFO susvc version : 6.1.356.0
    2020-01-27T13:20:45.025Z [14140: 6884] [v6.1.356.0] INFO Build : 20190830114005-95a0922451e171e9dc54e46773bc3633f4b6b20b
    2020-01-27T13:20:45.025Z [14140: 6884] [v6.1.356.0] INFO =========================
    2020-01-27T13:20:45.025Z [14140: 6884] [v6.1.356.0] INFO Set process security...
    2020-01-27T13:20:45.025Z [14140: 6884] [v6.1.356.0] INFO Initialising module...
    2020-01-27T13:25:44.663Z [14140: 4784] [v6.1.356.0] INFO Startup delay expired; ready for first update
    2020-01-27T13:25:44.804Z [14140: 8960] [v6.1.356.0] INFO Started update [6588]: "C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\SophosUpdate.exe" -ScheduledUpdate -RootPath "C:\Program Files (x86)\Sophos\AutoUpdate\"
    2020-01-27T13:26:36.911Z [14140: 8960] [v6.1.356.0] INFO Finished update [6588]: exit 0
    2020-01-27T13:59:05.551Z [14140: 4784] [v6.1.356.0] INFO Scheduler thread is exiting
    2020-01-27T13:59:36.197Z [ 5340: 5344] [v6.1.356.0] INFO =========================
    2020-01-27T13:59:36.197Z [ 5340: 5344] [v6.1.356.0] INFO Sophos Update Service is starting.
    2020-01-27T13:59:36.197Z [ 5340: 5344] [v6.1.356.0] INFO AutoUpdate version : 6.1.356.0
    2020-01-27T13:59:36.197Z [ 5340: 5344] [v6.1.356.0] INFO susvc version : 6.1.356.0
    2020-01-27T13:59:36.198Z [ 5340: 5344] [v6.1.356.0] INFO Build : 20190830114005-95a0922451e171e9dc54e46773bc3633f4b6b20b
    2020-01-27T13:59:36.198Z [ 5340: 5344] [v6.1.356.0] INFO =========================
    2020-01-27T13:59:36.198Z [ 5340: 5344] [v6.1.356.0] INFO Set process security...
    2020-01-27T13:59:36.198Z [ 5340: 5344] [v6.1.356.0] INFO Initialising module...
    2020-01-27T13:59:54.930Z [ 5340: 6968] [v6.1.356.0] INFO Shutting down before expiry of startup delay
    2020-01-27T13:59:54.930Z [ 5340: 6968] [v6.1.356.0] INFO Scheduler thread is exiting
    2020-01-27T14:08:42.350Z [10020: 4748] [v6.1.356.0] INFO =========================
    2020-01-27T14:08:42.350Z [10020: 4748] [v6.1.356.0] INFO Sophos Update Service is starting.
    2020-01-27T14:08:42.350Z [10020: 4748] [v6.1.356.0] INFO AutoUpdate version : 6.1.356.0
    2020-01-27T14:08:42.350Z [10020: 4748] [v6.1.356.0] INFO susvc version : 6.1.356.0
    2020-01-27T14:08:42.350Z [10020: 4748] [v6.1.356.0] INFO Build : 20190830114005-95a0922451e171e9dc54e46773bc3633f4b6b20b
    2020-01-27T14:08:42.350Z [10020: 4748] [v6.1.356.0] INFO =========================
    2020-01-27T14:08:42.350Z [10020: 4748] [v6.1.356.0] INFO Set process security...
    2020-01-27T14:08:42.350Z [10020: 4748] [v6.1.356.0] INFO Initialising module...
    2020-01-27T14:13:42.467Z [10020:11572] [v6.1.356.0] INFO Startup delay expired; ready for first update
    2020-01-27T14:13:42.597Z [10020:11836] [v6.1.356.0] INFO Started update [1748]: "C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\SophosUpdate.exe" -ScheduledUpdate -RootPath "C:\Program Files (x86)\Sophos\AutoUpdate\"
    2020-01-27T14:14:24.528Z [10020:11836] [v6.1.356.0] INFO Finished update [1748]: exit 0
    2020-01-27T14:17:49.524Z [10020:11572] [v6.1.356.0] INFO Scheduler thread is exiting
    2020-01-27T15:13:07.234Z [ 5392: 5396] [v6.1.356.0] INFO =========================
    2020-01-27T15:13:07.234Z [ 5392: 5396] [v6.1.356.0] INFO Sophos Update Service is starting.
    2020-01-27T15:13:07.234Z [ 5392: 5396] [v6.1.356.0] INFO AutoUpdate version : 6.1.356.0
    2020-01-27T15:13:07.235Z [ 5392: 5396] [v6.1.356.0] INFO susvc version : 6.1.356.0
    2020-01-27T15:13:07.235Z [ 5392: 5396] [v6.1.356.0] INFO Build : 20190830114005-95a0922451e171e9dc54e46773bc3633f4b6b20b
    2020-01-27T15:13:07.235Z [ 5392: 5396] [v6.1.356.0] INFO =========================
    2020-01-27T15:13:07.235Z [ 5392: 5396] [v6.1.356.0] INFO Set process security...
    2020-01-27T15:13:07.235Z [ 5392: 5396] [v6.1.356.0] INFO Initialising module...
    2020-01-27T15:13:18.140Z [ 5392: 6620] [v6.1.356.0] INFO Shutting down before expiry of startup delay
    2020-01-27T15:13:18.141Z [ 5392: 6620] [v6.1.356.0] INFO Scheduler thread is exiting
    2020-01-28T07:58:35.971Z [ 5304: 5308] [v6.1.356.0] INFO =========================
    2020-01-28T07:58:35.972Z [ 5304: 5308] [v6.1.356.0] INFO Sophos Update Service is starting.
    2020-01-28T07:58:35.972Z [ 5304: 5308] [v6.1.356.0] INFO AutoUpdate version : 6.1.356.0
    2020-01-28T07:58:35.972Z [ 5304: 5308] [v6.1.356.0] INFO susvc version : 6.1.356.0
    2020-01-28T07:58:35.972Z [ 5304: 5308] [v6.1.356.0] INFO Build : 20190830114005-95a0922451e171e9dc54e46773bc3633f4b6b20b
    2020-01-28T07:58:35.972Z [ 5304: 5308] [v6.1.356.0] INFO =========================
    2020-01-28T07:58:35.972Z [ 5304: 5308] [v6.1.356.0] INFO Set process security...
    2020-01-28T07:58:35.972Z [ 5304: 5308] [v6.1.356.0] INFO Initialising module...
    2020-01-28T07:58:50.922Z [ 5304: 6592] [v6.1.356.0] INFO Shutting down before expiry of startup delay
    2020-01-28T07:58:50.923Z [ 5304: 6592] [v6.1.356.0] INFO Scheduler thread is exiting
    2020-01-28T08:05:23.676Z [13024:11896] [v6.1.356.0] INFO =========================
    2020-01-28T08:05:23.676Z [13024:11896] [v6.1.356.0] INFO Sophos Update Service is starting.
    2020-01-28T08:05:23.676Z [13024:11896] [v6.1.356.0] INFO AutoUpdate version : 6.1.356.0
    2020-01-28T08:05:23.677Z [13024:11896] [v6.1.356.0] INFO susvc version : 6.1.356.0
    2020-01-28T08:05:23.677Z [13024:11896] [v6.1.356.0] INFO Build : 20190830114005-95a0922451e171e9dc54e46773bc3633f4b6b20b
    2020-01-28T08:05:23.677Z [13024:11896] [v6.1.356.0] INFO =========================
    2020-01-28T08:05:23.677Z [13024:11896] [v6.1.356.0] INFO Set process security...
    2020-01-28T08:05:23.677Z [13024:11896] [v6.1.356.0] INFO Initialising module...
    2020-01-28T08:05:23.824Z [13024:13728] [v6.1.356.0] INFO Started update [13736]: "C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\SophosUpdate.exe" -ManualUpdate -RootPath "C:\Program Files (x86)\Sophos\AutoUpdate\"
    2020-01-28T08:06:36.475Z [13024:13728] [v6.1.356.0] INFO Finished update [13736]: exit 0
    2020-01-28T08:10:24.650Z [13024:13612] [v6.1.356.0] INFO Startup delay expired; ready for first update
    2020-01-28T08:23:48.132Z [13024:13612] [v6.1.356.0] INFO Scheduler thread is exiting
    2020-01-28T08:24:15.499Z [ 5292: 5296] [v6.1.356.0] INFO =========================
    2020-01-28T08:24:15.499Z [ 5292: 5296] [v6.1.356.0] INFO Sophos Update Service is starting.
    2020-01-28T08:24:15.499Z [ 5292: 5296] [v6.1.356.0] INFO AutoUpdate version : 6.1.356.0
    2020-01-28T08:24:15.500Z [ 5292: 5296] [v6.1.356.0] INFO susvc version : 6.1.356.0
    2020-01-28T08:24:15.500Z [ 5292: 5296] [v6.1.356.0] INFO Build : 20190830114005-95a0922451e171e9dc54e46773bc3633f4b6b20b
    2020-01-28T08:24:15.500Z [ 5292: 5296] [v6.1.356.0] INFO =========================
    2020-01-28T08:24:15.500Z [ 5292: 5296] [v6.1.356.0] INFO Set process security...
    2020-01-28T08:24:15.500Z [ 5292: 5296] [v6.1.356.0] INFO Initialising module...
    2020-01-28T08:24:33.329Z [ 5292: 6924] [v6.1.356.0] INFO Shutting down before expiry of startup delay
    2020-01-28T08:24:33.329Z [ 5292: 6924] [v6.1.356.0] INFO Scheduler thread is exiting

  • Hi  

    When you try to start the service manually, is there any event generated, could you please check under event logs. Also, could you please run this command and paste the results over here. 

    REG QUERY HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall /s /f SOPHOS

    Shweta

    Community Support Engineer | Sophos Technical Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
    The New Home of Sophos Support Videos! - Visit Sophos Techvids
  • There is no error, but I find it odd looking at these 4 service starts followed by the service stopping.

    Note: The message: "Shutting down before expiry of startup delay", suggests that the service has stopped within 5 minutes of startup as 5 mins is the default startup delay.

    =====
    2020-01-27T13:59:36.197Z [ 5340: 5344] [v6.1.356.0] INFO Sophos Update Service is starting.
    2020-01-27T13:59:36.197Z [ 5340: 5344] [v6.1.356.0] INFO AutoUpdate version : 6.1.356.0
    2020-01-27T13:59:36.197Z [ 5340: 5344] [v6.1.356.0] INFO susvc version : 6.1.356.0
    2020-01-27T13:59:36.198Z [ 5340: 5344] [v6.1.356.0] INFO Build : 20190830114005-95a0922451e171e9dc54e46773bc3633f4b6b20b
    2020-01-27T13:59:36.198Z [ 5340: 5344] [v6.1.356.0] INFO =========================
    2020-01-27T13:59:36.198Z [ 5340: 5344] [v6.1.356.0] INFO Set process security...
    2020-01-27T13:59:36.198Z [ 5340: 5344] [v6.1.356.0] INFO Initialising module...

    2020-01-27T13:59:54.930Z [ 5340: 6968] [v6.1.356.0] INFO Shutting down before expiry of startup delay

    18 seconds after starting, the service is stopped

     

    Example 2:

    =====

    2020-01-27T15:13:07.234Z [ 5392: 5396] [v6.1.356.0] INFO Sophos Update Service is starting.
    2020-01-27T15:13:07.234Z [ 5392: 5396] [v6.1.356.0] INFO AutoUpdate version : 6.1.356.0
    2020-01-27T15:13:07.235Z [ 5392: 5396] [v6.1.356.0] INFO susvc version : 6.1.356.0
    2020-01-27T15:13:07.235Z [ 5392: 5396] [v6.1.356.0] INFO Build : 20190830114005-95a0922451e171e9dc54e46773bc3633f4b6b20b
    2020-01-27T15:13:07.235Z [ 5392: 5396] [v6.1.356.0] INFO =========================
    2020-01-27T15:13:07.235Z [ 5392: 5396] [v6.1.356.0] INFO Set process security...
    2020-01-27T15:13:07.235Z [ 5392: 5396] [v6.1.356.0] INFO Initialising module...

    2020-01-27T15:13:18.140Z [ 5392: 6620] [v6.1.356.0] INFO Shutting down before expiry of startup delay

    11 seconds after starting, the service is stopped

    =====

    Example 3

    =====

    2020-01-28T07:58:35.972Z [ 5304: 5308] [v6.1.356.0] INFO Sophos Update Service is starting.
    2020-01-28T07:58:35.972Z [ 5304: 5308] [v6.1.356.0] INFO AutoUpdate version : 6.1.356.0
    2020-01-28T07:58:35.972Z [ 5304: 5308] [v6.1.356.0] INFO susvc version : 6.1.356.0
    2020-01-28T07:58:35.972Z [ 5304: 5308] [v6.1.356.0] INFO Build : 20190830114005-95a0922451e171e9dc54e46773bc3633f4b6b20b
    2020-01-28T07:58:35.972Z [ 5304: 5308] [v6.1.356.0] INFO =========================
    2020-01-28T07:58:35.972Z [ 5304: 5308] [v6.1.356.0] INFO Set process security...
    2020-01-28T07:58:35.972Z [ 5304: 5308] [v6.1.356.0] INFO Initialising module...

    2020-01-28T07:58:50.922Z [ 5304: 6592] [v6.1.356.0] INFO Shutting down before expiry of startup delay

    25 seconds after starting, the service is stopped

    =====

    2020-01-28T08:24:15.499Z [ 5292: 5296] [v6.1.356.0] INFO Sophos Update Service is starting.
    2020-01-28T08:24:15.499Z [ 5292: 5296] [v6.1.356.0] INFO AutoUpdate version : 6.1.356.0
    2020-01-28T08:24:15.500Z [ 5292: 5296] [v6.1.356.0] INFO susvc version : 6.1.356.0
    2020-01-28T08:24:15.500Z [ 5292: 5296] [v6.1.356.0] INFO Build : 20190830114005-95a0922451e171e9dc54e46773bc3633f4b6b20b
    2020-01-28T08:24:15.500Z [ 5292: 5296] [v6.1.356.0] INFO =========================
    2020-01-28T08:24:15.500Z [ 5292: 5296] [v6.1.356.0] INFO Set process security...
    2020-01-28T08:24:15.500Z [ 5292: 5296] [v6.1.356.0] INFO Initialising module...

    2020-01-28T08:24:33.329Z [ 5292: 6924] [v6.1.356.0] INFO Shutting down before expiry of startup delay

    18 seconds after starting it's stopped.

    ======

    It would be interesting to correlate the computer starting up with these logs.  For example, the service could start on update if the AutoUpdate component updates itself which isn't very often and from the log provided it's all the same version in these logs.

    So I have to assume that the computer has started up, the Sophos AutoUpdate service has started but then, 18, 11, 25 and 18 seconds later the service has stopped.  The AutoUpdate service is an auto-start service, so as part of the startup I believe a process is stopping it, maybe a startup script.

    I would probably gather a Process Monitor boot trace of the computer to see what processes/scripts get executed when the service is stopped. You should see a process exit event for alsvc.exe as a way of seeing when the service stops.  The problem should be between the Process Start for alsvc.exe and the process exit.

    Regards,

    Jak

  • Hello  

    Have you also had the chance to look into Event Viewer logs that might pinpoint the reason why the AU service would stop even if it has been set to Delayed Start?

    Would be interesting to know if there are any errors there.

  • Hi  , i checked the script (for the automatic installation) and i founded the reason of the stopping service, at the begining, it was net stop "Sophos AutoUpdate Service"

    Because when we migrate all computers (2 years ago) during the migration of our system to central, we need to stop it. After the migration, this script not change because it's installing automatically the Sophos Enpoint. I cleaned the script and i'm sure it will be solved now! 

     

     

    Seems Ok now!