Device not showing in Sophos Central

Hi Guys,

Have an issue with an endpoint not showing up in Sophos, tried running an update but the machine is not showing up.

 

I cannot re-install the agent as tamper protection has gone through already to the device, but because I cannot see it in the portal this cannot be disabled.

 

I have tried booting up with it on power, I have tried running update but no luck.

 

Kind regards

Lee

  • Does the computer have an identity yet?  

    If you look under the 'persist' folder at the client (\programdata\sophos\management communication system\endpoint\persist\), there is an endpointidentity text file which has the unique ID of the endpoint.

    If you look at the Computers view in Central, i.e. https://cloud.sophos.com/manage/devices/computers/all/computers, when you click on a computer, the URL changes to something like:
    https://cloud.sophos.com/manage/devices/computers/fe573325-47a5-f489-aa1e-65776c2158ac/summary
    The unique ID part should be the same as the endpoint. You could just log in and construct the URL as above based on the identity ID at the client if it has one.

    Beyond that, the mcsclient log (\programdata\sophos\management communication system\endpoint\logs\) would be the best place to start looking for errors as it's the mcsclient.exe process that talks to Central.  You should see the registration take place and the http requests.

    Regards,

    Jak
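
The lookup Jak describes, as an added PowerShell example that is not part of the original post: it reads the endpoint identity, builds the matching Central URL, and lists recent log lines that mention errors. The file names `EndpointIdentity.txt` and `McsClient.log` and the function names are assumptions; the folder path is the one written in the post.

```powershell
# Added example, not from the thread. Read-only; run from an elevated prompt.
# Assumptions: the file names EndpointIdentity.txt and McsClient.log, and the
# folder path as written in the post (adjust if it differs on your install).
$McsRoot = Join-Path $env:ProgramData 'Sophos\Management Communication System\Endpoint'

function Get-CentralDeviceUrl {
    param([Parameter(Mandatory)][string]$IdentityFile)
    try {
        $raw = Get-Content -LiteralPath $IdentityFile -Raw -ErrorAction Stop
    } catch [System.UnauthorizedAccessException] {
        # Reported later in the thread: the folder is locked while tamper protection is on.
        Write-Warning "Access denied to $IdentityFile"
        return $null
    } catch {
        Write-Warning "Cannot read ${IdentityFile}: $($_.Exception.Message)"
        return $null
    }
    # The identity is a GUID; tolerate whitespace or other text around it.
    if ($raw -match '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}') {
        return 'https://cloud.sophos.com/manage/devices/computers/{0}/summary' -f $Matches[0].ToLower()
    }
    Write-Warning "No GUID found in $IdentityFile, so the endpoint has no identity to look up."
    return $null
}

function Get-McsLogProblem {
    param([Parameter(Mandatory)][string]$LogFile, [int]$Last = 20)
    if (-not (Test-Path -LiteralPath $LogFile)) {
        Write-Warning "Log not found or not readable: $LogFile"
        return
    }
    # 'error|fail' is a plain text match chosen for this example, not a documented log format.
    Select-String -LiteralPath $LogFile -Pattern 'error|fail' -ErrorAction SilentlyContinue |
        Select-Object -Last $Last |
        ForEach-Object { '{0}: {1}' -f $_.LineNumber, $_.Line.Trim() }
}

$url = Get-CentralDeviceUrl -IdentityFile (Join-Path $McsRoot 'Persist\EndpointIdentity.txt')
if ($url) { "Open in Central: $url" }
Get-McsLogProblem -LogFile (Join-Path $McsRoot 'Logs\McsClient.log')
```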

  • Hi Lee,

    Any update on this issue?

    Thanks and Regards

    Aditya Patel 

  • I'm having the same issue.  You can't even get to the EndPoint folder because the security permissions are locked down (i.e. access denied to this folder) until you disable tamper protection.  So how are we expected to get these types of issues complete if we can't access anything to do so?

  • Tried this and it worked for me:

    PHASE 1:

    To recover a tamper protected system, you must disable Enhanced Tamper Protection.

    Do the following:

        Boot the system into Safe Mode.

        Click Start > Run and type regedit and then click OK.

        Go to the following location in the registry editor:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the REG_DWORD Start to 0x00000004

        Go to the following location in the registry editor:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config

        Set the following DWORD values to 0: SAVEnabled and SEDEnabled

        Reboot the system in normal mode.

    Taken from Article 124377

    PHASE 2:

    Then I went to uninstall and got an uninstall error so I created a batch file with the following:

    net stop "Sophos Anti-Virus"
    net stop "Sophos AutoUpdate Service"
    :Sophos AutoUpdate
    MsiExec.exe /qn /X{7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{BCF53039-A7FC-4C79-A3E3-437AE28FD918} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{9D1B8594-5DD2-4CDC-A5BD-98E7E9D75520} REBOOT=ReallySuppress
    :Sophos Anti-Virus (Endpoint)
    MsiExec.exe /qn /X{8123193C-9000-4EEB-B28A-E74E779759FA} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{36333618-1CE1-4EF2-8FFD-7F17394891CE} REBOOT=ReallySuppress
    :Sophos Anti-Virus (Server)
    MsiExec.exe /qn /X{72E30858-FC95-4C87-A697-670081EBF065} REBOOT=ReallySuppress
    :Sophos System Protection
    MsiExec.exe /qn /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} REBOOT=ReallySuppress
    :Sophos Network Threat Protection
    MsiExec.exe /qn /X{66967E5F-43E8-4402-87A4-04685EE5C2CB} REBOOT=ReallySuppress
    :Sophos Health
    MsiExec.exe /qn /X{A5CCEEF1-B6A7-4EB4-A826-267996A62A9E} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44} REBOOT=ReallySuppress
    :SDU (1.x)
    MsiExec.exe /qn /X{4627F5A1-E85A-4394-9DB3-875DF83AF6C2} REBOOT=ReallySuppress
    :Heartbeat
    MsiExec.exe /qn /X{DFFA9361-3625-4219-82C2-9EF011E433B1} REBOOT=ReallySuppress
    :Sophos Management Communications System
    MsiExec.exe /qn /X{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{1FFD3F20-5D24-4C9A-B9F6-A207A53CF179} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{D875F30C-B469-4998-9A08-FE145DD5DC1A} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{2C14E1A2-C4EB-466E-8374-81286D723D3A} REBOOT=ReallySuppress

    Run that

    PHASE 3:

    It was still showing up in the Control Panel/Uninstall Programs which prevented installation again.  Run Microsoft's fix it:

    https://support.microsoft.com/en-us/help/17588/fix-problems-that-block-programs-from-being-installed-or-removed

    Choose Sophos and uninstall. 
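
A read-only check of the registry values named in Phase 1, added here as an example and not part of the original post: it reports whether a machine is still sitting in the recovery state (MCS agent service disabled, tamper protection values at 0) once the reinstall is done. The function name and the state labels are hypothetical.

```powershell
# Added example, not from the thread. Read-only: nothing is written to the registry.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$checks = @(
    # Start = 4 is the Windows "service disabled" start type set in Phase 1.
    @{ Key = "$services\Sophos MCS Agent"; Name = 'Start'; Off = 4 }
    # 0 is the value Phase 1 sets to switch tamper protection off.
    @{ Key = "$services\Sophos Endpoint Defense\TamperProtection\Config"; Name = 'SAVEnabled'; Off = 0 }
    @{ Key = "$services\Sophos Endpoint Defense\TamperProtection\Config"; Name = 'SEDEnabled'; Off = 0 }
)

function Get-SophosRecoveryState {
    foreach ($c in $checks) {
        $value = $null
        try {
            $value = (Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction Stop).($c.Name)
            $state = if ($value -eq $c.Off) { 'RecoveryValue' } else { 'OtherValue' }
        } catch {
            # Key or value missing (product removed) or access denied.
            $state = 'Unreadable'
        }
        [pscustomobject]@{ Name = $c.Name; Value = $value; State = $state; Key = $c.Key }
    }
}

$report = @(Get-SophosRecoveryState)
$report | Format-Table Name, Value, State, Key -AutoSize

$left = @($report | Where-Object State -eq 'RecoveryValue')
if ($left.Count -gt 0) {
    Write-Warning ('{0} value(s) still hold the Phase 1 setting: the MCS agent or tamper protection is off on this machine.' -f $left.Count)
}
```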

  • In reply to Kyle Bigelow:

    Hi Kyle,

    Thank you for posting such detailed steps to remove Endpoint from your Windows system.

    Thanks and Regards

    Aditya Patel | Network and security Engineer.

  • Hi Guys,

    I managed to find the following fix

    1: open services.msc

    2: stop Sophos Anti-Virus

    3: open Notepad as admin

    4: open C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml

    5: Find the below and change xxxxxxxxx to E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73

    </DeviceControlManager>
    <TamperProtectionManagement><settings>
    <password>xxxxxxxxx</password><enabled>true</enabled></settings>
    </TamperProtectionManagement>

    6: start Sophos Anti-Virus

    7: open Sophos and the password will be password