Installation of beta Endpoint needs several reboots and impacts applications

Hi all,

 

we take part in the EDR beta as this is the only way to put user information from Sophos Central to XG firewall with newest SFOS 17.5.

Unfortunately the deployment of the beta Endpoint needs more than one reboot on every machine. Some needed 3 reboots. Problem is that the users don't see this except when they open the Endpoint application from SysTray and that the pending reboots heavily impact applications on the computers. Users weren't able to work properly with these applications and got several error messages.

We never had issues with updates to the Endpoint but this is a real problem. I hope it only needs one reboot without impact to the running system when it becomes public.

 

Regards, Jelle

  • Hi Jelle,

    Just trying to better understand the situation here.  For the endpoints you are testing from were these already running the Sophos Central Endpoint and Intercept X?  I gather you are saying after you enrolled your endpoints into the Early Access Program new software was deployed and you were asked to reboot multiple times?  Can you give some detail in terms of when you were seeing this as well?  I know we have updated the endpoint a few times as of late, I'm wondering if you had added some endpoints to the EAP performed initial reboots, then due to new software being deployed due to Sophos making an update this gives the appearance another reboot was required when the reality is it was more related to new software being available.   I can say for sure we are have been updating the endpoint software for EAP customers more much more frequently then we typically would so I do suspect that is part of the problem here.

    Thanks,

     

    Kevin

  • In reply to Kevin Kingston:

    Hi Kevin,

    thanks for looking into this.

    All endpoints were already running Sophos Central Endpoint and Intercept X. All endpoints should have had the latest official version installed. Didn't check that but all systems are auto updated.

    After adding a few endpoints to the EAP the software on these was updated with Core Agent 2.2.1 Beta and Endpoint Advanced, I think 10.8.3 Beta. Not sure because Core Agent updated to 2.2.2 Beta in the meantime and I don't know if Endpoint Advanced also got an update.

    The installation of the beta software required a reboot (reported by Sophos software) and at this point some applications started to behave strange. Some had errors. So I instructed the affected people to reboot their endpoints, but most of them still had issues. So I took a look at the endpoints and saw they / Sophos still neded a reboot. So the endpoint was rebooted again.

    Some endpoints needed at least one more reboot until everything worked as expected and Sophos software wasn't requesting a reboot.

    As far as I can see no update was provided by Sophos during this process as this was all happening during a few hours.

    The real problem is not that it required more than one reboot but that applications were heavily impacted.

    Does this answer your questions?

    Thanks,

  • In reply to Jelle:

    Thanks Jelle, 

    I guess what would also be helpful is if you could give some details on what applications started to behave strangely, you also mentiond some errors, can you detail errors you were seeing?  You mentioned after rebooting some were still having issues, again can you maybe describe those issues?

    Cheers,

    Kevin

     

  • In reply to Kevin Kingston:

    Hi Kevin,

     

    Sorry to return lately. About the reboots: Some had to reboot after Sophos Endpoint update and after the reboot Sophos Endpoint needed another reboot and then another one. I never saw this before but they definitely were asked to reboot up to 3 times. The problems with the applications were the same until Sophos Endpoint was finally up to date.

    Difficult to explain what happened to the applications. It was mainly our ERP software which was not working correctly. It seems it were database connection problems throwing errors in the application. So the application tried to read from or write to the database which didn't work properly.

    Sophos Endpoint didn't put anything about this in the logfiles like exploit detection etc. It just didn't work.