windows agent reporting services not running yet central shows OK

core 2.5.4 beta

Windows 10 64 1909

  • Hi both,

    Ideally if you can provide an SDU (https://community.sophos.com/kb/en-us/33533) that will help the team troubleshoot.

    Questions:

    When did you join the EAP?

    Please can you advise which Services the Endpoint is reporting an issue with?

    Do you have the same issue on all endpoints in the EAP or only some?

    Does leaving the EAP resolve the issue?

    Regards,

    Stephen

  • I uploaded an SDU through Central itself at the same time as reporting this here yesterday.  d2fc5548-d616-d451-a813-3e4640b743e8_2020-01-01-21-17-09.zip


    Joined the EAP back in November.


    Oddly, that's part of the issue: no services appear to be offline that aren't supposed to be online.

  • Thank you, I have the logs and we will investigate this for you. Are you able to answer the following:

    Please can you advise which Services the Endpoint is reporting an issue with?

    Do you have the same issue on all endpoints in the EAP or only some?

    Does leaving the EAP resolve the issue?

    Regards,

    Stephen

  • Endpoint Self Help (ESH) uses its own data to determine what services should be present based on a feature list gathered from the SophosUpdate.log file.

    Sophos Health, the component that evaluates the EP for the purposes of showing the Health in the Sophos UI, maintains the status under the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\Status

    I would suggest, export/screenshot the above key so we can see which services/processes are not as expected. 

    The Health log file will also detail the problem:

    %ProgramData%\Sophos\Health\Logs\Health.log

    Regards,
    Jak


  • I'm not seeing this on all, currently only 1 device, which happens to be a laptop.  But I'm only testing on a small handful so far.  Luckily I'm not suffering the wifi issue others are.


    Here's a screenshot of the registry. Health.log attached.

    As for which services, that's just it: as mentioned earlier, and as you can note in my previous screenshots, the Sophos client status shows an error complaining of services not running, but when I run SDU everything seems green.


    I haven't removed the device from the EAP yet in case development needed something else from it in this pseudo-broken state.

  • All seems to be OK at first glance.

    From the Health log, the times when services have been reported as problematic outside of a grace period are a while back and as follows:


    2019-08-19T13:20:34.896Z [ 6604] INFO EventPublisher::PostServiceEvent Posting service stopped event: c56bcfbc-711a-41f5-8005-2f2e3db1c316 Sophos Network Threat Protection

    2019-10-25T03:35:05.446Z [ 6084] INFO EventPublisher::PostServiceEvent Posting service stopped event: dd806a0a-2150-49ac-9716-6a5af8c3c82e Sophos Device Control Service
    2019-10-25T19:27:38.707Z [ 5648] INFO EventPublisher::PostServiceEvent Posting service stopped event: ce294ae9-e5ca-4466-b499-7eb20a33958d Sophos Device Control Service

    2019-10-27T04:09:40.760Z [ 7860] INFO EventPublisher::PostServiceEvent Posting service stopped event: 231bb612-9785-46fc-b01c-e1d30dc62ee4 HitmanPro.Alert service
    2019-10-27T04:09:40.760Z [ 7860] INFO EventPublisher::PostServiceEvent Posting service stopped event: ac32b6bf-c80c-4c49-a625-ec6f53b7032a Sophos Clean Service
    2019-10-27T04:09:40.776Z [ 7860] INFO EventPublisher::PostServiceEvent Posting service stopped event: d3434a0f-6c9f-404c-93cf-12dae5949f22 Sophos Safestore Service

    2019-11-05T05:39:10.242Z [ 7264] INFO EventPublisher::PostServiceEvent Posting service stopped event: 4176a2b6-186c-41b7-9d72-8b674d128b2e HitmanPro.Alert service
    2019-11-05T05:39:10.321Z [ 7264] INFO EventPublisher::PostServiceEvent Posting service stopped event: 891a4cd5-ccbd-4576-89b5-98fae8863730 Sophos Anti-Virus
    2019-11-05T05:39:10.383Z [ 7264] INFO EventPublisher::PostServiceEvent Posting service stopped event: 6556090a-a2ba-4f8a-9f54-4a411f7d0ac4 Sophos Clean Service
    2019-11-05T05:39:10.461Z [ 7264] INFO EventPublisher::PostServiceEvent Posting service stopped event: 6b37ff5d-1dca-4dd3-a047-5e1a3230bfbc Sophos Safestore Service

    For reference, these events will also be stored in json files under:
    %ProgramData%\Sophos\Health\Event Store\Trail\


    I can't see all of the service names from the registry screenshot, but all the ones listed are showing the service to be running (0). The Health service is responsible for keeping that up to date.  If the Health service itself isn't running you get a different state shown in the UI.

    I can see only 2 "service.Sophos E..." entries; which of these 3 are the 2 you have:

    • service.Sophos EDR Agent
    • service.Sophos Endpoint Defense
    • service.Sophos Endpoint Defense Service

    I have to assume you don't have EDR Agent, as the other 2 are part of the same component, but maybe that's the issue?

    It might be worth checking the "IsRunning" values for each of the "ProcessNotification" items under:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\ProcessNotification

    Given the feature list, health expects:

    2020-01-02T01:30:09.161Z [ 5904] INFO  ServiceCheck::Run SAU Policy Features have changed: APPCNTRL AV CLEAN CONNECT CORE DLP DVCCNTRL EFW HBT NTP SAV SDU WEBCNTRL XPD 

    No DISKENCRYPTION or MDR features, but you have CONNECT, which I'm not familiar with, but it was added at this time:

    2019-10-20T15:15:42.778Z [ 5872] INFO ServiceCheck::Run SAU Policy Features have changed: APPCNTRL AV CLEAN CORE DLP DVCCNTRL EFW HBT NTP SAV SDU WEBCNTRL XPD
    2019-10-20T15:20:13.422Z [ 5872] INFO ServiceCheck::Run SAU Policy Features have changed: APPCNTRL AV CLEAN CONNECT CORE DLP DVCCNTRL EFW HBT NTP SAV SDU WEBCNTRL XPD

    I assume this list is mirrored in the Features reg value under: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\Service\PolicyFeatures?

    You can always stop the Health service and delete/rename the SQLite Events.db under %ProgramData%\Sophos\Health\Event Store\Database\ to reset the state, but it would be interesting to know why the state is as it is.

    Quite odd, no real idea from what you have added.

    Jak
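
The two replies from Jak above name the places Sophos Health keeps its state: the Health\Status and Health\ProcessNotification registry keys, the AutoUpdate PolicyFeatures key, Health.log and the Event Store trail. The script below is an added example, not Sophos tooling and not code from this thread, that pulls all of those into one view so the mismatch between the UI's "services not running" and the all-green SDU can be seen side by side. It assumes (as Jak's reply says) that a Status value of 0 means the service is running, that each ProcessNotification subkey carries an IsRunning value, and that the PolicyFeatures key holds a value named Features; the last two are assumptions, as Jak's own post also flags the value name as a guess. Run it in an elevated PowerShell session on the affected endpoint.

```powershell
# Added example (not Sophos' own tooling): snapshot of the inputs Sophos Health
# uses to compute endpoint health, per the registry keys and log paths named
# in this thread. Assumed: Status values are DWORDs where 0 = running/OK, each
# ProcessNotification subkey has an IsRunning value, and the PolicyFeatures key
# has a "Features" value (all assumptions, not documented Sophos behaviour).
$base = 'HKLM:\SOFTWARE\WOW6432Node\Sophos'

# 1. Health\Status: any non-zero entry is what the UI would be complaining about.
$status = Get-ItemProperty -Path "$base\Health\Status" -ErrorAction Stop
"=== Health\Status (non-OK first) ==="
$status.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    ForEach-Object {
        [pscustomobject]@{ Check = $_.Name; Value = $_.Value; OK = ($_.Value -eq 0) }
    } | Sort-Object OK, Check | Format-Table -AutoSize

# 2. Health\ProcessNotification\*: per-process IsRunning flags (Jak's suggestion).
"=== Health\ProcessNotification ==="
Get-ChildItem -Path "$base\Health\ProcessNotification" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Process = $_.PSChildName; IsRunning = $p.IsRunning }
    } | Format-Table -AutoSize

# 3. Feature list: what AutoUpdate holds vs. what Health last logged.
$features = (Get-ItemProperty -Path "$base\AutoUpdate\Service\PolicyFeatures" `
                -ErrorAction SilentlyContinue).Features   # value name is an assumption
$log   = Join-Path $env:ProgramData 'Sophos\Health\Logs\Health.log'
$lines = Get-Content -Path $log -ErrorAction Stop
$lastFeat = $lines | Where-Object { $_ -match 'SAU Policy Features have changed: ' } |
            Select-Object -Last 1
$logged = if ($lastFeat -match 'have changed: (.+)$') { $Matches[1].Trim() } else { '(none logged)' }
"=== Feature list ==="
"PolicyFeatures (registry): $features"
"Features (Health.log):     $logged"

# 4. Service-stopped events from Health.log, as in the lines Jak quoted,
#    parsed into timestamp / event id / service name, most recent last.
$pattern = '^(?<ts>\S+) \[\s*\d+\]\s+INFO\s+EventPublisher::PostServiceEvent ' +
           'Posting service stopped event: (?<id>[0-9a-f-]{36}) (?<svc>.+)$'
"=== Last 20 'service stopped' events ==="
$lines | ForEach-Object {
    if ($_ -match $pattern) {
        [pscustomobject]@{
            Time    = [datetime]$Matches.ts      # ISO-8601 'Z' timestamps parse directly
            EventId = $Matches.id
            Service = $Matches.svc.Trim()
        }
    }
} | Sort-Object Time | Select-Object -Last 20 | Format-Table -AutoSize

# 5. The JSON trail files that should mirror those events.
"=== Newest Event Store trail files ==="
Get-ChildItem -Path (Join-Path $env:ProgramData 'Sophos\Health\Event Store\Trail') `
    -Filter *.json -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime | Select-Object -Last 5 Name, LastWriteTime
```

If section 1 shows every check at 0 and section 2 shows every process running while the UI still reports a service problem, the disagreement is between Health's stored state and whatever the UI is reading, which is the situation this thread describes and the point at which Jak's Events.db reset is the next thing to try.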