
Missing registry key at workstation service \ dependency

Hello guys. I am working in the IT department at a company, and have been getting this same issue quite recently. I have 20-30 tickets solved with the same issue, but there are more. I was looking for information on the internet about this, and oddly I didn't find anyone having the same problem, which means it might be a company-related, network or configuration problem. I am not in a position to have insight into the Sophos Intercept configuration, so I can't tell much about it. I am in the position where the users come to me with the problems :)

The problem is the following:

1. At various activities Sophos Intercept blocks something. It can be an Excel macro, a Java plugin, an SCCM install deployment; it can trigger on anything. I didn't find a pattern, and could not reproduce it intentionally.

2. During the next restart a black screen appears with 8-bit style white text on it: SOPHOS CLEAN, which is there for ca. 15 seconds, then booting continues.

3. After logging in, the Workstation service cannot be started, because it has lost all of its dependencies from the registry; the registry key is simply missing. Since the Workstation service doesn't run, the Netlogon service cannot be started either, so in the end there is no network authentication on the computer.


The solution:

1. Adding back the missing registry key (previously exported from a working machine) and restarting, so the Workstation service can run, but after this point there is still no SMB.

2. Removing the Microsoft Network Client from the network center, restarting, and adding it back solves the problem, and the computer is back online.


However, even if the fix is known and doesn't take much time, the issue is pretty annoying, as it needs administrator rights to fix, which causes problems at a big company.

I made several SDU logs on several computers, but as far as I understand there is nothing interesting in them: the blocking event is logged, but since the registry damage happens during the restart with the black screen, it isn't logged there. At least I didn't see "deleting registry key now" in the log.


Every computer has Windows 7 64-bit Enterprise edition installed. The issue has been occurring since we introduced Sophos Intercept X.

Core Agent: 11.5.11

Sophos Intercept X: 3.6.10


I am not in a position to install another version or patch, or to change the configuration. My question is: what do you think about this, have you experienced this before, is it a known issue with a solution maybe?
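An added example for anyone hitting the same symptom, not code from the poster or from Sophos: a PowerShell audit that finds machines whose Workstation service registry data has been damaged before users report lost network logon. It assumes the lost data is the LanmanWorkstation service key and its DependOnService value (the post does not name the key), that the baseline values below match a known-good Windows 7 x64 host, and that WinRM is enabled for remote runs.

```powershell
# Added example, not from the thread: audit the Workstation (LanmanWorkstation)
# service's registry dependency data on Windows 7 hosts so damaged machines can be
# found before users lose network logon. Assumes the lost key is the service's
# DependOnService value (the post does not name it) and that WinRM is enabled.
param([string[]]$ComputerName = @())

# Baseline constructed from a known-good Windows 7 x64 host; export your own with
#   reg export HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation lanman.reg
$Baseline = @{
    DependOnService = @('Bowser', 'MRxSmb10', 'MRxSmb20', 'NSI')
    Start           = 2   # SERVICE_AUTO_START
}

$Audit = {
    param($Baseline)
    $keyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
    $problems = @()
    if (-not (Test-Path $keyPath)) {
        $problems += 'LanmanWorkstation key missing entirely'
    } else {
        $props = Get-ItemProperty -Path $keyPath
        # A missing or empty DependOnService is the damage described in the post
        if (-not $props.DependOnService) {
            $problems += 'DependOnService value missing'
        } else {
            $lost = $Baseline.DependOnService | Where-Object { $props.DependOnService -notcontains $_ }
            if ($lost) { $problems += "DependOnService lacks: $($lost -join ', ')" }
        }
        if ($props.Start -ne $Baseline.Start) {
            $problems += "Start type is $($props.Start), expected $($Baseline.Start)"
        }
    }
    # Netlogon depends on Workstation, so both should be running on a healthy host
    foreach ($svc in 'LanmanWorkstation', 'Netlogon') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $s -or $s.Status -ne 'Running') { $problems += "$svc not running" }
    }
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Healthy  = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Run locally when no names are given; otherwise fan out over WinRM
if ($ComputerName.Count -eq 0) { $results = & $Audit $Baseline }
else { $results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $Audit -ArgumentList $Baseline }
$results | Select-Object Computer, Healthy, Problems | Format-Table -AutoSize
```

Running it from SCCM or a scheduled task against the fleet lists hosts with a missing key or dependency before the next reboot surfaces the Netlogon failure; it only reads the registry, so the repair itself still needs the export from a working machine as described above.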



  • Hi Mátyás Gruber,

    Thanks for the detailed post on issues and the workaround that you have shared.

    I believe each issue that you have highlighted could be due to various factors. It would help our community members if you could share a few more details on this.

    1. For Intercept X blocking:

    • Are we seeing the same detection or different detections on the clients? Are they specific to any OS/ Product/ application?
    • Are they seen for known/Trusted applications?

    2. Sophos Clean:

    • Is it recurring on the same client at some later point in time, or is it a one-time event?
    • Do you see any Task list added? Checked for startup scripts or applications?

    3. Workstation service:

    • Are any detections seen prior to this issue?
    • Any entries of Intercept X or other components blocking the service? (Check for event ID 911.)

    Also, could you PM the existing/closed cases for these issues so that I can have a better insight?

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support


  • Hello,


    1.

    • It's different detections. I didn't find any pattern in what is blocked and why. I wasn't able to reproduce it. Usually it's some Java stuff (but not always the same Java stuff) or some Excel macro (but at other times the same Excel macro isn't blocked), or some "threat cleaned up".

    • As far as I know they are all known applications. In the Excel macros there is sometimes an opening of an external database source, but usually it's not blocked. Maybe there is some difference in the network traffic in the background at these times.

    2.

    • So far it didn't happen twice on a computer. (Had like 30-40 issues, but all of them on different computers.)
    • Didn't check for startup scripts or applications.

    3. Didn't have any Workstation service problem before this blocking; it would be visible very fast, as the user cannot access the network anymore if it happens.


    I got a promise from the deployment guys that we will install a fix soonish; maybe it will help. I have SDU logs from these blocks, I can send them to you if you think it helps, but maybe the mentioned fix will make it unnecessary.

  • Hi Mátyás Gruber,

    I see that the issue is sporadic and non-recurring on the same devices. May I know if you have any reference case via which you got the confirmation on the fix? Can you share the details via PM?

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

