Real time protection disabled (MAC End points)

All,

I wanted to see if there has been any update on "if the MCS service agent is stops before the other services, it will get a read error and sends the alert."? 

We are using MACs (Catalina, High Sierra & Mojave). I am seeing real time protection disabled on a few machines. The machines have been rebooted on multiple occasions. This does not resolve the issue. 

I have spot checked a few machines, the endpoint agent is also showing "real time protection disabled". How do I resolve this?

I have read thru several different posts on the community, in reference to this same issue. I have not identified anyone posting a resolution to the issue.  

Any help would be greatly appreciated!

Justin 

  • Hello  

    Are there any other events in Sophos Central around the time that the status showed real time protection as disabled? Are all of the other services started? Are all of the Sophos kernel extensions allowed?

    Thanks!

  • In reply to DianneY:

    I am sorry for digging out old topic, but I figured it will be better than starting a new one. I have similar problem. Today I installed agent on mac laptop. At the beginning agent was reporting but I was not able to run all services.

       11:28 AM
    Real time protection disabled
     
        11:20 AM
    Real time protection re-enabled
     
        11:18 AM
    Real time protection disabled
     
         11:13 AM
    Update succeeded
     
         11:12 AM
    Updating failed because no update source has been specified.





    So I followed steps from community.sophos.com/.../134552 and when prompt came out (step 11)  I pressed "Quit Now."

    After this the agent states " Real time protection disabled." Any suggestions ?  

  • In reply to Bartosz Jelen:

    Hi  

    Reboot your machine, if you have not, and also please check out this post, under the Mac OS section.

  • In reply to DianneY:

    ok ill try that, I have also updated my post with more info ( this may help you to better understand my problem ) 

  • In reply to DianneY:

    I had the exact same issue, because the user didn't click Allow to Sophos.

    So by doing this, it worked.

    If the kexts do not load after the above steps, or the prompt to allow the kext does not show, here are the steps to authorize the kext manually.

    1. Boot into macOS Recovery mode.
    2. Open Terminal.
    3. Run the command: /usr/sbin/spctl kext-consent add 2H5GFH3774
    4. Reboot the affected Mac.
  • In reply to Francois Brault:

    Thanks for your response,  ! This may help other users who do not see the "Allow" button. This is also the next step if Allowing Disk Access in OS X Catalina does not help get all service started.