Notifycation missing on RED Flag status

Hi All,

We have Sophos Endpoint Protection installed on all our clients and all is managed from the Sophos Cloud. Yesterday one of the clients was automatically updated by Sophos. The update failed and one of the services did no longer run. This caused the client to be RED flagged in the Sophos Cloud. This RED flag led to an automatic isolation of the device. PERFECT! This is exactly the behaviour I want in my organisation.

There was only one thing missing, there was no notifycation of the event send out to the administrators. This made that it took longer then needed to resolve this matter. Now why did we not get this notification? I checked in the Sophos Cloud but all notifycations are enabled and all error/critical errors should bne notified directly, warnings and information notifycations are send once every day.

Please help me understand and resolve this.

Kind regards,
Jeffrey

  • Hi  

    Would you please check under event logs on the central dashboard, what was the update and which service did not start? Alerts that are resolved automatically are not shown. To view all events, go to Logs & Reports > Events.

  • In reply to Shweta:

    Hi  

    The event gave this error "Failed to install savxp: setup error.". But that is not what im worried about. I just want to know why the administrators were not notified of a client device going into isolation. That is the big question here.

  • In reply to JeffreyJaspers:

    Hi  

    There are some event types that will be delayed to give time to attempt automatic remediation steps by the software or prevent alerting prematurely to common event types. This can be the reason that you might have not received the email alert. You can test the email settings if you want to confirm. 

  • In reply to Shweta:

    Hi  

    Altering is setup fine, this all works. The isolation of a client device should always be a critical situation, no matter what the cause is. If the cause is and infection then the administrator should definitly receive a notifycation, but now the Admin just does not get notified if a client device is isolated. That is a very bad property!

    You say that in some cases alerting is delayed due to an automated remediation process, can you share some documentation or KB article where it is explained when this exactly happens?

  • In reply to JeffreyJaspers:

    Hi  

    That is unusual, please check this article for more information.