The security health cannot be reported at the moment error

I installed InterceptX onto a computer and I get the following error: "The security health cannot be reported at the moment" in Sophos Central. Is there a fix for this?

  • Hi Jeff,

    Sorry to hear about the issue you are facing. Can you share any snaps or logs on this post? For discretion, you may also private message me.

    Thanks and Regards

    Aditya Patel 

  • The Sophos Health Service is responsible for creating the registry keys under:
    HKLM\Software\Wow6432node\sophos\Health\Status

    The MCS Agent service reads these to report on the health of the services, so I would suggest:

    1. Check that the Sophos Health service exists and is started.

    2. Check the above registry key.  Does the above key exist but with no values underneath? A working computer could be useful for reference.

    3. Does the adapter registry key exist under:
    HKLM\software\wow6432node\sophos\remote management system\ManagementAgent\Adapters\SHS
    and does the DllPath value point to the shsadapter.dll, and does the file exist in the referenced location? Again, checking a working computer for reference. You may also want to check that the shsadapter.dll is loaded in the MCSAgent.exe process. You can do this with Process Explorer (Sysinternals).

    Maybe use Process Monitor (Sysinternals) to monitor what happens when you start the Sophos Health service in terms of the above key.  Problems writing the values?

    Hope it helps.

    Regards,

    Jak
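
Added example (not part of Jak's post and not Sophos code): a read-only PowerShell version of checks 1 to 3 above, to run from an elevated prompt on the affected machine and on a working one for comparison. The `Sophos Health*` display-name wildcard and the function names are assumptions; the loaded-module check is left to Process Explorer as the post suggests.

```powershell
# Added example: read-only checks, nothing is modified.
# Registry paths come from the post above (with "magement" spelled out as "Management");
# the display-name wildcard and both function names are assumptions.
function New-Check($Check, $Ok, $Detail) {
    [pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = $Detail }
}

function Test-SophosHealthReporting {
    # 1. Does the Sophos Health service exist, and is it started?
    $svc = Get-Service -DisplayName 'Sophos Health*' -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($svc) {
        New-Check 'Health service' ($svc.Status -eq 'Running') "$($svc.DisplayName): $($svc.Status)"
    } else {
        New-Check 'Health service' $false 'no service matching "Sophos Health*"'
    }

    # Wow6432Node exists only on 64-bit Windows; on a 32-bit system the
    # same keys sit directly under HKLM\SOFTWARE\Sophos.
    $root = 'HKLM:\SOFTWARE\WOW6432Node\Sophos'
    if (-not (Test-Path -LiteralPath $root)) { $root = 'HKLM:\SOFTWARE\Sophos' }

    # 2. Does the Status key exist, and does it hold any values?
    $statusKey = "$root\Health\Status"
    $key = Get-Item -LiteralPath $statusKey -ErrorAction SilentlyContinue
    if ($key) {
        $names = @($key.GetValueNames())
        New-Check 'Status key' ($names.Count -gt 0) "$statusKey has $($names.Count) value(s)"
    } else {
        New-Check 'Status key' $false "$statusKey is missing"
    }

    # 3. Does the SHS adapter key exist, and does DllPath point at a real file?
    $adapterKey = "$root\Remote Management System\ManagementAgent\Adapters\SHS"
    $dll = (Get-ItemProperty -LiteralPath $adapterKey -Name DllPath -ErrorAction SilentlyContinue).DllPath
    if (-not $dll) {
        New-Check 'SHS adapter' $false "no DllPath value under $adapterKey"
    } else {
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        $exists = Test-Path -LiteralPath $expanded -PathType Leaf
        New-Check 'SHS adapter' $exists "DllPath = $expanded"
    }
}

Test-SophosHealthReporting | Format-Table -AutoSize -Wrap
```

A row with `Ok = False` on the problem machine that is `True` on the reference machine shows which of the three checks to follow up with Process Monitor.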

  • In reply to jak:

    Hi Jak,

    I have one computer in our network where the Healthservice will not start. I followed your suggestion for looking at a computer with no problems as reference, but I cannot find the registry keys you refer to. I do see the same keys under HKLM\software\sophos....

    When I try to start the service on the problem computer I get a 575 error. All other services are working fine?

    Besides that, it is a little bit strange that the option to stop and start this service is available. On a computer with no problems, stopping and starting the service is greyed out.

    Regards,

    Hans.

  • In reply to Hans Prins:

    By any chance was an eSata drive connected to that PC?

  • In reply to Rick DeFilippo:

    I have the same issue after cloning a SATA HDD to SSD.
    The Health service won't start, with 575 error!

  • In reply to Fabien DUGUE:

    I have the same problem as well. Sophos Central for one of my devices says The security health cannot be reported at the moment. On the client computer, the Sophos Health Service won't start Error 575. I cannot uninstall or re-install because tamper protection won't allow me to. I disabled Tamper Protection from Central but the command is not reaching the client because it remains enabled. Suggestions?

  • In reply to Dennis Lawrence:

    Hi,

    Here is what I did to solve the issue.

    First disable the tamper protection:

    1. Boot the system into Safe Mode.
    2. Click Start > Run > services.msc > right-click Sophos Anti-Virus service > properties > set to disabled > OK
    3. Click Start > Run, type regedit, and then click OK.
    4. Go to the following location in the registry editor:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent
      and set the REG_DWORD Start to 0x00000004
    5. Go to the following location in the registry editor:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
      and set the following REG_DWORD values SAVEnabled and SEDEnabled to 0
    6. Go to the following location in the registry editor:
      HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection
      and set the REG_DWORD Enabled to 0

    Reboot the system in normal mode.

    After that you can reinstall the Sophos endpoint software.

    Best regards

  • What worked for me:

    First disable Tamper Protection in Sophos Web Interface. Then make these changes in Safe Mode:

    1. Boot the system into Safe Mode.
    2. Click Start > Run > services.msc > right-click Sophos Anti-Virus service > properties > set to disabled > OK
    3. Click Start > Run, type regedit, and then click OK.
    4. Go to the following location in the registry editor:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent
      and set the REG_DWORD Start to 0x00000004
    5. Go to the following location in the registry editor:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
      and set the following REG_DWORD values SAVEnabled and SEDEnabled to 0
    6. Go to the following location in the registry editor:
      HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection
      and set the REG_DWORD Enabled to 0

    After that reinstall Endpoint Protection (uninstall didn't work the first time, don't know why)

    Then Uninstall Sophos Endpoint Protection

    Delete the Machine from Sophos Web Interface

    Reboot the Device and install Sophos Endpoint Protection again.

    If you ask why to uninstall it again: I've tried only to reinstall it, but after activating Tamper Protection again the same error occurred, so I've tested it with uninstalling and deleting the object, and after that everything was fine.

    Best regards,

    Alex

  • Can these fixes be built into the installer? Asking us to boot into safe mode every time we have these issues is really annoying.

  • I'm getting this issue on one of our workstations.

    As others have mentioned, it's kind of ridiculous that we should be expected to boot the workstation into safe mode and modify the Windows registry to fix this issue.

    It's obviously just a bug in Sophos that needs to be addressed.

    Come on guys, this is why we pay the big bucks for Sophos...

  • In reply to Beverly Glen:

    Hi  

    The Sophos Health Service is responsible for creating the registry keys under HKLM\Software\Wow6432node\sophos\Health\Status. The MCS Agent Service reads these keys to report the Health status. This error occurs when there are problems writing the values, for which Process Monitor logs will be helpful to monitor what happens when you start the Sophos Health Service, in terms of the above keys. I would recommend you open a support case for in-depth investigation.

  • Sophos needs to fix the issue in their installer. I have found that the issue occurs when you try to install Sophos after the warning of "It is recommended that you reboot your machine before installing..." but ignore it, and install anyways. Sophos should either require a reboot or prevent you from installing, if this issue is going to occur. We didn't realize this until we had 8-9 computers with the service error. What we've found as a way to fix it, without entering safe mode is to run the commands listed in this KB article:

    https://community.sophos.com/kb/en-us/124218

    I did end up scripting this as a batch file and was able to deploy it with PDQ Deploy - group policy wasn't working for us, but other deployment methods should work as long as they run it as admin or as the local service account.

    1. Open an Elevated (Administrative) Command Prompt (Search for cmd.exe or command prompt, right-click, Run as Administrator)
    2. Run the following commands in order:
       fsutil resource setautoreset true c:\
       attrib -r -s -h c:\windows\System32\Config\TxR\*
       del c:\windows\System32\Config\TxR\*
       attrib -r -s -h c:\windows\System32\SMI\Store\Machine\*
       del c:\windows\System32\SMI\Store\Machine\*.tm*
       del c:\windows\System32\SMI\Store\Machine\*.blf
       del c:\windows\System32\SMI\Store\Machine\*.regtrans-ms
    3. Restart the computer

    Batch File:

    Echo On
    fsutil resource setautoreset true c:\
    attrib -r -s -h c:\windows\System32\Config\TxR\*
    echo y | del c:\windows\System32\Config\TxR\*
    attrib -r -s -h c:\windows\System32\SMI\Store\Machine\*
    del c:\windows\System32\SMI\Store\Machine\*.tm*
    del c:\windows\System32\SMI\Store\Machine\*.blf
    del c:\windows\System32\SMI\Store\Machine\*.regtrans-ms
    exit

  • In reply to Jack Beggs:

    The version of Sophos Health in the EAP for new features no longer uses the transactional registry APIs, so I guess any problems with the dependency on that working go away in the future.

    Regards,

    Jak

  • Any update on this? I noticed this error reoccurring on a client's system, then I had the same issue with my laptop. Looking at our estate, there are many systems with the same problem.

  • In reply to McDuck:

    Hi  

    Please have a look at this related post, if it helps.