Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Hi Community,
Below are possible troubleshooting steps (and KB articles for reference) to take when you see an alert in Sophos Central that says "One or more Sophos services are missing or not running" for machines running Sophos Central Endpoint. It also includes recommendations on what information to provide to Sophos Support if none of the suggestions below work or apply.
What does this alert mean?
Services missing or not running usually means that a component has failed to install or update. In some cases, the operating system or a third-party application may interfere with Sophos services and prevent the service(s) from starting.
What to do
- Always start with checking if you have installed Sophos on a supported environment:
- Has anything changed in your environment? Make sure your Firewall is allowing access to Sophos update servers: Sophos Central: Domains and ports required for communication to and from Sophos Central Admin and the Sophos Central managed endpoint
- Has the computer been restarted? Some updates cannot finish installing until the system is restarted, and until then services may be missing or not started.
- Once rebooted, check Sophos Endpoint Self-Help (ESH) for status:
For Mac OS:
- If running OS 10.13 and newer, ensure that you have allowed Sophos Kernel Extensions (KEXTs):
- If the service still would not start: Raise a support case with the following information, at the very least:
For Windows OS:
- If the Sophos AutoUpdate service is not started or is missing, this needs to be resolved first. If this service is not started (or not installed), updating will not occur and other services will not start.
- Re-create the AutoUpdate cache. When Sophos updates, it downloads the update files for all components installed on the endpoint, and these are run in a particular order to carry out the update. If any files are missing, the update could fail and services will be missing or not started.
- If #2 does not work, determine which service is not running or is missing. This is usually an indication that the update has failed because a certain component did not uninstall, and/or install successfully.
- What service is missing/not started?
- Check the install (or uninstall) log files for error codes. Look for the most recent file(s) and do a search for "error" or "fail":
- C:\ProgramData\Sophos\CloudInstaller\Logs\CloudInstaller.log
- Based on which service is missing or does not start, review the MSI logs, which have names like Sophos <component> Log_<datetime stamp> Install.log and are located in
- C:\Windows\Temp
- %LocalAppData%\Temp
- Do a search for "error" or "fail".
- Error 1721
- Error 1920 on Sophos System Protection (SSP) Service install
- Sophos Network Threat Protection (NTP) Service not starting:
- Troubleshooting installation errors using MSI logs
- If the service still would not start: Raise a support case with the following information, at the very least:
Additional suggestions for troubleshooting are welcome. This post may be updated periodically.
Updated disclaimer
[edited by: Qoosh at 10:03 PM (GMT -7) on 31 Mar 2023]
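The Windows log review described in the post can be collected in one read-only pass. The script below is an added example, not part of the original post and not a Sophos tool; the wildcard `Sophos*Log_*.log` is an assumption derived from the file-name pattern quoted above, and the `$Days` and `$MaxFiles` limits are arbitrary values chosen for the example.

```powershell
# Added example (not Sophos code): read-only triage of the services and logs named in the post.
# Assumptions: 'Sophos*Log_*.log' approximates "Sophos <component> Log_<datetime stamp> Install.log";
# $Days and $MaxFiles are arbitrary limits for this example.
param(
    [int]$Days = 7,
    [int]$MaxFiles = 10
)

# 1. List every Sophos service with its state. A service that is absent from
#    this list is "missing"; one that is listed but not Running is "not started".
Get-Service -DisplayName 'Sophos*' -ErrorAction SilentlyContinue |
    Sort-Object Status, DisplayName |
    Format-Table DisplayName, Name, Status -AutoSize

# 2. Gather the most recent installer logs from the locations listed in the post.
$cutoff = (Get-Date).AddDays(-$Days)
$logs = @()
$cloudLog = 'C:\ProgramData\Sophos\CloudInstaller\Logs\CloudInstaller.log'
if (Test-Path $cloudLog) { $logs += Get-Item $cloudLog }
foreach ($dir in 'C:\Windows\Temp', (Join-Path $env:LOCALAPPDATA 'Temp')) {
    # @() keeps an empty result from adding a $null entry to $logs.
    $logs += @(Get-ChildItem -Path $dir -Filter 'Sophos*Log_*.log' -File -ErrorAction SilentlyContinue |
        Where-Object LastWriteTime -ge $cutoff)
}
$logs = $logs | Sort-Object LastWriteTime -Descending | Select-Object -First $MaxFiles

# 3. Search each log for "error" or "fail" (case-insensitive) and extract
#    four-digit Windows Installer error numbers such as 1721 or 1920.
foreach ($log in $logs) {
    $hits = Select-String -Path $log.FullName -Pattern 'error|fail'
    if (-not $hits) { continue }
    $codes = $hits | ForEach-Object {
        [regex]::Matches($_.Line, '(?i)\berror\s+(\d{4})\b') |
            ForEach-Object { $_.Groups[1].Value }
    } | Sort-Object -Unique
    '{0}  (modified {1:yyyy-MM-dd HH:mm})  matches={2}  codes={3}' -f `
        $log.FullName, $log.LastWriteTime, @($hits).Count, ($codes -join ',')
    # Show the last few matching lines, which are usually closest to the failure.
    $hits | Select-Object -Last 5 |
        ForEach-Object { '    line {0}: {1}' -f $_.LineNumber, $_.Line.Trim() }
}
```

Run it from an elevated prompt so that C:\Windows\Temp is readable. `%LocalAppData%` resolves for the account running the script, so run it as the user who performed the installation if the logs are expected there.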