
Lost access to start or stop Sophos services on all machines

Hello all,

 

I noticed this morning all Sophos services start, stop or restart options are greyed out and when attempting to change the properties, are met with an "Access denied" error.

This happens on any PC we have Sophos Central deployed on including my local PC.


I was able to start/stop services yesterday for multiple PCs as I got warnings that they had stopped, but that is no longer the case.

 

Any info on what might have caused this would be greatly appreciated.

 

Thank you

 

-Nick



  • Hello Nick,

    AFAIK Tamper Protection is enabled by default in Central and this results in the "symptoms" you describe. Can't say why you were able to yesterday.

    Christian

  • Hello QC,

     

    We originally had Tamper Protection disabled but a standard non-admin user was able to adjust any settings, such as turning protection off, so we had to enable tamper protection again to prevent this.

    I get multiple emails daily about services stopping on machines, so I wrote a script to enable them (Sophos will sometimes, but other times the service will stay stopped for hours).

    I've done this consistently until this morning, so I am not sure why it worked in the past either if having tamper protection on is supposed to disable this feature.

     

    We would be fine with having tamper protection off if standard users weren't able to go in and turn parts of Sophos on or off without being a local admin, so we're forced to have it on.

     

    Having to get the key from Central, disable tamper protection, then restart the service and enable tamper protection again is the solution then if Sophos won't restart the service?

     

    Thank you

  • Just to confirm, I disabled tamper protection globally and went to a user to test.

    He is able to change any of the settings under "Settings" from Sophos.

    He can disable peripheral control for up to 4 hours or anything else that is enabled.

    He is not a local admin

     

    When going into Global Settings > Tamper Protection from Central it says 

    "Tamper protection ensures that users with local administrator rights can't uninstall Sophos Central Endpoint software or change settings."

     

    This is not just applying to local admins, but to everyone.

     

    Edit:

     

    Also tested the ability to start/stop Sophos services with Tamper Protection disabled and I am still getting access denied errors.

     

    Edit2:

     

    Spoke to support, this is functioning as intended.

    If Tamper Protection is disabled, non local admins have the ability to override policies for up to 4 hours.

    If Tamper Protection is enabled, you need a password to disable it on the physical machine, or you can have Central disable from the Web portal, but you lose the ability to remotely start/stop services.

    If a service stops with Tamper Protection enabled and you aren't able to get to the physical machine, you need to disable it via Central, wait for it to apply, restart the service(s) and enable Tamper Protection again.

     

    Thank you

     

    -Nick