
Policy non-compliance: Network Threat Protection

So suddenly overnight we now have 20+ endpoints that are all reporting "Policy non-compliance:  Network Threat Protection" and the NTP service is showing as not running on all those.  Anyone else see this or have some insight as to why this would suddenly happen?

I'll need to look into it a bit further, but the only change I know of is we pushed out Windows 10 1803 to a bunch of computers last night.



  • It definitely seems to be related to the 1803 push, as all the ones that are showing up in the Central console with the Network Threat Protection service stopped are all ones that got the push.  It was our first big push (200+ endpoints), and I'm noticing a few other older alerts that were ones that got 1803 earlier as part of testing.  Can't manually start the NTP service, it immediately gives a "Error 1053: The service did not respond to the start or control request in a timely fashion."

    Reinstalling Sophos Endpoint Protection does fix it, but I really don't want to have to reinstall on 30+ machines right now.  There's got to be a better way to fix this.

  • I came across this which may help: https://community.sophos.com/kb/en-us/126957

    May not also but ya never know

    Respectfully, 

     

    Badrobot

     

  • I had seen that article, too.  On one endpoint that I looked at, that BFE service was already there and running and I manually did the Visual C++ thing and nothing happened.  NTP Service wasn't running and wouldn't start from the services console.

  • There is also some here: https://community.sophos.com/products/sophos-central/f/sophos-central/96303/some-sophos-services-are-not-running-missing/375025

     

    Basically running procmon during an installation to see why it does not start or for some error that might point to the answer.

    Respectfully, 

     

    Badrobot

     

  • Cheers!  I'll check that out next week.  I also put in a ticket with Sophos Support, as we are scheduled to do another big 1803 push next week, but now we might want to hold off if we're going to end up with 30+ more having this issue.

  • I get it, even to uninstall and reinstall would be a pain, I have seen a few scripts floating around here for uninstalling central but nothing rock solid.

     

    Good Luck to You!

    Respectfully, 

     

    Badrobot

     

  • You may run into issues if you have Tamper Protection enabled and try to uninstall.

    If the device gets removed from Central with Tamper Protection still enabled, you have to boot the computer into Safe Mode and edit registry keys to be able to uninstall Sophos Central at that point.

     

     

    The script for fixing the services not starting still has a manual step involved, you have to disable tamper protection manually from Sophos Central, unless you run with it off then it should work for you without that step.

     

    Could use this function that I have in my PowerShell profile.

     

    # Starts every stopped service whose display name begins with "Sophos" on the given computer.
    function Set-SophosServices {
        param ($Computer)
        Get-Service -ComputerName $Computer -DisplayName "Sophos*" | Where-Object {$_.Status -eq "Stopped"} | Start-Service
    }

     

     

    Command would be as follows:

     

    Set-SophosServices -computer "nameofcomputer"

     

    Usually I get an error for one service, I think it's the web intelligence service, but it all comes up in a minute

  • I disabled tamper protection and tried the script, but still get this error:

     

    Start-Service : Service 'Sophos Network Threat Protection (SntpService)' cannot be started due to the following error:
    Cannot start service SntpService on computer 'CSS039677M'.
    At line:3 char:107
    + ... me "Sophos*" | Where-Object {$_.Status -eq "Stopped"} | Start-Service
    + ~~~~~~~~~~~~~
    + CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
    ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

  • Josh,

     

    Yes, that is the one service that causes that error.

    Did the computer have its services start back up after and report as green in Central after a minute or so?
    I get the same result, but everything runs fine.

  • Nick Cuddemi said:

     

    Did the computer have its services start back up after and report as green in Central after a minute or so?
    I get the same result, but everything runs fine.

     

     

    Nope, currently sitting with 33 endpoints with a "Policy non-compliance: Network Threat Protection" status alert.  I let them sit over the weekend hoping maybe it would fix itself (as oftentimes happens with Sophos issues), but the same ones are still there.  I have submitted a ticket with Sophos Support, just waiting for them to get back to me.

  • After running the script or even manually starting the services I mean.

     

    I have to check every morning for stopped services.

    I reached out to Sophos about this, and they suggested changing the start from automatic to delayed.

    Also, you won't get emails when they stop as that was changed for alerting back in June or July of 2018.

    I got an email yesterday from them about that as I had stopped receiving alerts, so if you need to check for stopped services, it must be done manually, unless you monitor that with a script/ third party.

     

    Let me know what Sophos says about the issue
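
Added example (not part of the thread, and not Sophos's or any poster's code): one way to script the daily check for stopped Sophos services across many endpoints, since the thread notes Central no longer emails when they stop. The function name and host names are hypothetical; it assumes WinRM/CIM remoting is enabled on the endpoints and that the caller has admin rights there.

```powershell
# Reports Sophos services set to start automatically that are not running.
# With -Start it also requests a start and records the result per service.
function Get-SophosStoppedService {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [switch] $Start   # Tamper Protection may still block the start request
    )
    # Win32_Service.StartService return codes worth naming in the report
    $codes = @{ 0 = 'Started'; 2 = 'Access denied'; 7 = 'Start request timed out'; 10 = 'Already running' }
    $filter = "DisplayName LIKE 'Sophos%' AND StartMode = 'Auto' AND State <> 'Running'"

    foreach ($computer in $ComputerName) {
        try {
            $services = Get-CimInstance -ClassName Win32_Service -ComputerName $computer `
                -Filter $filter -ErrorAction Stop
        } catch {
            # Keep unreachable hosts in the report instead of silently skipping them
            [pscustomobject]@{ Computer = $computer; Service = $null; State = 'Unreachable'
                               DelayedStart = $null; StartResult = $_.Exception.Message }
            continue
        }
        foreach ($svc in $services) {
            $result = 'Not attempted'
            if ($Start) {
                $rv = [int](Invoke-CimMethod -InputObject $svc -MethodName StartService).ReturnValue
                $result = if ($codes.ContainsKey($rv)) { $codes[$rv] } else { "Failed (code $rv)" }
            }
            [pscustomobject]@{
                Computer     = $computer
                Service      = $svc.Name
                State        = $svc.State
                DelayedStart = $svc.DelayedAutoStart   # True if already set to delayed start
                StartResult  = $result
            }
        }
    }
}

# Constructed host names; replace with the endpoints that received the upgrade.
Get-SophosStoppedService -ComputerName 'PC-EXAMPLE-01', 'PC-EXAMPLE-02' |
    Format-Table -AutoSize
```

Run without `-Start` the function only reads service state, so it can be scheduled as a report; a service that returns "Start request timed out" on every attempt is one that needs the reinstall or a vendor fix rather than another restart.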