Policy non-compliance: Network Threat Protection

So suddenly overnight we now have 20+ endpoints that are all reporting "Policy non-compliance: Network Threat Protection" and the NTP service is showing as not running on all those. Anyone else see this or have some insight as to why this would suddenly happen?

I'll need to look into it a bit further, but the only change I know of is we pushed out Windows 10 1803 to a bunch of computers last night.

  • I have numerous computers that report that the Network Threat Protection is not running almost daily.

    I have a script to re-enable it, but I have to go into Central each morning to check, then fix the service and it's fine for the rest of the day, until the next morning.

    If you find out a permanent solution, I would love to hear it!

    If I find any other information out, I'll reach out.

  • In reply to Nick Cuddemi:

    Any chance you would share that script? That would be helpful for getting the service running on all these endpoints.

    I am thinking now that it's related to the 1803 push last night, since a lot of the ones I'm seeing would have been included in the group that got the update.

  • In reply to Josh Winter:

    I am on 1803 and did not have the issue, still could be 1803 though, I am using Win 10 Pro not Enterprise.

  • In reply to badrobot:

    We're on Enterprise, but this is one of the most frustrating things about Sophos where we'll have issues that will only affect some of our endpoints. Perfect example: our Telecom team has to install software on some PCs for our phone system. Recently had to install on 2 computers right next to each other. One of them was fine, the other Sophos flagged it as PUA. Absolutely nothing different about the 2 computers and both had the same Sophos installed. For this current issue we've got about 30 endpoints with the NTP service stopped and won't restart but probably have 200+ endpoints with 1803 installed.

  • It definitely seems to be related to the 1803 push, as all the ones that are showing up in the Central console with the Network Threat Protection service stopped are all ones that got the push. It was our first big push (200+ endpoints), and I'm noticing a few other older alerts that were ones that got 1803 earlier as part of testing. Can't manually start the NTP service, it immediately gives an "Error 1053: The service did not respond to the start or control request in a timely fashion."

    Reinstalling Sophos Endpoint Protection does fix it, but I really don't want to have to reinstall on 30+ machines right now.  There's got to be a better way to fix this.

  • In reply to Josh Winter:

    I came across this which may help: https://community.sophos.com/kb/en-us/126957

    May not also but ya never know

  • In reply to badrobot:

    I had seen that article, too. On one endpoint that I looked at, that BFE service was already there and running and I manually did the Visual C++ thing and nothing happened. NTP Service wasn't running and wouldn't start from the services console.

  • In reply to Josh Winter:

    There is also some here: https://community.sophos.com/products/sophos-central/f/sophos-central/96303/some-sophos-services-are-not-running-missing/375025

    Basically running procmon during an installation to see why it does not start or for some error that might point to the answer.

  • In reply to badrobot:

    Cheers! I'll check that out next week. I also put in a ticket with Sophos Support, as we are scheduled to do another big 1803 push next week, but now we might want to hold off if we're going to end up with 30+ more having this issue.

  • In reply to Josh Winter:

    I get it, even to uninstall and reinstall would be a pain, I have seen a few scripts floating around here for uninstalling central but nothing rock solid.

    Good Luck to You!

  • In reply to badrobot:

    You may run into issues if you have Tamper Protection enabled and try to uninstall.

    If the device gets removed from Central with Tamper Protection still enabled, you have to boot the computer into Safe Mode and edit registry keys to be able to uninstall Sophos Central at that point.

    The script for fixing the services not starting still has a manual step involved, you have to disable tamper protection manually from Sophos Central, unless you run with it off then it should work for you without that step.

    Could use this function that I have in my PowerShell profile.

    function Set-SophosServices {
        param ($Computer)
        Get-Service -ComputerName $Computer -DisplayName "Sophos*" | Where-Object {$_.Status -eq "Stopped"} | Start-Service
    }

    Command would be as follows:

    Set-SophosServices -computer "nameofcomputer"

    Usually I get an error for one service, I think it's the web intelligence service, but it all comes up in a minute.

  • In reply to Nick Cuddemi:

    I disabled tamper protection and tried the script, but still get this error:

    Start-Service : Service 'Sophos Network Threat Protection (SntpService)' cannot be started due to the following error:
    Cannot start service SntpService on computer 'CSS039677M'.
    At line:3 char:107
    + ... me "Sophos*" | Where-Object {$_.Status -eq "Stopped"} | Start-Service
    + ~~~~~~~~~~~~~
    + CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
    ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

  • In reply to Josh Winter:

    Josh,

    Yes, that is the one service that causes that error.

    Did the computer have its services start back up after and report as green in Central after a minute or so?
    I get the same result, but everything runs fine.

  • In reply to Nick Cuddemi:

    Nick Cuddemi

    Did the computer have its services start back up after and report as green in Central after a minute or so?
    I get the same result, but everything runs fine.

    Nope, currently sitting with 33 endpoints with a "Policy non-compliance: Network Threat Protection" status alert. I let them sit over the weekend hoping maybe it would fix itself (as oftentimes happens with Sophos issues), but the same ones are still there. I have submitted a ticket with Sophos Support, just waiting for them to get back to me.

  • In reply to Josh Winter:

    After running the script or even manually starting the services I mean.

    I have to check every morning for stopped services.

    I reached out to Sophos about this, and they suggested changing the start from automatic to delayed.

    Also, you won't get emails when they stop as that was changed for alerting back in June or July of 2018.

    I got an email yesterday from them about that as I had stopped receiving alerts, so if you need to check for stopped services, it must be done manually, unless you monitor that with a script/third party.

    Let me know what Sophos says about the issue
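Since the thread ends on two points, Nick's one-line restart function and the later note that stopped-service alerts are no longer emailed and must be checked by script, here is an added example (not code from the thread or from Sophos) that does both: it sweeps a list of endpoints for stopped Sophos services, tries to start each one individually so a single failure such as the SntpService error above does not abort the run, and returns a per-service report. It assumes Windows PowerShell 5.1 (where Get-Service -ComputerName is still available), remote service control is permitted, and Tamper Protection is already disabled as described above; the computer names are placeholders.

```powershell
# Added example: morning sweep for stopped Sophos services across endpoints.
# Assumes Windows PowerShell 5.1, remote service control allowed, Tamper Protection off.
function Get-StoppedSophosServices {
    param ([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            # -ErrorAction Stop also catches hosts with no Sophos services at all
            Get-Service -ComputerName $c -DisplayName "Sophos*" -ErrorAction Stop |
                Where-Object { $_.Status -eq 'Stopped' } |
                ForEach-Object {
                    [pscustomobject]@{ Computer = $c; Service = $_.Name; Status = $_.Status }
                }
        } catch {
            # Unreachable host or access denied: record it instead of stopping the sweep
            [pscustomobject]@{ Computer = $c; Service = '(query failed)'; Status = $_.Exception.Message }
        }
    }
}

function Repair-SophosServices {
    param ([string[]]$ComputerName)
    foreach ($item in (Get-StoppedSophosServices -ComputerName $ComputerName)) {
        if ($item.Service -eq '(query failed)') { $item; continue }
        try {
            # Start each service on its own so one failure does not skip the rest
            Get-Service -ComputerName $item.Computer -Name $item.Service -ErrorAction Stop |
                Start-Service -ErrorAction Stop
            $result = 'Started'
        } catch {
            # Keep the error text; a repeated "Cannot start service SntpService" is the symptom above
            $result = $_.Exception.Message
        }
        [pscustomobject]@{ Computer = $item.Computer; Service = $item.Service; Result = $result }
    }
}

# Usage: run from a scheduled task each morning; placeholder names below
$report = Repair-SophosServices -ComputerName @('PC-PLACEHOLDER-01', 'PC-PLACEHOLDER-02')
$report | Where-Object { $_.Result -ne 'Started' } | Format-Table -AutoSize
```

Anything still listed after the run is an endpoint that needs the reinstall or support-ticket route rather than a simple restart.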