Issue: Sophos Central Admin – US-West region - Delays with the enforcement of Central policies on managed endpoints.

**Update 9** Root cause analysis KBA has been published: see knowledge base article for the latest.

**Update 8** As part of a routine database maintenance task, customers may notice a few intermittent install and policy rendering failures. Please retry before contacting support. 7/17/2017 8:00 AM PST

**UPDATE 7** Some customers may notice a few intermittent install failures; please retry before contacting Sophos Support. 7/14/2017 2:00 PM PST

**UPDATE 6** Installations are being processed normally; service is restored. Please re-download the installer from Central. 7/14/2017 9:00 AM PST

**UPDATE 5** Installations are now working as of July 13, 2017 19:00 UTC-5. See knowledge base article for the latest.

**UPDATE 4** New installs are likely to still fail. http://centralstatus.sophos.com/#!/ has the latest update.

**UPDATE 3** System is now processing backlogs. Please see last updates here.

**UPDATE 2** Issue is ongoing, apologies. It impacts all areas within Central that rely on MCS communication between the client and Central. 7/13/2017 8:00 AM PST

**UPDATE** Development has identified the root cause and is working on a fix.

Hello,

We are seeing delays with policy changes and enforcement in Sophos Central (US-West region), as well as installation failures due to the inability of new endpoint installations to initially register. Our engineers are working to restore latency. Please note your endpoints remain protected. Updates will be provided on this thread.

KBA: https://community.sophos.com/kb/en-us/126477

Thank you,

Bob

  • In reply to K_M:

    Yippie...it's Monday and Sophos strikes again.

    Got another ALERT....'Troj/Iframe-CG' at '\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\pagefile.sys'

    As per Sophos site...ONLY way to remove is MANUALLY.

    Yup...that's exactly why I bought Sophos, so I can remove stuff manually.

  • In reply to Howiedog:

    SAV is unable to access locations where Windows creates a shadow copy, so you'll need to access that location manually.

  • In reply to Sure Win:

    Yup...and this is the SOPHOS website that is linked from this Trojan, that "tries" to tell us how to remove it.

    Where is Sophos Central, by the way........hmmm nope not there...Brilliant??

    Read the instructions and what does it say:

    To remove malware from a local computer:

    WINDOWS

    1. From the desktop open the main Sophos Anti-Virus program by double-clicking the Sophos shield. If you are prompted by User Account Control (UAC) to allow the action, select Yes.
    2. Click Manage quarantine items.
    3. In the Quarantine Manager, click the Available actions column header to sort the list of threats according to the action available.
    4. Depending on what is shown in the Available actions column, follow the steps below:

    Ok..you tell me where "Manage Quarantine Items" is on a WINDOWS 7 64-bit box....and I will play this game.

  • In reply to Sure Win:

    From Sophos Central Dashboard.....:this Trojan is highlighted within the dashboard.

    Clicking on the hyperlink, it takes me to: https://www.sophos.com/en-us//threat-center/threat-analyses/viruses-and-spyware/Troj~Iframe-CG.aspx

    Then on this page, scroll down......past Windows Logo...."Please follow the instructions for removing Trojans."

    Which in turn takes me to this page: https://community.sophos.com/kb/en-us/112129

    Sooo...I guess it is...in a roundabout way.

  • In reply to Howiedog:

    You're right. This is not correct for Central. The article is meant for Sophos Enterprise Console (i.e. on-premise). I'm going to get someone to fix this. Sorry about that. For Central, you will need to do it locally.

  • Sophos Team,

    We are still experiencing issues with the Sophos Central Cloud Console where our machines are failing the updates. When I run the reports we are failing updates with the "failed to install savxp: 80041f19" error. This error started on July 10th, 2017 or a couple of days before and has been causing mayhem in our environment to this day. Whatever the developers changed on the backend and in the installation file has been horrible. The Competitor removal tool you guys introduced was not configured correctly, nor should you have included it, since it is up to the customer's discretion to remove it on their own since they paid for their product.

    We are also experiencing issues with Sophos not disabling the tamper protection when it was disabled on the Sophos Central cloud console and the key was inputted into the workstation console. I am unable to uninstall and reinstall Sophos on the machines. The KB articles that are provided do not help.

    You guys need to wake up, get your teams together and fix the issues that are going on. You guys have a social media presence and your dissatisfied customers can take to the social media platforms and call you out, if not done already. Gartner had put you at the top of the list as one of the best security companies, but I don't believe that is true.

  • Why am I seeing the "One or more Sophos services are missing or not running" error message so often now? I would really like a reason for this.

    Is this message accurate? And if so, why are these services 'missing or not running'? I've checked on occasion and services 'appear' to be running.

  • In reply to Lance Bertram:

    I've been dealing with the same alerts for the past three months now. Finally got escalated to the global support team of five people. Short answer, after giving them 5 more SDU logs they can't figure it out but see it has something to do with Tamper Protection. They've passed my problem along to the Dev team two days ago and I've gotten no update.

    I've been sent this KB article three times now about my problem, which will fix it temporarily. Attaching so you all can facepalm with me on the two options they lay out. (http://sophos.com/kb/121905)


    Quote:

    What To Do

    Sophos Anti-Virus version 10.6.3 contains a fix to prevent this issue from occurring on subsequent upgrades. However, as this issue can still occur on upgrades to 10.6.2, there are two available options:

    1. Recommended: Using the commands provided below, manually correct the issue to enhance protection for your users. You will be best protected with this option, but manual intervention is required.
    2. Accept that web browser protection will be non-functional. Your endpoints will still be protected by all other functions and features of Sophos Anti-Virus - such as on-access and on-demand - except for web browser protection. We do not recommend this option because you are not best protected.


    Thank you Sophos for giving me the options:

    Option A) Continued manual intervention and get over it.

    Option B) Get over it.

  • In reply to Trevor Karppi:

    /facepalm

    I've actually seen this KB before - as I was so very lucky to have rolled out on a version before 10.6.3, which meant that the web control service then started failing on various machines, meaning I had to do a reinstall (which did actually fix the problem, so not sure why that wasn't option 1 in the KB). Fun times!

    However, this KB article is specific to the web control service on agents installed before 10.6.3 only. It literally has nothing to do with the current "one service is missing or not running" error, so I have no idea why support would keep sending you this link. (I am in no way surprised that they are, though.)

    I just want a fix.

  • In reply to Lance Bertram:

    Nope, it applies to us even though company-wide we are on 10.7.3. I can't agree more...

    I just want a fix.

  • In reply to Aisha Smith:

    Bud, this is the exact same problem I am experiencing. You will probably find that the policies on each client all have different times/dates, services missing or disabled. Once the Sophos client s h I t s itself, you can neither uninstall nor reinstall the product. Nightmare.

  • In reply to Lance Bertram:

    Lance, if you go into services on your Windows machine, you will probably find that the Sophos Anti-Virus service has disappeared (90% of this issue), or that all the Sophos services have been set to disabled, but you can't set them to manual or automatic (you get a denied message) even if you are an admin on the box. You can't uninstall as tamper protection is enabled, but you can't update the machine's policy to disable tamper protection because it won't connect to the cloud to update the policies, which don't work all that well even when all the services are enabled and not missing.
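    The symptom described in this reply (Sophos services missing from the Service Control Manager, or present but set to Disabled and stopped) can be triaged quickly across a fleet before opening a support case. The script below is an added example for that purpose; it is not from the thread and not Sophos's own tooling. The service names in the `$expected` list are assumptions about a typical Sophos Central endpoint install, so adjust them to match the components actually deployed on your machines.

    ```powershell
    # Added example (not from the thread, not Sophos's own code): inventory the
    # expected Sophos Windows services and flag any that are missing, stopped or
    # disabled, to give a concrete picture behind the alert "One or more Sophos
    # services are missing or not running". Service names are ASSUMED; edit to
    # match the components installed in your environment.
    $expected = @(
        'SAVService',                   # assumed: Sophos Anti-Virus engine service
        'Sophos MCS Agent',             # assumed: Central management communication
        'Sophos MCS Client',            # assumed: Central management communication
        'Sophos AutoUpdate Service',    # assumed: updater
        'Sophos Web Control Service'    # assumed: web control (the service named in KB 121905)
    )

    function Get-SophosServiceReport {
        param([string[]]$Names = $expected)

        foreach ($name in $Names) {
            $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
            if ($null -eq $svc) {
                # A service that is absent from the SCM altogether is the "missing" case.
                [pscustomobject]@{ Service = $name; Status = 'MISSING'; StartType = 'n/a' }
            } else {
                # StartType 'Disabled' is the "set to disabled" case from the reply.
                [pscustomobject]@{ Service = $name; Status = $svc.Status; StartType = $svc.StartType }
            }
        }
    }

    $report = Get-SophosServiceReport
    $report | Format-Table -AutoSize

    # Anything not Running, or configured as Disabled, is worth attaching to a ticket
    # together with the date/time, since the reply notes policies differ per client.
    $bad = @($report | Where-Object { $_.Status -ne 'Running' -or $_.StartType -eq 'Disabled' })
    if ($bad.Count -gt 0) {
        Write-Warning ("{0} Sophos service(s) missing, stopped or disabled on {1} at {2:u}" -f
            $bad.Count, $env:COMPUTERNAME, (Get-Date))
        $bad | Format-Table -AutoSize
        exit 1
    }
    Write-Output "All expected Sophos services present and running."
    ```

    Run it as a local administrator; to survey many endpoints, wrap the call in `Invoke-Command -ComputerName` and collect the returned objects centrally. The script only reads service state and does not attempt to change start types, since on a tamper-protected endpoint that is exactly the operation the reply says is denied.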

  • In reply to Fergieman:

    There is a published article for getting around tamper protection when the machine is offline. Safe mode, couple of registry changes, bam.

    But I agree there's definitely pain when the client gets into a bad place and you can neither re-install nor uninstall. We gave up working with support and re-imaged.

    Also, it just took 48 hours for an encryption policy to push to a few machines. We're now reviewing Symantec's endpoint products. Their endpoint product may not be great, but we've found their support (we use other Symantec products) at least acknowledges when there is a problem. And their Senior Vice President doesn't promise a root cause analysis and then never deliver.