I have at least 20% of the computers on my network now reporting "Some Sophos services are not running/missing"
This was not the case 2 weeks ago, and invariably it is "Sophos System Protection Service is not started".
This involves a visit to that computer, pushing the user out of the way, running "Services" as administrator, which then involves typing the admin password under a user's nose.
I am sure this is not how Sophos Central is meant to work. It is highly inconvenient, and at worst liable for a security breach.
How do I start these services remotely?
I could log in through Remote Desktop, but this would log out the user.
Hi SJW. I am not a Sophos employee so I offer no guarantee on this, but I found this works for some issues:
Hope this helps.
In reply to K_M:
Regarding viewing/changing services remotely, you can do the following:
Open Computer Management (compmgmt.msc).
In the window that opens, right-click on 'Computer Management (Local Computer)' and choose 'Connect to another computer'.
Type the name of the computer you wish to connect to and click OK.
Please note that the PC must be on and you will need admin rights to modify services.
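The same check can be scripted across many remote computers instead of connecting to each one in Computer Management. This is an added example, not part of the original reply; it assumes PowerShell remoting (WinRM) is enabled on the targets, that you hold local admin rights there, and the computer names are placeholders. The only Sophos service short name it relies on is sophossps (Sophos System Protection), quoted later in this thread; other services are matched by the "Sophos" display-name prefix.

```powershell
# Added example: report the state of Sophos services on remote computers and start
# any that are set to Automatic but not running. Computer names are placeholders.
$computers = @('PC-FINANCE-01', 'PC-SALES-07')

$results = foreach ($pc in $computers) {
    Invoke-Command -ComputerName $pc -ScriptBlock {
        # Any service whose display name starts with "Sophos", plus the SSP short name
        $svcs = Get-Service | Where-Object { $_.DisplayName -like 'Sophos*' -or $_.Name -eq 'sophossps' }
        foreach ($s in $svcs) {
            # Win32_Service carries the start mode (Auto/Manual/Disabled) that Get-Service lacks
            $wmi = Get-CimInstance Win32_Service -Filter "Name='$($s.Name)'"
            $action = 'none'
            if ($s.Status -ne 'Running' -and $wmi.StartMode -eq 'Auto') {
                try { Start-Service -Name $s.Name -ErrorAction Stop; $action = 'started' }
                catch { $action = "failed: $($_.Exception.Message)" }
            }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Service   = $s.Name
                Status    = $s.Status
                StartMode = $wmi.StartMode
                Action    = $action
            }
        }
    }
}

# Services that are missing entirely will simply not appear for that computer
$results | Sort-Object Computer, Service | Format-Table -AutoSize
```

A service that is installed but absent from a computer's rows is the "missing" case described in the alert; a row whose Action reads "failed: ..." with a timeout message is the start-up failure discussed further down.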
Works a treat, thanks
This is ridiculous! I went with Sophos cloud because I have many PCs that are remote. I can't have these services not starting every time there is Windows update! I have no way of manually starting services unless I remote into their machines. This needs to be fixed!! I can't believe you can't do this from Sophos Central!!
In reply to Paul Deane:
Which services are stopped?
Are they timing out when starting?
Which services are missing?
Are those that are present but not started set to automatic or has that been modified somehow?
Is it a false alarm by the Health Service?
With Tamper Protection enabled and therefore the majority of services protected it's unlikely to be end users stopping them.
I can only think that Health service is either too eager to report stopped services maybe at shutdown or some other churn but to understand that we'd need to see the Health log file: C:\ProgramData\Sophos\Health\Logs\Health.log.
For example, if I just stop the Heartbeat service, in the Health log I see:
EventPublisher::PostServiceEvent Posting service stopped event: f7b3bb39-c9cc-483b-9458-2ffa7e5cd4b2 Sophos Heartbeat
If the services are missing/stopped at a time when it's expected, the log would have something like:
INFO ServiceCheckLogic::CalculateResult Ignored service check results: during update grace period
I can understand that being remote it's not possible to tell right now without seeing the computer but it should be possible to understand why for any given event the alert is generated given the logs.
I agree that it would be nice to have a Start/Restart service option from Central but then that wouldn't be great if you had to do it every day. I think finding the underlying cause given an example is worth the time.
In reply to jak:
It's always the same service. Sophos System Protection Service. It happened after the last windows update, and again this current update. The service has to be started manually, or in most cases another reboot will have the same effect.
I would suspect that the service is probably timing out on start-up. Do you see any Event ID 7000 / 7009 in the System event log from the Service Control Manager for the SPP service? Essentially this problem/workaround applies:
The other thing to check is the SSP log file on these problem computers:
\ProgramData\Sophos\Sophos System Protection\Logs\ssp.log
You should see the log lines:
I 20/09/2016 12:38:57 Process starting
I 20/09/2016 12:38:57 Service start requested
I 20/09/2016 12:38:57 Sophos System Protection 126.96.36.199
I 22/09/2016 03:09:33 Process starting
I 22/09/2016 03:09:33 Service start requested
I 22/09/2016 03:09:35 Sophos System Protection 188.8.131.52
It would be interesting to look at the times between the "Service start requested" and the "Sophos System Protection 184.108.40.206" line.
It should be up to 4 seconds I would guess when all is well, maybe longer on occasions, up to the 30 seconds default timeout?
In cases where it fails to start you will not have the line: "Sophos System Protection 220.127.116.11".
On problem computers, I guess it wouldn't hurt to increase the default service timeout of the computer to 1 minute just to see if it helps.
This might at least explain the problem and something to bring to support as I would suggest SSP service should handle service startup better.
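The timing check suggested above can be automated: pair each "Service start requested" line in ssp.log with the "Sophos System Protection <version>" line that follows it, flag starts that exceed the 30 second default timeout or have no version line at all, and pull the matching Service Control Manager events. This is an added example, not from the post; the log lines are constructed in the format quoted above (the version string is a placeholder), and the 4 and 30 second thresholds are the ones mentioned in the thread.

```powershell
# Added example: time SSP start-ups from ssp.log and list SCM events 7000/7009 for sophossps.
# Constructed sample log (one good start, one start past the timeout, one that never completed).
$sampleLog = @'
I 20/09/2016 12:38:57 Service start requested
I 20/09/2016 12:38:59 Sophos System Protection 1.2.3.4
I 22/09/2016 03:09:33 Service start requested
I 22/09/2016 03:10:10 Sophos System Protection 1.2.3.4
I 23/09/2016 08:00:01 Process starting
I 23/09/2016 08:00:01 Service start requested
'@

function New-Result($Requested, $Completed, $Verdict) {
    $secs = if ($Completed) { ($Completed - $Requested).TotalSeconds } else { $null }
    [pscustomobject]@{ Requested = $Requested; Completed = $Completed; Seconds = $secs; Verdict = $Verdict }
}

function Get-SspStartTimes {
    param([string[]]$Lines, [int]$TimeoutSeconds = 30, [int]$SlowSeconds = 4)
    # Level, dd/MM/yyyy HH:mm:ss timestamp, then the message
    $pattern = '^\S\s+(?<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(?<msg>.*)$'
    $inv = [Globalization.CultureInfo]::InvariantCulture
    $requested = $null
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        $ts = [datetime]::ParseExact($Matches.ts, 'dd/MM/yyyy HH:mm:ss', $inv)
        if ($Matches.msg -eq 'Service start requested') {
            # A request with no version line before the next request never completed
            if ($requested) { New-Result $requested $null 'no version line: start failed' }
            $requested = $ts
        }
        elseif ($requested -and $Matches.msg -like 'Sophos System Protection *') {
            $secs = ($ts - $requested).TotalSeconds
            $verdict = if ($secs -ge $TimeoutSeconds) { 'exceeded SCM timeout' }
                       elseif ($secs -gt $SlowSeconds) { 'slow' } else { 'ok' }
            New-Result $requested $ts $verdict
            $requested = $null
        }
    }
    if ($requested) { New-Result $requested $null 'no version line: start failed' }
}

Get-SspStartTimes -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
# Real log: Get-SspStartTimes -Lines (Get-Content 'C:\ProgramData\Sophos\Sophos System Protection\Logs\ssp.log')

# Service Control Manager start failures/timeouts for the SSP service (Event IDs quoted above)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7009 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'sophossps|Sophos System Protection' } |
    Select-Object TimeCreated, Id, Message
```

A "no version line" row whose Requested time matches a 7000 event is the timeout case; a run of "slow" rows on otherwise healthy computers is the evidence to bring to support.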
I'm seeing the same across my estate! I'm finding the Sophos Agent very fickle....the overhead for ensuring agents are in a healthy state is far too big! This is made worse by not having the ability to fix issues on endpoints via the console...the console doesn't even tell you what major version the agent is running so i suppose it is a big ask!
In reply to Jay Parmar:
Are you finding the same as Paul that the SSP service is stopped?
If so, do you see event log entries that it has timed out starting?
The services which are stopped do vary...sophos anti-virus, sophos device control service....sophos web intelligence service is the one I see most! SSP also crops up now and again!
I've even got machines which state that they have not reported back in more than 2 weeks, however, the endpoint is healthy and all services are running on the machine...including the mcs agent.
Sorry for my delayed response. For me yes it is the SSP service every time. Looking at the event log I see that it gives the error below which is a timeout.
Log Name: System
Source: Service Control Manager
Date: 10/11/2017 5:54:27 PM
Event ID: 7000
Task Category: None
The sophossps service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
BTW - I cannot change the startup type to Automatic (Delayed); I get permission denied.
This has been an ongoing problem with the client, you'll never get Sophos to actually address it outside of "oh, go start the service." The real issue is why this keeps happening over and over and over, meaning the machines are not fully protected. It's an unacceptable situation for security software. I guarantee any Sophos employee who responds in this thread acts as though this is an isolated issue rather than ongoing problem with their client. In our case the services are actually missing and can't be restarted. The refusal by Sophos to acknowledge such a serious problem is cause enough for us to deeply regret going with Sophos.
In reply to David Laufnick:
Totally agree with you David! Endpoints need a lot of nursing to ensure they are fully protected.
We have just signed a 3 year agreement and thinking if it was the right product to go with!
I am to the point of cancelling this after my contract is up. This is not acceptable. PERIOD.