Some Sophos services are not running/missing

I have at least 20% of the computers on my network now reporting "Some Sophos services are not running/missing"

This was not the case 2 weeks ago, and invariably it is "Sophos System Protection Service is not started".

This involves a visit to that computer, pushing the user out of the way, running "Services" as administrator, which then involves typing the admin password under a user's nose.

I am sure this is not how Sophos Central is meant to work. It is highly inconvenient, and at worst liable for a security breach.

How do I start these services remotely ?

I could log in through Remote Desktop, but this would Log Out the User

  • In reply to B_B:

    Seen that one, and Network Threat Protection.


    Jak is obviously extremely knowledgeable and I'm sure there's a technical fix for all these different instances, but the point is that it shouldn't be such hard work to keep this product in good shape.

  • In reply to Mark Pimperton1:

    I agree about Jak.  My issues are with sophos as a whole.  I understand there are bad builds and bugs in software, but these issues have been happening for over 4 months now.  How long does it take to fix?

  • We Migrated close to 500 Clients, However around 10 % Had this Error.

    We then fixed doing a remote connect to Services.msc of affected Computers. However It seems to not resolve on the  Multiple computers.

    2 Major issues we are facing now

    1. One or More Services are Missing 


    Any Thoughts ?

  • In reply to skyisbluescreen:

    For the Device Control service not starting with that error this might help:

    It is dependant on the Sophos Anti-Virus service but from the service list I can see that that is started.  I can only perhaps assume that running:
    sc query savonaccess 
    will show that the on-access driver is not running?

    The Sophos Web Intelligence service can be added back by:


  • In reply to jak:

    Another Windows Update, another week of fixing this issue.  ARGH!!

  • In reply to David Laufnick:

    Well SO Many Roll Outs so Very Often.. You Work on the Previous Bugs and there is a New Update knocking with its own Bag of Bugs...

  • In reply to skyisbluescreen:

    Here is just a fraction of some of the "bad" agents status I have at the moment...

    What is going on with this product? This is madness. I've literally spent hours fixing these things and they break all over again. 


    Missing Services:


    Reporting Malware Incorrectly 


    Completely not responding anymore (Have about 4 of these, need to be completely uninstalled and reinstalled)



  • In reply to LRB:

    It is now past 11/18, the date a Sophos tech told me the new endpoint that fixed these issues would be out.  

    At this point it's clear this product is a failure and Sophos has no clue what they are doing.  Is this a beta product sold to customers as a functional system??  I've never seen a security product fail so consistently and have the company play games about the cause.  Even their diagnostic tool crashes 60% of the time.  It's a joke.  


    Time to take this up to management and let them know we need to dump the hot mess of Sophos immediately.  We can't continue to have unprotected machines on this scale, it's ridiculous.

  • In reply to David Laufnick:

    I was told after the first of the year.  This product was created and sold to schools and colleges where they only half-cared about what was going on.  Then the Magic Quad happened and everyone jumped on.  


    I say this because of the alerting.  I do not know of any IT group that does not want to be informed when the AV is blocking something.  Sophos's response was there is nothing for the end-user to do so it is informational.  Honestly I don't care if there is or not.  I care that I spend hours troubleshooting a program to find out Sophos blocked it and didn't send an email and considered it an informational event.  

    The next thing I have to rant about is the only sending 1 email per event type.  If I get 1 email saying Intercept-X triggered I am "I need to get on and take a look when I get back from lunch"  If I get 30 of them I am "Get the axe and cut the fiber" if you know what I mean.  


    They need to let us decide what is important to us, instead of putting us in the college and school level of reporting.

  • In reply to B_B:

    Same SAD Story here too.

    End of November more Hitmanpro services stopped and refuse to restart. which makes sophos>>>>USELESS.  Multiple PC reboots through-out the ORG.

    Endless emails about bla bla bla not running...., reboots, uninstall/reinstalls, promises, empty responses from support.

    Links that take you to KB's that are not for Sophos Central but Sophos Enterprise.

    On and on it goes.....spinning around in circles as we Beta test their software FOR THEM.

    As others have mentioned, we don't have time to send you multiple logs again and again. Looking through Reg entires...deleting and/or adding keys to try and make your product behave.

    And then its mentioned to reboot TEN times and record the results to see how many times crap fails to start.....HAHAHAHA. Thats a good JOKE.

    Are you kidding me?? Who has time to do this?? SOPHOS...REBOOT YOUR OWN PC 100 TIMES.......this is your JOB.


    We are ONLY 4 months into a 3yr TERM. 

    An Enterprise would be foolish to entertain the idea that this product is your FIRST defence against Ransomware.


    We are NOT entertaining this much longer.... I can assure you. We will cut our loses before they become larger than life with Ransomware scares.

     ALSO.....THE "ANSWER" SUPPLIED ONLY ANSWERS HOW TO CONNECT TO REGISTRY REMOTELY. Nothing to do with the myriad of problems this software has.

  • In reply to Howiedog:


    We will have to wait for few more months for fix acording to this info from here:


    We are aware of the disruption this can cause for customers who have affected endpoints. Sophos is investigating the underlying causes of the issue and all scenarios that can lead to the issue arising. Once we have all causes identified we can complete the work to address the issue.  We expect to be able to release an update during calendar Q1 2018 (January to March). We will publish an update to this KBA as soon as the investigation is concluded. 

    Some instances of services reported as missing are caused by an operation that an endpoint uses to shutdown. When services are missing and you know that an endpoint has been shut down these messages can be disregarded.




  • In reply to KingRolo:

    Six more months of unprotected machines?  Ridiculous!  I'm taking this to management to see if we can get our money back.  Sophos is a joke.  

  • In reply to David Laufnick:

    Lets us know how that goes, as we are also going to entertain Returning this so called software for A FULL REFUND WITH DAMAGES.

    Well..maybe not the damages part....but I DO want my Money Back.


    Fed up with this Company already.


  • In reply to Howiedog:

    I had the same issues, 

    fyi I have 1000 desktops and servers. almost all the issues had disappeared when we installed the latest microsoft patches.