Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945

Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!

Some Sophos services are not running/missing

I have at least 20% of the computers on my network now reporting "Some Sophos services are not running/missing"

This was not the case 2 weeks ago, and invariably it is "Sophos System Protection Service is not started".

This involves a visit to that computer, pushing the user out of the way, running "Services" as administrator, which then involves typing the admin password under a user's nose.

I am sure this is not how Sophos Central is meant to work. It is highly inconvenient, and at worst liable for a security breach.

How do I start these services remotely ?

I could log in through Remote Desktop, but this would Log Out the User

  • In reply to Royce Robinson:

    After doing that has this fixed?
    So we deploy a Group Policy to set this to Delayed?

  • Its definitely been better... however, there Encryption service not running problem is going on 2 months now. Should have been fixed by now.


  • In reply to Ben Mirano:

    It should be with you if you have: 1.4.103 or later of the Device Encryption component.

    If your "Sophos Device Encryption Service" service is set to "Automatic (Delayed Start)" and you haven't manually configured it that way you should have the updated version.


  • In reply to David Laufnick:

    I Also suffered with this problem week ago and also i open support ticket also and they connect remote to fix problem sum PCs can fix with restarting auto-update service and some pcs installing manually auto update client. and finally I assume I found solution for this problem.That is installing dotnet framework 4.7.1 and operating system service pack 1(All endpoints problem identified with windows 7 operating system)So I installed SP1 and install Dotnet Framework 4.7.1 (latest) then problem was fixed for me.After that never got sophos services got down.     

  • Hay SJW,


    In the last weeks I have had several'faulty' services. Mainly Win 10 1803 was installed on the host systems. The errors always occurred after the installation of Windows updates (mostly cumulative).
    In general I could observe with the customers that after the installation of the updates the'extended' protection functions of the Win-Defender were activated. As soon as I deactivated it, e.g. the File Scanner service could start again correctly.
    In another case, the Clean Service stopped after a Win update. Massive application errors and application crashes were logged in the event log. Everything with Win error codes. Here it helped to uninstall Intercept X via Central, restart the client, wait briefly and then reinstall it via Central Intercept X.

    I find it interesting that some customers with TrendMicro also had various problems with the'extended' protection functions of the Win-Defender.

    If you need help, write me and I will try to help.

    Best regards,


  • In reply to DirkLehmann-Valentin:

    there's no way to generalize this whole issues into one solution. 

    some say win defender, some say you can delete that cache directory and warehouse, some people surprisingly were able to restart the service. 

    its almost 2019 and we are sick of this issue, now it's happening on my SERVERS!



    here's exactly how its -edited- up!

    sophos clients ( server version or endpoint ) stop talking to cloud and right of the bat some services stop working.

    the tamper protection crap itself and can't be disabled. 

    also tamper password doesn't work either. doesn't matter if you try it 100 times, it just wont work and wont go to admin setting menu.


    if that STUPID old trick in which you deleted warehouse directory and cache, etc, work for you you might be lucky otherwise you are so so so so screwed!!!!!!!!!!!!!

    your system is deeply locked down in a way that all the permissions are ruined and you can't delete a single file from that directory, you can't restart services, 

    you can't use tamper, you can't update the endpoint, you can't do anything!!!! ANYTHING!!!!!!!!!!!!!!!!!!!!


    so to fix this, 

    they provided 1 solution so far, and believe it or not its absolutely NUTTTSSS

    going to safemode, typing -edited-loads of key to get thought bitlocker, removing tons of registry and stopping services. then booting normally and REINSTALLING the software.

    WHY on earth would I reinstall it when you couldn't handle it the first time?


    do you even understand critical business service/process? you want me to take down the server because you -edited- up the system!??? what makes you think that this won't happen again? and again? 


    get a grip! support your customers and provide a decent solution. 




  • In reply to arjjj:

    Hi arjjj ,

    I am really sorry to hear about the issues that you are experiencing. You are correct, not all scenarios are the same, thus we will need further information to assist in specific cases.
    As a generic approach, I would recommend looking at these:
    Sophos Central: Alerts for missing/stopped services for Windows computers

    Sophos Endpoint Self Help - Services

    Do you have a support case open? If so, please send me a message with its number so that we can better assist you. 

    Otherwise, I strongly recommend opening a support case for investigation -and please send me the number for a follow-up).

    Regarding Tamper Protection, if you end up in a situation in which you have lost access to Central, you can stop tamper protection following this article: (this is to be used in cases where, no matter what, you cannot get Tamper Protection to disable via the conventional ways).  
    Sophos Endpoint Defense - How to recover a tamper protected system 

    Please, if you have more specific info regarding your issue, let us know, otherwise, let me know your ticket numbers so that we can provide better assistance.

    Thank you.

  • For those wondering about dealing with the service issues remotely... I've had a lot of errors with the "Network Threat Protection" service, among others.  I've had good luck starting it remotely via powershell (invoke-command -scriptblock {start-service "Sophos Network Threat Protection"} -computername <target>) as well as using the Set-Recovery function found here:  From  Running the Set-Recovery function against the sntpservice will have it restart every time it fails.  I've had to do this to a number of other services as well, but sntp is the most common.

  • In reply to Steve Custer:

    What version of NTP are these computers running?

    1.5?, 1.6, 1.7, 1.8?



  • In reply to jak:

    I don't recall - never really paid attention since it does this all the time.  We only rolled from the old on-prem Sophos client to Central within the past two months, so that should give you an idea.  

  • In reply to Steve Custer:

    Do you get a message in the event log at startup that the SNTP Service service timed out?

  • Dear Sophos Team,


    This issue has happened at almost every single place where we implemented the endpoint. Please give us a permanent solution. Every other day some or other service goes down and central admin is full of high alerts.

  • In reply to Kandarp Desai1:

    Hi Kandarp Desai1,

    I recommend that you take a look at my previous post, here's the relevant info: 

    As a generic approach, please check these out:
    Sophos Central: Alerts for missing/stopped services for Windows computers

    Sophos Endpoint Self Help - Services

    If issues persist, we recommend opening a support case for investigation. Once you do that, please send me a private message with the ticket number so that we can follow-up .

    Thank you! 

  • In reply to Barb@Sophos:

    Hi Barb,


    Thanks for your response, but what i meant to say is to improve the product itself because in a large deployment say about 2000 clients this issue occurs so frequently that it just ends up as a criminal waste of time trying to restore the services. We can put that time to better use if Sophos services did not keep stopping or going randomly.


  • In reply to Kandarp Desai1:

    Hi Kandarp Desai1,

    Understood about large environments and time constraints. I think the best thing to do is open a case with support, as they can help you analyze the root cause of these messages (if my above listed post doesn't help) , in order to prevent them from happening in the future / applying a solution that works for your specific environment.

    Thank you!