
Sophos System Protection Service not started

I have a number of machines whereby this Sophos System Protection Service stopped suddenly.

I have to restart the service manually.



  • Hello yeowkm,

    Please have a look at this article:
    Sophos Central: Alerts for missing/stopped services for Windows computers

    Article "A Service is reported as Stopped" contains troubleshooting steps.

    If using a server, please see this article instead 

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support

     

  • Is there anything in the event log to suggest it timed out starting?

    Did it crash and fail to restart?

    Regards,
    Jak

  • This is from the Windows event log.

     

    The Sophos System Protection Service service terminated unexpectedly. It has done this 4 time(s).

     

     

    <System>
      <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
      <EventID Qualifiers="49152">7034</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8080000000000000</Keywords>
      <TimeCreated SystemTime="2018-08-04T09:28:23.063999300Z" />
      <EventRecordID>221215</EventRecordID>
      <Correlation />
      <Execution ProcessID="660" ThreadID="191312" />
      <Channel>System</Channel>
      <Computer>TMSYS.GVM.LOCAL</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="param1">Sophos System Protection Service</Data>
      <Data Name="param2">4</Data>
    </EventData>
    </Event>
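
To see which machines are affected and how often, Event ID 7034 records like the one above can be tallied per computer. This is an added example, not part of the original posts or any Sophos tooling; it assumes the System-log events were exported as XML under a single root element, and the host names and sample events in it are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SSP = "Sophos System Protection Service"

def _event(host, when, event_id, p1, p2):
    """Build one constructed System-log event with only the fields used below."""
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<EventID Qualifiers="49152">{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}" /><Computer>{host}</Computer>'
            f'</System><EventData><Data Name="param1">{p1}</Data>'
            f'<Data Name="param2">{p2}</Data></EventData></Event>')

# Constructed sample export: two SSP crashes on one host, one on another,
# an unrelated service crash, and a non-7034 event that must be ignored.
SAMPLE = "<Events>" + "".join([
    _event("HOST-A.example.local", "2018-08-04T09:00:00.000000000Z", 7034, SSP, 3),
    _event("HOST-A.example.local", "2018-08-04T09:28:00.000000000Z", 7034, SSP, 4),
    _event("HOST-B.example.local", "2018-08-04T10:00:00.000000000Z", 7034, SSP, 1),
    _event("HOST-B.example.local", "2018-08-04T10:05:00.000000000Z", 7034, "Print Spooler", 2),
    _event("HOST-C.example.local", "2018-08-04T11:00:00.000000000Z", 7036, SSP, "running"),
]) + "</Events>"

def crash_summary(xml_text, service=SSP):
    """Return {computer: {crashes, max_count, first, last}} for 7034 events of `service`."""
    summary = {}
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "7034":
            continue  # only "terminated unexpectedly" records
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        if data.get("param1") != service:
            continue  # param1 carries the service display name
        host = ev.findtext("e:System/e:Computer", namespaces=NS)
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        row = summary.setdefault(host, {"crashes": 0, "max_count": 0, "first": when, "last": when})
        row["crashes"] += 1
        # param2 is the running "It has done this N time(s)" counter
        row["max_count"] = max(row["max_count"], int(data.get("param2") or 0))
        # UTC timestamps in this fixed format sort correctly as strings
        row["first"], row["last"] = min(row["first"], when), max(row["last"], when)
    return summary

if __name__ == "__main__":
    for host, row in sorted(crash_summary(SAMPLE).items()):
        print(host, row)
```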
  • Ahh, that's interesting and at least the cause of why it's stopped.

    In that case I would probably try and obtain a dump of the crash and submit it to Support.

    E.g.

    1. Create dir C:\dumps\

    2. Download procdump to this same directory.  https://docs.microsoft.com/en-us/sysinternals/downloads/procdump 

    3. In an admin prompt run:
    procdump -ma -i C:\dumps

    Next time it crashes you should have dumps under C:\dumps\

    Note: You can run "procdump -u" to "uninstall/unregister" procdump.

    SSP does a few things.  One thing it does is collect data for RCAs. This can be toggled in the threat protection policy.

    It might be worth disabling RCA for a test computer this is happening on and see if disabling that helps.  

    It would be worth getting the dumps first though but maybe you can prevent it crashing with a config change which would also be useful information.

    Regards,
    Jak

  • SSP doesn't crash if I disable RCA.

    It happens that the few machines with these symptoms use the same set of software.

  • OK, good to know.  I think other than getting a couple of dumps to Sophos and the logs, there isn't much more you can do at this point but at least you can keep the service running by disabling the feature in the short term.

    RCA is really an elaborate reporting mechanism, so at least you're not removing a detection mechanism.

    Regards,
    Jak