We have an issue where PCs are losing connection to Sophos Central and it shows them as not checking in any longer. Sophos is still running on the endpoints and updating. Sophos support is saying there are DNS issues that are causing machines to not be able to connect.
We have it happening as follows:
Both Servers and PCs
It is happening in multiple domains
We have multiple sub estates
We have multiple Sophos tenants
Both servers in the cloud and on prem
PCs both on prem and remote
Anyone else seeing this?
What is your firewall solution on that company site?
We use Fortigates as an enterprise solution, but this is also happening for people who are working remotely not behind our firewalls.
OK, remote workers should not be affected as long as you do not VPN all their traffic behind your internal firewall.
You should know that Sophos uses a huge list of FQDNs that are contacted frequently and that need to be resolved.
Qoosh gave you all the information that you need to check. You need to disable Tamper Protection to get the local logs from MCS.
Search for logs not getting code 200.
But 504 sometimes may not indicate a real error. That is a long-known issue:
https://community.sophos.com/intercept-x-endpoint/f/discussions/123998/504-8001-mcs-client-intermittently-timing-out-connecting-to-mcs-push-server-eu-central-1-prod-hydra-sophos-com
Also check the Windows event log / Application.