Sophos Central Endpoint: Remotely fixing "Failed to Protect Computer" or "Missing Services"

Does anyone have any experience in remotely fixing computers that are reporting to Sophos Central with an alert of "Failed to Protect Computer" or showing a bad status with "Services Missing or not Running"? When I say remotely, these are computers spread across many customer sites (schools), and in most cases they are domain-based computers, and we do have admin access to on-site servers, so I am hoping that it might be possible to do something with scripting and group policy. I'm thinking that I might be able to script the steps in this article Sophos Central: Sophos Endpoint Self Help - Services for the missing services, and script a "re-install" for computers where absolutely no services are listed following an initial attempt at installation. The product we are installing is Intercept X Advanced. By the way, does anyone know where there is an official list of the services that should be present and running for the Sophos Intercept X Advanced product for Windows endpoints?

Anyway, any practical advice from the community will be greatly appreciated.

Services that I think are the ones we should see for Sophos Intercept X

Example of what we see for some computers - lots of "old" services?


Edited TAGs
[edited by: Gladys at 4:23 AM (GMT -8) on 19 Dec 2022]
  • Hi Russell,
    The first thing you'll need to do is get the AutoUpdate Service running - https://support.sophos.com/support/s/article/KB-000038308?language=en_US. Just getting this sorted may fix all the problems, however, if that is not the case move onto the article you mentioned in your post and the section on Service is Missing.

    As the MCS Service looks to be running you should be able to turn off Tamper Protection.

    Do you have XDR? I used Live Response yesterday to remotely fix a device that had the same services listed as missing. 90 minutes later the device is showing as green in Central and all fixed. I need to do both tasks above on this particular workstation. I've never needed to script the fix but guess it is possible using the two articles.

    Best of luck.

    Andy.

  • Hi Andy,

    Thanks for the reply and the really helpful and practical information. I have done some investigation on a computer I have remote access to that is showing a bad status (missing HitmanPro Alert Service) and I can see the Autoupdate Service is missing, as well as the HitmanPro service, when I check in the Windows Services console (services.msc). This service is present and running on computers with a good status, even though the Autoupdate Service no longer seems to be a service that is listed on the status tab for devices with a good status in Sophos Central. So, getting the Autoupdate service installed and running certainly seems to be the first step, as you suggest.

    Unfortunately, I don't have XDR, so I don't have that ability to remotely fix computers. Hence the idea of using scripts in conjunction with group policy where I can.

    Once again, thanks for your insights. It has got me moving in the right direction I think.

    Kind regards,

    Russell
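
The comparison described in this thread (services on a computer with a bad status versus one with a good status) can be collected per machine with a script like the following. This is an added example, not code from the thread's participants or from Sophos; the share paths and the display-name patterns `Sophos*` and `HitmanPro*` are assumptions, and the expected list comes from a baseline you export yourself from a healthy computer rather than from an official list.

```powershell
# Added example: compare Sophos-related services on this computer with a
# baseline exported from a computer that shows a good status in Sophos Central.
param(
    [ValidateSet('Baseline', 'Check')]
    [string]$Mode = 'Check',
    [string]$BaselinePath = '\\server\share\sophos-baseline.csv',  # hypothetical path
    [string]$ReportDir    = '\\server\share\sophos-reports',       # hypothetical path
    [string[]]$NamePattern = @('Sophos*', 'HitmanPro*')            # assumed display-name patterns
)

function Get-EndpointService {
    param([string[]]$Pattern)
    # -DisplayName accepts wildcards; no match returns nothing instead of an error
    Get-Service -DisplayName $Pattern -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, Status, StartType
}

function Compare-ServiceBaseline {
    param($Expected, $Actual)
    foreach ($svc in $Expected) {
        $found = $Actual | Where-Object { $_.Name -eq $svc.Name }
        $state = 'OK'
        if (-not $found) { $state = 'Missing' }
        elseif ($svc.Status -eq 'Running' -and $found.Status -ne 'Running') { $state = 'NotRunning' }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Service  = $svc.DisplayName
            State    = $state
            Checked  = (Get-Date).ToString('s')
        }
    }
}

$current = @(Get-EndpointService -Pattern $NamePattern)

if ($Mode -eq 'Baseline') {
    # Run once on a known-good computer to record what should be present
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    return
}

$expected = @(Import-Csv -Path $BaselinePath)
$result   = @(Compare-ServiceBaseline -Expected $expected -Actual $current)
$problems = @($result | Where-Object { $_.State -ne 'OK' })
if ($problems.Count -gt 0) {
    # One file per computer, written only when something is missing or stopped
    $result | Export-Csv -Path (Join-Path $ReportDir "$env:COMPUTERNAME.csv") -NoTypeInformation
}
```

When run as a Group Policy startup script it executes under the computer account, so that account needs read access to the baseline file and write access to the report folder.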