sophos clients win7 no internet this AM feb 5

Hey, I have a few workstations today that spontaneously, around 9:30am - 10am, lost their ability to connect to the network. I also notice that the Sophos endpoint icon has changed today from what it was last week. The affected terminals all seem to be Win7 but I can't find any other similarities.

Is this a known issue?

Last update posted to the machine was 10.8.1 VE3.71.0 Update Successful

No one has replied back to this in 18 days and we still have the problem, so I will just let you know what I discovered this AM. Finally had some time to look into it.

I just noticed this morning that Sophos has silently updated the KB article to include information about a file, specifically "c:\ProgramData\Sophos\Sophos Network Threat Protection\Config\Policy.xml".

This file seems to be the crux of the problem. If enabled is set to "true" and connection tracking is also set to "true", the problem exists.

This file is extremely locked down. Even with all Sophos services disabled and not starting, the file cannot be edited. You can ONLY edit the file in pure safe mode, not safe mode with networking. Since freshly imaged clients do not have this issue, I think it might be partially fixed. So to remediate I am doing the following:

1) First make sure that the Sophos "Detect network traffic to command and control servers" setting is disabled in Sophos Central (under Endpoint -> Policies -> Threat Protection -> Base Policy Threat Protection -> Settings).

2) Restart the machine into safe mode. Enable all Sophos services, setting most to automatic and just the "Sophos Device Control Service" to "demand" or "manual".

3) Navigate to "c:\ProgramData\Sophos\Sophos Network Threat Protection\Config\Policy.xml" and edit it. Set both true statements to false (the first true statement seems to populate from the web page, whereas the connection tracking true statement seems to return to true no matter what, after reboot).

4) Reboot the machine. With those settings set to false (albeit temporarily in the case of connection tracking, which gets reset to TRUE), the machine will boot fine and Sophos will be working, minus this command and control tracking framework.

I have only done two tests so I may revise this, but this is how it worked for me this AM. It requires manually touching every machine, as a process called "sophoos_ui.exe" locks the XML file so that it cannot be changed remotely. Sucky. Put the below into a batch file to undo and fix what I had originally done as a workaround. When the directory opens at the end, use a text editor to edit the Policy.xml file as I specified above.

REM Re-enable the Sophos services that were set to disabled as the earlier workaround.
sc config "Sophos Clean Service" start= auto
sc config "savservice" start= auto
sc config "SAVAdminService" start= auto
sc config "Sophos AutoUpdate Service" start= auto
REM Device Control is the one service left on manual (demand) start.
sc config "Sophos Device Control Service" start= demand
sc config "Sophos File Scanner Service" start= auto
sc config "Sophos Health Service" start= auto
sc config "Sophos MCS Agent" start= auto
sc config "Sophos MCS Client" start= auto
sc config "Sophos Safestore Service" start= auto
sc config "Sophos System Protection Service" start= auto
sc config "Sophos Web Control Service" start= auto
sc config "swi_service" start= auto
sc config "swi_update_64" start= auto
sc config "SntpService" start= auto
REM Open the config folder so Policy.xml can be edited by hand (safe mode only).
explorer "c:\ProgramData\Sophos\Sophos Network Threat Protection\Config\"

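The reply above describes the condition by hand: both flags in Policy.xml set to "true", the file locked against writes, and a set of services that had been disabled. The following PowerShell script is an added example, not code from the thread or from Sophos, that turns that description into a read-only check an admin can run on each Windows 7 host (or push through remoting) before deciding which machines need the safe-mode procedure. The Policy.xml path and the service names are taken from the post; the XML element or attribute names for "enabled" and "connection tracking" are NOT known from the post, so the script matches them loosely and that pattern is an assumption to tighten after inspecting a real file. The Sophos Central setting from step 1 lives in the cloud console and is not checked here.

```powershell
# Added example, not code from the original thread. Read-only diagnostic:
# reports whether this host's Sophos NTP Policy.xml carries the setting
# combination the poster ties to the outage, whether the file can currently
# be opened for writing, and the state of the services his batch file
# re-enables. Kept compatible with PowerShell 2.0, the default on Windows 7.

param(
    # Path quoted in the post. Point it at a copy to test offline.
    [string]$PolicyPath = 'C:\ProgramData\Sophos\Sophos Network Threat Protection\Config\Policy.xml'
)

# Service names copied from the batch file in the post.
$SophosServices = @(
    'Sophos Clean Service', 'savservice', 'SAVAdminService',
    'Sophos AutoUpdate Service', 'Sophos Device Control Service',
    'Sophos File Scanner Service', 'Sophos Health Service',
    'Sophos MCS Agent', 'Sophos MCS Client', 'Sophos Safestore Service',
    'Sophos System Protection Service', 'Sophos Web Control Service',
    'swi_service', 'swi_update_64', 'SntpService'
)

function Get-TrueFlags {
    # Collect every element or attribute whose name looks like "enabled" or
    # "connection tracking" and whose value is "true". ASSUMPTION: the post
    # names the two settings only in prose, so the exact XML names are not
    # known and the match is deliberately loose (case-insensitive, optional
    # separator). Tighten the pattern once you have looked at a real Policy.xml.
    param([xml]$Doc)
    $pattern = '^(enabled|connection.?tracking)$'
    $found = @{}
    foreach ($node in $Doc.SelectNodes('//*')) {
        # Element form, e.g. <enabled>true</enabled>
        if ($node.LocalName -match $pattern -and $node.InnerText.Trim() -ieq 'true') {
            $found[$node.LocalName] = $true
        }
        # Attribute form, e.g. <Feature enabled="true">
        foreach ($attr in $node.Attributes) {
            if ($attr.LocalName -match $pattern -and $attr.Value.Trim() -ieq 'true') {
                $found[$attr.LocalName] = $true
            }
        }
    }
    return $found
}

function Test-PolicyWritable {
    # Probe whether the file can be opened for writing right now. Nothing is
    # written; the handle is closed immediately. A sharing violation (another
    # process holding the file) or an ACL denial both come back as $false,
    # which is the condition the poster describes as "locked".
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Write', 'ReadWrite')
        $fs.Close()
        return $true
    } catch {
        return $false
    }
}

function Test-PolicyCombination {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Policy file not found: $Path"
        return $null
    }
    $xml = [xml][System.IO.File]::ReadAllText($Path)
    $flags = Get-TrueFlags -Doc $xml
    $enabledTrue  = [bool]($flags.Keys | Where-Object { $_ -match '^enabled$' })
    $trackingTrue = [bool]($flags.Keys | Where-Object { $_ -match 'connection' })
    New-Object PSObject -Property @{
        Path               = $Path
        EnabledTrue        = $enabledTrue
        ConnTrackingTrue   = $trackingTrue
        MatchesOutageState = ($enabledTrue -and $trackingTrue)
        WritableNow        = (Test-PolicyWritable -Path $Path)
    }
}

function Get-SophosServiceState {
    # Current status of each service the batch file touches; "not installed"
    # marks names that do not exist on this build of the endpoint.
    foreach ($name in $SophosServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null) { $status = 'not installed' } else { $status = $svc.Status }
        New-Object PSObject -Property @{ Service = $name; Status = $status }
    }
}

$report = Test-PolicyCombination -Path $PolicyPath
if ($report) { $report | Format-List }
Get-SophosServiceState | Format-Table -AutoSize
```

Run it from an elevated prompt so the write probe reflects the ACL an administrator would actually hit. Because it only reads the file and queries service status, it is safe to run on a host that is already in the broken state, and a MatchesOutageState of True together with WritableNow of False is the signature the poster's safe-mode edit is meant to clear.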