One or more Sophos Services is missing or not running

Hello,

We've been noticing that the Sophos Central console reports a tremendous amount of "One or more Sophos services is missing or not running".

Is there a specific cause for the error? What's the guaranteed solution for this error? 

It is caused on Mac OS 10.13, Windows 7, Windows 8/10.

 

We need a solution to this problem. We can't just call or email the user every now and then asking them to restart the PC. THIS IS RIDICULOUS!!!



  • Are these:

    1) installations that were fine in the past, i.e. all services present and in good health?

    2) new installations that may never have been fully installed?

    If you look at a handful of computers, what services are missing, and what services are stopped?

    Regards,
    Jak

  • Hello Jak,

    Yes, they were fine in the past. The services were in good health. Suddenly, we get an alert that the services are not running. Ridiculous! 

     

    If a software can't be stable for a long time, what kind of protection does it proffer? For the botched installation, we just re-install. 

    It's the problem with the "good" PCs turning "bad" with no obvious reason. Duh!

    Sophos Device Encryption

    Sophos AV

    Sophos Web Intelligence

    SophosScanD

    Sophos EncryptionD

    You name it!!! These are not consistent. That's the issue. Multiple services stop running on multiple days on the same PC. It's a nightmare resolving the tickets!!!

  • Thanks for that.  I'm aware of the "Sophos Device Encryption" sometimes not starting at startup.  This is being investigated, I gather there was a link to it from another post.  E.g. https://community.sophos.com/products/sophos-central/f/sophos-central/95050/device-encryption-service-randomly-not-starting-stopping-on-multiple-endpoints-since-last-week-s-outages 

    I wonder if it would help to get a bit more info on the various services as the details regarding the services are rather buried behind clicks and hard to get a summary.

    I've created the following PowerShell script to call the APIs that feed the Central UI to grab service info.  I've uploaded it as a .txt but you can rename it to .ps1.

    The idea being you run it:

    powershell -ExecutionPolicy Bypass -File ./SophosCloudReport.ps1

    It will then prompt for the username and password of a Central account - it can't have 2FA enabled on the account though.

    Sophos Cloud username?: email@domain.com
    password?: *************
    Servers or User devices? Enter S or U: u
    Offset Start: 0
    Limit: 50
    User devices selected
    Offset in API call: 0
    offsetStart = 0
    9 devices exported to UserDevices-Offset0.csv

    The resultant CSV file can then be opened in Excel to see what's going on, where:

    0 = OK
    1 = Stopped
    2 = Missing
    empty, I guess, means the service is not applicable to the endpoint.

    Maybe pivot tables could help consolidate but even sorting the columns would offer some sort of overview.

    The APIs only allow 50 records to be pulled before changing offset but as it's filtered down to just machines in bad health, hopefully 50 is enough!

    I've not focused on making the service list generic from the data, so it's just a starting point and for Windows only.

    If you clear the "device id", "device name" and "last logged on user" columns maybe you could share the output?

    Hope it helps.

    Regards,
    Jak

    2553.SophosCloudReport.txt
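
The pivot-style consolidation suggested in the post above can also be scripted. This is an added example, not part of the original post or the attached script: it assumes the CSV headers are literally "device id", "device name" and "last logged on user", treats every other column as a service column holding 0, 1, 2 or empty, and runs on constructed sample rows.

```powershell
# Added example (not the attached SophosCloudReport script).
# Assumption: identifying columns are named as in the post; all other
# columns are service status columns (0 = OK, 1 = Stopped, 2 = Missing).
function Get-ServiceHealthSummary {
    param(
        [object[]] $Rows,
        [string[]] $IdColumns = @('device id', 'device name', 'last logged on user')
    )
    if (-not $Rows) { return }

    # Service columns = every header that is not an identifying column
    $serviceColumns = $Rows[0].PSObject.Properties.Name |
        Where-Object { $IdColumns -notcontains $_ }

    foreach ($svc in $serviceColumns) {
        # Empty cells (service not applicable) match neither code
        $stopped = @($Rows | Where-Object { $_.$svc -eq '1' })
        $missing = @($Rows | Where-Object { $_.$svc -eq '2' })
        if (($stopped.Count + $missing.Count) -eq 0) { continue }

        [pscustomobject]@{
            Service        = $svc
            Stopped        = $stopped.Count
            Missing        = $missing.Count
            StoppedDevices = ($stopped | ForEach-Object { $_.'device name' }) -join ', '
            MissingDevices = ($missing | ForEach-Object { $_.'device name' }) -join ', '
        }
    }
}

# Constructed sample rows; the service column names are illustrative only
$sample = @(
    'device id,device name,last logged on user,Sophos AutoUpdate Service,Sophos Web Intelligence Filter Service,Sophos Device Encryption'
    'id-1,PC-A,user1,0,1,'
    'id-2,PC-B,user2,1,1,2'
    'id-3,PC-C,user3,0,0,1'
) | ConvertFrom-Csv

Get-ServiceHealthSummary -Rows $sample |
    Sort-Object Stopped -Descending |
    Format-Table -AutoSize

# Against a real export:
# Get-ServiceHealthSummary -Rows (Import-Csv .\UserDevices-Offset0.csv)
```

Sorting by the Stopped count shows which service fails across the most machines, which helps separate a fleet-wide issue from a per-device one.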

  • Hey JAK,

     

    I've downloaded the script already. Where do you want me to run it? On a Server? Endpoint? I don't have access to the servers, only endpoints as of now. 

     

    I'll have to take help of the other teams to get that run on a server. Let me know if it can be run on an endpoint.

  • Any computer with access to the internet :) It gathers the data from Sophos Central.  Thanks.

  • Thanks! But, how do I get around the 2FA problem? Am in a corporate env. and 2FA is set by default. I can't make any changes regarding that.

  • Hi Yashpal,

    Please have a look at our KB regarding Sophos Central: Alerts for missing/stopped services for Windows computers 

    For Macs, please have a look at this post.

    As explained in the article, there were several fixes implemented regarding this (you can find the details in the KB). However, if the problems persist after following the KBs and ensuring the machines are up-to-date and a reboot took place (when needed), I would recommend you file a case with support for further investigation.

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support

     

  • Other than creating an account temporarily without 2FA I don't know how to call the APIs. It can be removed after running the script but if you don't have control I guess the scripted approach is out.

    The other option is to just copy the JSON response from the Developer Tools of the browser and then parse it.  For example, in Chrome, hit F12 to start the Dev Tools.

    Navigate to the Computers list under "Endpoint Protection", i.e
    https://central.sophos.com/manage/endpoint/devices/computers/all/computers

    Put a filter in the Dev Tools for:
    health_status=3
    as shown in the screenshot:



    Change the filter to "Computers with a bad status" and you should get a response of JSON you can copy out as shown in the screenshot.

    If you paste all of this into a file called: "C:\computer_bad_status.json" and then create the PS file (parsestatus.ps1) with the below code:
     1300.parsestatus.txt

    ... when you run it:
    powershell ./parsestatus.ps1
    you will get an output such as:

    DESKTOP-JJ6MU8P - Last User: WEBCTimed - RegisteredAt: 2017-04-25T13:58:13.289Z - OS: Windows 10 Enterprise
    ================================================================================================================================
    Stopped: HitmanPro Alert service

    DESKTOP-OTT4D80 - Last User: DESKTOP-OTT4D80\test - RegisteredAt: 2018-05-03T10:19:18.188Z - OS: Windows 10 Pro
    ================================================================================================================================
    Stopped: Sophos Web Intelligence Filter Service

    DESKTOP-TPASM62 - Last User: DESKTOP-TPASM62\test- RegisteredAt: 2018-04-05T15:09:11.522Z - OS: Windows 10 Enterprise
    ================================================================================================================================
    Stopped: Sophos AutoUpdate Service

    SCREEN - Last User: Screen - RegisteredAt: 2014-06-19T12:49:02.318Z - OS: Windows 7 Ultimate N Service Pack 1
    ================================================================================================================================
    Stopped: Sophos Clean Service

    UNINSTALLFAIL - Last User: UNINSTALLFAIL\test- RegisteredAt: 2018-03-21T14:20:05.646Z - OS: Windows 10 Enterprise
    ================================================================================================================================
    Stopped: Sophos Device Control Service


    If you change in the script:
    $missing = $false
    $stopped = $true

    To 
    $missing = $true
    $stopped = $true

    it will show both missing and stopped for example but maybe start with just stopped which is the default.

    Hope it helps create a summary.

    Regards,
    Jak

  • Hello JAK,

    I followed the steps mentioned in the article. 

    It doesn't give me anything in the output. 

  • It looks like you're on the Devices page at the top level, i.e.
    https://cloud.sophos.com/manage/bulk-computers

    That only pulls a really small subset of info about all computers, which is why you can quickly search and sort as all the data is local.

    You need to go to the list view:
    https://cloud.sophos.com/manage/endpoint/devices/computers/all/computers

    to get the API data we need for the report.

    Regards,
    Jak

  • Hello JAK,

     

    I'm not sure what you are talking about. All I do is log in to Sophos Central, click on the "instance" and go to devices as shown below. That'll give me the entire list of devices for that instance. From the list, I'd select the bad computers.

     

  • Click on "Endpoint Protection" in the menu as shown, then you can click on the "Computers" link which will take you to:
    https://central.sophos.com/manage/endpoint/devices/computers/all/computers
    Then you can choose the "Computers with a bad status" filter.
