"We're checking that this computer is now safe"

Noticed that one of the machines we have is stating the message on the Sophos UI:

"We're checking that this computer is now safe. Please contact your IT administrator"

Anybody know what Sophos is actually doing here? There was no indication of a threat or malicious file found on the machine recently. Nothing stated in Sophos Central Admin Console.

Recently updated to Core 2.1.2 with Endpoint Advanced 10.8.2 and Intercept X 2.0.8

The message has been there for several hours at this point



  • Hi Kirk Lewis,

    Are you seeing any Events on the endpoint/Central related to isolation?
    Can you provide a screenshot of the "We're checking..." message, as well as the Events?

    If yes to the above, I recommend that you file a case with Support including a copy of the SDU logs, as well as the screenshots so that they can further investigate.

    Regards,

  • Currently looking into the SDU logs option for Sophos. I have been curious to know if anyone else out there has encountered this and what it might mean.

  • It seems to me as a bit of a catch all.

    C:\Program Files\Sophos\Sophos UI\en-us.json

    Has it down as the internal names:

    "status.health.title.generic-red": "We're checking that this computer is now safe",
    "status.health.title.generic-yellow": "We're checking that this computer is now safe",

    I see you have it as yellow.  I had it once as Red due to a failed cleanup event.  Hitting the resolve link in the Events list solved it for me.

    I can only suggest looking down the list of Events for warnings and see if you find any which aren't resolved.

    Thanks,

    Jak

  • Hi Kirk Lewis,

    Just a quick follow up on this thread, do you still see the alert in the client?

    It could mean that the JSON file in clean has been cleared but the alert in the centre might have not been acknowledged. Can you check if there are any pending alerts in Central for this specific client?

  • After reviewing the "yellow triangle" medium events, I show two from 2/10/18. The thing is, this system has since received numerous updates and been restarted for those to be applied. I've attached the pictures to show this. This system is showing "all green" in Central console and in Sophos Endpoint Self Help. There isn't an option to click on the event for any further options. Maybe have to reinstall protection to reset this?

  • That's interesting, those 2 components no longer exist as their own component. 

    TBH I would suggest just disabling tamper protection, stopping the Health service, renaming C:\ProgramData\Sophos\Health\Event Store\Database\events.db and starting the Health service.


    Regards,
    Jak

  • Thank you! This helped to clear the message, as it appears it somehow never updated correctly all those months.