Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 5 replies
  • Subscribers 9 subscribers
  • Views 3300 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

When Endpoint updates, Heartbeat stops for a few minutes

Paul Digby

In the last couple of weeks, have seen a few times a message is received to advise that an Endpoint is not sending a Heartbeat.

 

On investigation, found each time it happens when an update occurs. Its not the same computer, its not each and every time. To get a feeling, their are 10 Endpoints and has happened three times in the last few weeks. Using InterceptX and Endpoint Advanced

 

Anybody else noticing this?



This thread was automatically locked due to age.
Parents
  • 0

    I can't say I've seen anything of the sort. My guess is that when we are updating, depending on what gets updated we might stop some services & as such communication isn't working as intended. 

    Where it's somewhat erratic, my feeling is that it is due to us restarting services, however I can't say for certain. If you can provide logs from %programdata%\sophos\heartbeat\logs

    From a recent PC, I can see if anything shows up?

  • 0 in reply to Rintendo

    I have looked at the log myself and can determine and confirm again, that it was after (or during) an update. The message was actually received at 10:58 The below shows that an update took place and shows only 45 seconds between Heartbeat stopping and re-starting.

    However, in the Event Log for the device within Central, it says Heartbeat stopped at 11:00 and resumed at 11:05. I dare say that's how long it took to update the product. Really, just wanted to report it in case this is not meant to happen. Ideally, that would be the case. As I say, its not everytime.

     

    I can see in the log from %programdata%\sophos\heartbeat\logs

    2018-11-26T10:48:56.296Z [2552:2800] - Starting Heartbeat version 1.6.196
    2018-11-26T11:02:15.980Z [2552:2800] - Stopped Heartbeat
    2018-11-26T11:02:55.367Z [3320:6152] - Starting Heartbeat version 1.7.529.0

  • +1 in reply to Paul Digby

    Hi Paul,

     

    This is expected behavior.We can see the version was 1.6.196 and then was upgraded to 1.7.529.0. We'd have stopped the service in-between that to perform the upgrade.

     

    I think that solves this mystery here :)

Reply Children
  • 0 in reply to Rintendo

    But not consistent. I am glad it does not report this every single update on every computer!

  • 0 in reply to Rintendo

    Its not answered really. That maybe what happens, however, when lateral movement is enabled and Self Isolation is enabled and rules enabled detecting Heartbeat status, the client will not be able to do anything.

    This morning one customer switched on his computer and was 5 minutes between heartbeat stopped and started. There was no indication that any update had been done at that time. This is happening too often, started 2-3 weeks ago and never before. Something not right

Unfiltered HTML