
Endpoint not connecting to Sophos Central; Can't Uninstall due to Tamper Protection

I have a computer that Sophos was installed on, but it has never reported to Sophos Central (it is not listed when I search; I even got the computer's unique ID and put that into the 'https://cloud.sophos.com/manage/devices/computers/UNIQUE_id_HERE/summary' URL, but it only shows a blank page).

I checked the logs at \programdata\sophos\management communication system\endpoint\logs\, and the logs show some warnings like the one below, but that's from the 14th, so it is like Sophos isn't trying to check in?

2019-12-14T20:54:12.833Z [ 3732] WARN  The flags file 'C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\centralFlags.json' could not be opened.

 

Anyone know what else I should check? I tried to uninstall to just reinstall and hope that would fix it, but I can't get around tamper protection as there is no entry to provide a password.



This thread was automatically locked due to age.
  • Hi  

    After you recover the tamper protection password, could you please follow the steps below and see if it works for you?

    1. Stop the Sophos MCS Client service and Sophos MCS Agent Service
    2. Go to path C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist and delete the files with Credentials, EndpointIdentity.txt and those with the .xml extension
    3. Restart the Sophos MCS agent service

    After performing the above steps, the machine should be reflected on the Sophos Central dashboard.
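
The three steps from the reply above written out as a PowerShell script; this is an added example, not something posted by anyone in the thread. It also copies the files to a backup folder before deleting them. The backup location, and treating the names given in the reply as the services' display names, are assumptions of this example. Save it as a .ps1 file and run it with `-WhatIf` first to preview the changes.

```powershell
# Added example (not from the thread). Run elevated, with Tamper Protection
# already disabled, which the reply above states as a precondition.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Folder quoted in the reply.
    [string]$PersistDir = 'C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist',
    # Hypothetical backup location chosen for this example.
    [string]$BackupDir = "$env:TEMP\mcs-persist-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
)
$ErrorActionPreference = 'Stop'

# Assumption: the names used in the reply are the services' display names.
# Get-Service throws here if either one is missing, before anything is changed.
$client = Get-Service -DisplayName 'Sophos MCS Client'
$agent  = Get-Service -DisplayName 'Sophos MCS Agent'

# Step 1: stop both MCS services so the files are not in use.
$client, $agent | Stop-Service -Force

# Step 2: select the files the reply lists: those with "Credentials" in the
# name, EndpointIdentity.txt, and everything with the .xml extension.
$targets = Get-ChildItem -LiteralPath $PersistDir -File | Where-Object {
    $_.Name -like '*Credentials*' -or
    $_.Name -eq 'EndpointIdentity.txt' -or
    $_.Extension -eq '.xml'
}

if (-not $targets) {
    Write-Warning "No matching files found in $PersistDir; nothing deleted."
} else {
    # Keep a copy first so the old state can be restored or sent to support.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $targets | Copy-Item -Destination $BackupDir
    $targets | Remove-Item -Force
    Write-Host "Removed $(@($targets).Count) file(s); copies saved in $BackupDir"
}

# Step 3: start the agent service again, as the reply instructs.
$agent | Start-Service

# Show the resulting state of both services.
Get-Service -DisplayName 'Sophos MCS*' | Format-Table DisplayName, Status -AutoSize
```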

  • Hi Shweta

    I actually followed the steps to recover the TP password and this is the thing that didn't work. Any other ideas how I can do this?

  • Hi  

    That seems a bit strange. I just wanted to confirm that you are following the steps listed for Sophos Central? What is the OS on which you are trying to perform these steps? You may check on the Sophos Central dashboard with the steps below to see if the machine name is listed under the recover tamper protection password list:

    1. Go to Logs & Reports.
    2. In Reports, under Endpoint & Server Protection, click Recover Tamper Protection passwords.
      You see a list of deleted devices.
    3. Find the device you want.
    4. In the Password(s) column, click View details.
      This shows you the password (and previous passwords).
  • Hi Shweta

    I followed the steps from the link you sent me, which didn't work for this machine.

    The OS is Windows 10 1809.

    I also looked on the Central Dashboard and I don't see this machine listed at all, hence other than following the steps to disable the tamper protection you sent, I can't manage this machine at all.

    This machine last checked into the server (this is from the actual device information) at the end of November. It is receiving its updates but just won't appear in the Central dashboard.

    Initially I thought it might have got deleted by accident, but I can't see it in the logs.

    I have tried to uninstall and reinstall but can't do this either. Any other ideas? Do I need to log a support ticket for this?

     

  • Hi  

    If the endpoint is updating fine, would you please check under Endpoint Self Help > Update that the updating location it refers to is correct? You can verify this against a working machine (one which is updating fine and showing on the Central dashboard). Also, please verify that the iconn.cfg file under the path C:\ProgramData\Sophos\AutoUpdate\Config is the same on both machines (working and non-working). If this does not help, I would suggest you create a case with support to investigate this further.

  • Hi Shweta


    They are both the same. I will log a support ticket. I will try and post this whole feed in too so hopefully it will make sense

    Thanks

  • Hi  

    Please PM me the case number once you have registered the case with support so that I can look into it.