New to Endpoint please help

Hi there, so I am new to servers and endpoint. I recently had a customer subject to a ransomware attack. To prevent future attacks as best I can, I am carrying out checks. One of these checks is the Sophos Endpoint that is installed on the customer's machine; unfortunately it is coming up with an error saying "Some Sophos services are not running". I cannot work out why. Please can someone help?

 

Thanks

Jamie

  • Hello  

    If you have an XP/2003 Extended Support license then you should be OK, and Sophos should install/update accordingly. If you are not sure if you have Extended Support, you should be able to check this in Sophos Central under Licensing, or please contact your Sophos Partner to confirm.

    If you have Extended Support, run the Diagnostic tool to see what other service(s) are not running. Click on "Run Diagnostic Tool" from the Sophos UI > About screen:

    You should also check out this link that  sent, there are steps that could solve the issue you are having.

  • I have carried out the steps from Shweta and still no change?

     

  • Hello  

    That event is old. Please send a screenshot of the screen after clicking on "Run Diagnostic Tool" and go under Services. 

    You can also look at the System tab there to see if there are any pending reboots, which could potentially resolve the issue as well.

  • Not seen that tab yet, thanks!

    23/12/19 is probably about the time the ransomware came in; everything was encrypted post Christmas break.

     

  • Hello  

    Can you please look into the install logs for Sophos File Integrity Monitoring? It could be failing to install for some reason, and that is why the service is "missing" and could not start.

    The logs are in C:\Windows\Temp; look for the most recent Sophos File Integrity Monitoring setup log<timestamp>.txt and Sophos File Integrity Monitoring install log<timestamp>.txt files.

    See if you can find strings such as "Error" (which should eventually show an error code), or "Failed" (should also tell what failed, etc.).
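
The log check described in the reply above, as an added PowerShell example (not part of the original post and not a Sophos tool). The function name `Get-SophosFimLogFindings` and its output layout are assumptions made for illustration; the folder, file names and the "Error"/"Failed" search strings come from the thread, and the "Return value 3" and `MsiSystemRebootPending` checks are standard Windows Installer log markers added here.

```powershell
# Added example: the function name and output layout are illustrative, not Sophos tooling.
function Get-SophosFimLogFindings {
    param([string]$LogDir = 'C:\Windows\Temp')

    foreach ($kind in 'Setup', 'Install') {
        # Newest log of each kind; the name pattern follows the file names quoted in the thread.
        $log = Get-ChildItem -Path $LogDir -Filter "Sophos File Integrity Monitoring $kind Log*.txt" |
            Sort-Object LastWriteTime -Descending |
            Select-Object -First 1
        if (-not $log) {
            Write-Output "[$kind] no log found in $LogDir"
            continue
        }
        Write-Output "[$kind] $($log.FullName) (last written $($log.LastWriteTime))"

        # "Error" and "Failed" are the strings named in the thread; "Return value 3"
        # is how a verbose Windows Installer log marks a failed action.
        # Select-String matches case-insensitively by default.
        $hits = @(Select-String -Path $log.FullName -Pattern 'Error', 'Failed', 'Return value 3')
        if ($hits.Count -eq 0) {
            Write-Output '  no Error / Failed / Return value 3 lines'
        }
        foreach ($hit in $hits) {
            Write-Output ("  line {0}: {1}" -f $hit.LineNumber, $hit.Line.Trim())
        }

        # Windows Installer adds the MsiSystemRebootPending property only when a
        # restart of the operating system is pending at install time.
        if (Select-String -Path $log.FullName -Pattern 'MsiSystemRebootPending' -Quiet) {
            Write-Output '  MsiSystemRebootPending is set: a reboot was pending when this log was written'
        }
    }
}

Get-SophosFimLogFindings
```

Run it from an elevated PowerShell prompt, since C:\Windows\Temp is normally readable only by administrators.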

     

  • Hello  

    Okay, thanks. Can you also please find the most recent Sophos File Integrity Monitoring install log<timestamp>.txt file, also in C:\Windows\Temp?

    Thanks!

  • I did check this and found no errors, but here is the text.

     

    === Verbose logging started: 06/01/2020 08:29:56 Build type: SHIP UNICODE 5.00.7601.00 Calling process: C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\SophosUpdate.exe ===
    MSI (c) (44:F8) [08:29:56:455]: Cloaking enabled.
    MSI (c) (44:F8) [08:29:56:455]: Attempting to enable all disabled privileges before calling Install on Server
    MSI (c) (44:F8) [08:29:56:455]: End dialog not enabled
    MSI (c) (44:F8) [08:29:56:471]: Original package ==> C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\fim\SophosFIM.msi
    MSI (c) (44:F8) [08:29:56:471]: Package we're running from ==> C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\fim\SophosFIM.msi
    MSI (c) (44:F8) [08:29:56:471]: APPCOMPAT: Uninstall Flags override found.
    MSI (c) (44:F8) [08:29:56:471]: APPCOMPAT: Uninstall VersionNT override found.
    MSI (c) (44:F8) [08:29:56:471]: APPCOMPAT: Uninstall ServicePackLevel override found.
    MSI (c) (44:F8) [08:29:56:471]: APPCOMPAT: looking for appcompat database entry with ProductCode '{425063CE-9566-43B8-AC61-F8D182828634}'.
    MSI (c) (44:F8) [08:29:56:471]: APPCOMPAT: no matching ProductCode found in database.
    MSI (c) (44:F8) [08:29:56:486]: MSCOREE not loaded loading copy from system32
    MSI (c) (44:F8) [08:29:56:502]: APPCOMPAT: looking for appcompat database entry with ProductCode '{425063CE-9566-43B8-AC61-F8D182828634}'.
    MSI (c) (44:F8) [08:29:56:518]: APPCOMPAT: no matching ProductCode found in database.
    MSI (c) (44:F8) [08:29:56:518]: Transforms are not secure.
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\Windows\TEMP\Sophos File Integrity Monitoring Install Log 20200106082956455.txt'.
    MSI (c) (44:F8) [08:29:56:518]: No Command Line.
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{2A4B14BE-081A-4CDE-A2A1-A6397314C880}'.
    MSI (c) (44:F8) [08:29:56:518]: Product Code passed to Engine.Initialize: '(none)'
    MSI (c) (44:F8) [08:29:56:518]: Product Code from property table before transforms: '{425063CE-9566-43B8-AC61-F8D182828634}'
    MSI (c) (44:F8) [08:29:56:518]: Product Code from property table after transforms: '{425063CE-9566-43B8-AC61-F8D182828634}'
    MSI (c) (44:F8) [08:29:56:518]: Product not registered: beginning first-time install
    MSI (c) (44:F8) [08:29:56:518]: Determined that existing product (either this product or the product being upgraded with a patch) is installed per-machine.
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
    MSI (c) (44:F8) [08:29:56:518]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3: 2
    MSI (c) (44:F8) [08:29:56:518]: Entering CMsiConfigurationManager::SetLastUsedSource.
    MSI (c) (44:F8) [08:29:56:518]: User policy value 'SearchOrder' is 'nmu'
    MSI (c) (44:F8) [08:29:56:518]: Adding new sources is allowed.
    MSI (c) (44:F8) [08:29:56:518]: Package name extracted from package path: 'SophosFIM.msi'
    MSI (c) (44:F8) [08:29:56:518]: Package to be registered: 'SophosFIM.msi'
    MSI (c) (44:F8) [08:29:56:518]: Note: 1: 2262 2: AdminProperties 3: -2147287038
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
    MSI (c) (44:F8) [08:29:56:518]: TRANSFORMS property is now:
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\Favorites
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\Documents
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\ProgramData
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Local
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\Pictures
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\Desktop
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\Fonts
    MSI (c) (44:F8) [08:29:56:518]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
    MSI (c) (44:F8) [08:29:56:518]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
    MSI (c) (44:F8) [08:29:56:518]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'server'.
    MSI (c) (44:F8) [08:29:56:518]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding COMPANYNAME property. Its value is 'SRM Steadfast'.
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\fim\SophosFIM.msi'.
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\fim\SophosFIM.msi'.
    MSI (c) (44:F8) [08:29:56:518]: Machine policy value 'MsiDisableEmbeddedUI' is 0
    MSI (c) (44:F8) [08:29:56:518]: EEUI - Disabling MsiEmbeddedUI due to existing external or embedded UI
    MSI (c) (44:F8) [08:29:56:518]: EEUI - Disabling MsiEmbeddedUI in quiet mode
    === Logging started: 06/01/2020 08:29:56 ===
    MSI (c) (44:F8) [08:29:56:518]: Machine policy value 'DisableRollback' is 0
    MSI (c) (44:F8) [08:29:56:518]: User policy value 'DisableRollback' is 0
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
    MSI (c) (44:F8) [08:29:56:518]: Creating MSIHANDLE (10) of type 790537 for thread 8696
    MSI (c) (44:F8) [08:29:56:518]: MsiOpenPackageEx is returning 0
    MSI (c) (44:F8) [08:29:56:518]: Closing MSIHANDLE (10) of type 790537 for thread 8696
    === Verbose logging stopped: 06/01/2020 08:29:56 ===