Central sends out messages that Real Time protection is disabled sometimes on some computers

Hello,

in some cases I see messages like:

Sophos Central Event Details for XXXX

What happened: Real-time protection has been disabled on a computer.

Where it happened: NY-Computername

User associated with device: RIEDEL-WU\login

How severe it is: High

What Sophos has done so far: We have tried to enforce the Sophos Central policy and enable real-time protection.

What you need to do: Go to the computer to check that it is turned on and has an internet connection. Look in the logs on the computer for messages about "on-access scanning".

 

Most times there is no issue with somebody disabling the real-time protection (I asked some users). It looks like these messages arise during normal operation. Maybe some kind of timing issue that occurs when putting the computer in

mode.

Are there any known issues? Is there a solution for this?

Thanks
Bernd



This thread was automatically locked due to age.
  • Are you able to reproduce it on any given computer? For example, if you restart it a number of times?

    If so, I would suggest enabling message trails: https://community.sophos.com/kb/en-us/119608

    It would then be possible to correlate the sent messages (C:\ProgramData\Sophos\Management Communications System\Endpoint\Trail\) with the MCS client and MCS agent logs (C:\ProgramData\Sophos\Management Communications System\Endpoint\Logs\) to know when the message is being sent relative to start-up/shutdown for example.

    It might be worth getting a Process Monitor boot trace with a filter on Path contains:

    C:\ProgramData\Sophos\Management Communications System\Endpoint

    Maybe the problem is that on shutdown a status message is created under C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\ where the state is disabled, and the MCS client service starts early at start-up and manages to send it before the next "real" status is sent (the MCS agent service is started, loads the SAV adapter and asks for a status); then the true status is sent and the toggle is observed.

    I think a timeline of events needs to be created. If it can be re-created, what happens if the MCS Client service is changed to delayed start, for example?

    Hope it helps.

    Regards,

    Jak
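The timeline Jak describes, as an added PowerShell example that is not part of this thread and not a Sophos tool: it merges the MCS message trail with Windows boot/shutdown events and reports how the MCS services start. It assumes the Endpoint path quoted above, a 7-day window, that the MCS services carry "MCS" in their display name, and a keyword heuristic for spotting status messages about on-access state.

```powershell
# Added example, not from the thread or from Sophos: merge the MCS message
# trail with Windows boot/shutdown events into one timeline, then report how
# the MCS services are configured to start. Assumptions: the Endpoint path Jak
# quoted, a 7-day window, MCS services carrying "MCS" in their display name,
# and a keyword heuristic for spotting status messages about on-access state.
param(
    [int]$Days = 7,
    [string]$McsRoot = 'C:\ProgramData\Sophos\Management Communications System\Endpoint'
)

$since  = (Get-Date).AddDays(-$Days)
$events = @()

# Each file in Trail\ is a message the MCS client sent; LastWriteTime is when it
# was written. Flag the ones whose text mentions on-access / disabled state.
Get-ChildItem -Path (Join-Path $McsRoot 'Trail') -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        $hit = Select-String -Path $_.FullName -Quiet -ErrorAction SilentlyContinue `
                   -Pattern 'disabled|on-?access|real-?time'
        $events += [pscustomobject]@{
            Time   = $_.LastWriteTime
            Source = 'MCS trail'
            Detail = $_.Name + $(if ($hit) { '  <-- mentions on-access/disabled state' })
        }
    }

# Boot/shutdown markers from the System log: 12/13 Kernel-General start/stop,
# 6005/6006 event log service start/stop, 1074 shutdown initiated, 41 power loss.
$filter = @{ LogName = 'System'; StartTime = $since; Id = 12, 13, 41, 1074, 6005, 6006 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $events += [pscustomobject]@{
        Time   = $_.TimeCreated
        Source = 'System log'
        Detail = "EventID $($_.Id) from $($_.ProviderName)"
    }
}

# Merged, chronological timeline of trail messages and boot/shutdown events
$events | Sort-Object Time | Format-Table -AutoSize

# Start mode of the MCS services; "Delayed start" is StartMode Auto plus the
# DelayedAutostart registry flag, so both are shown.
Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%MCS%'" |
    Select-Object Name, DisplayName, State, StartMode, @{
        n = 'DelayedAutoStart'
        e = { (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)" `
                 -ErrorAction SilentlyContinue).DelayedAutostart -eq 1 }
    } | Format-Table -AutoSize
```

Run it in an elevated PowerShell on an affected machine; a trail message stamped seconds after EventID 12/6005 and before the agent has reported a fresh status is the pattern Jak suspects.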
