Sophos System Protection Service

Disabling the "Data Loss Prevention" policy from Sophos Central on affected devices followed by a reboot fixed it for me. The service is now running.

Hi Craig,

Could you please explain the way you proceed to disable DLP policy?

I tried to create a  new DLP policy for my servers getting the issue and then bypassed it. However the base policy is also applied by default.

I'm not able to delete the DLP base policy.

Many thanks in advance for your help,

Best regards,

Jérôme.

I suggest toggling the slider "Use rules for data transfers". 

Hi Kushal Lakhan,

Thanks for your reply.

I’m going to check this slider thing tomorrow at work.

I also noticed that only (but all) Windows 2012R2 servers are impacted by this issue.

Sophos System Protection Service remains on a starting status for all of them.

Do you think Sophos will provide any patch or is there any Windows KB (even an old one) to avoid or correct this problem? 
I hope toggling the slider will solve the issue but maybe this also could come from a Windows KB (applied or missing).

We already control firewall permissions for Sophos flows, no connection reset occurs so i’m at my wits end.

Many thanks again for your support,

Best regards,

Jérôme.

Thanks for following up.

There are a few reasons this could occur. If the SXL Lookup URLs are not reachable, you'll need to ensure your white list contains all of the entries Sophos requires. There were some changes to this following the architecture changes to Sophos' Endpoint and Server products.
- Domains and ports to allow

If the 1920 error is returned, the following KBA advises further, though this doesn't appear to be what's happening in most cases mentioned here.
- Error 1920 Sophos System Protection service failed to start

If any recent updates have occurred to the system, a restart may also be necessary. 

I'm eager to find out if the issue remains, though other users who reported similar issues haven’t reached out on this thread indicating as such.

Thanks for following up.

There are a few reasons this could occur. If the SXL Lookup URLs are not reachable, you'll need to ensure your white list contains all of the entries Sophos requires. There were some changes to this following the architecture changes to Sophos' Endpoint and Server products.
- Domains and ports to allow

If the 1920 error is returned, the following KBA advises further, though this doesn't appear to be what's happening in most cases mentioned here.
- Error 1920 Sophos System Protection service failed to start

If any recent updates have occurred to the system, a restart may also be necessary. 

I'm eager to find out if the issue remains, though other users who reported similar issues haven’t reached out on this thread indicating as such.

Hi Qoosh, 

I haven't experienced this issue on any of my servers (Touch Wood).
However, it does appear that the disabling DLP fix is working only challenge is that it has to be actioned on each individual machine which is very time-consuming.

I shall update I as we go along.  

Hi Ndangi,

Could you please explain how you individualy dosable DLP. I triés the slider thing explained by Qoosh, but it was already off for me.

Many thanks,

Best Regards,

Jerome.

Ndangi Nashiku, Jérôme VIAL

A KBA has been published related to this issue, I suggest trying the steps outlined in the article linked below. 
- Advisory: Sophos System Protection Service may hang in a 'Starting' state after the system was rebooted

Hi Jerome, 

The fix in our environment is as follows: 

1- Obtain the Admin Sign-in from Sophos Central for the Endpoint with the issue. 
2- Open Sophos Endpoint agent on the machine with the issue. Sign in as Admin
3- Enable the override Sophos Central Policy for up to 4 hours.
4- Toggle off Tamper Protection and Data Loss Prevention.
5- Reboot the machine and update the Sophos Endpoint Agent.

Hi Qoosh, 

Does this mean that events are no longer monitored?
Additionally, after implementing the fix suggested in the KB, Sophos File Scanner Service stopped. 

Hi Ndangi,

Thanks for your answer. The workaround suggested by Qoosh works fine for my Windows 2012R2.

I still got an issue with a Windows 10 computer which was auto-isolated previously (before the workaround was provided). Sophos detect all services running fine but PC is still auto-isolated... even if i reomve then install Sophos again.

So i'm going to try the way you proceed.

Many thanks,

Best regards,

Jérôme.

can you check if you have an updated behave.dec under 
C:\ProgramData\Sophos\Endpoint Defense\Data\DecisionRulesV2\[version]\
If so, with DLP re-enabled, does the SSPService now start OK?

Hi Qoosh,

The KBA must be considered as a workaround.

Is it still necessary to desactivate DLP for W2012 R2 servers?

Many thanks in advance,

Best regards,

Jérôme

You will not need to disable DLP any longer no.