Cloud Status - 'Some Sophos services not running' or 'missing'

We have a large number of devices that are reporting a bad status in the Cloud console.  The error given is 'Some Sophos services not running' or 'Some Sophos services missing'.  When I open services.msc on the clients, I can see in some cases all the services are running and in others the 'Sophos System Protection Service' is in a [Stopping] state.  Sophos support has been almost completely useless as they continue to point me to the same article again and again:  www.sophos.com/.../122899.aspx.  This article references a specific case where the 'Sophos Anti-Virus' service won't start.  That said, I did try their solution of manually running 'vcredist_x86.exe' and it had no impact on the problem.

Has anyone else had this problem and have any advice or ideas to try?



  • Is this still a thing? We are now on 11.5.2 and seeing the exact same issues present in previous versions. This is the only thread / kb that I can find anywhere and support simply asks us to re-install the application.

     

    Adam

  • Anytime I see it, it's because of the event log group policy so I delete that folder in the registry.

  • Also seeing this in small numbers.

    For example looking at a client now and there is no "Sophos Web Intelligence Service" service installed - simply suggesting uninstall/reinstall doesn't really fix the issue especially when it's damned near impossible to do a remote uninstall (does anyone know a way please?).

  • There are so many issues in this thread with multiple components.

    With the missing Sophos Web Intelligence Service.  Do you have the SAV MSI log?  What I suspect might be happening is the missing service (swi_service) is removed during the update.  This is expected.  It should be put back later in the install.  However if another process has a handle open to the service, Windows will not remove it until restart or the handle is closed. Until this happens the service is marked for deletion.  When the installer tries to put it back it says the service is already present which it is - to some extent. The install will not fail for this.  It's only when you restart the computer the service is lost but the 'damage' was prior to the restart or when the handle to the service was freed after the installer completed.

    I would suggest there is some third party software on the computer with a handle open to the swi_service causing the issue.  Do you have any software which enumerates services?  Some sort of auditing software?

    I'd need to see a SAV MSI log to be sure this is roughly what is going on.  

    Working out what process is calling OpenService on swi_service is a little tricky.  One route would be to use API Monitor - http://www.rohitab.com/apimonitor.  You can filter this down to OpenService https://msdn.microsoft.com/en-us/library/windows/desktop/ms684330%28v=vs.85%29.aspx which is in the Advapi32.dll module.

    Regards,

    Jak
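
The "marked for deletion" state described in the reply above can be checked on an affected client before it is restarted. This is an added example, not part of the original post and not Sophos code: it assumes the Service Control Manager records a pending deletion as `DeleteFlag = 1` in the service's registry key, and the `Get-SophosServiceState` name and the `Sophos|^swi_` match pattern are hypothetical.

```powershell
# Added example, not from the thread. Read-only: it changes nothing on the machine.
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SophosServiceState {
    param(
        # swi_service is the name given in the thread; add others you expect to exist.
        [string[]]$Expected = @('swi_service'),
        # Assumption: Sophos services can be recognised by key name or display name.
        [string]$Pattern = 'Sophos|^swi_'
    )

    # Collect every service key that looks like a Sophos component.
    $names = @(Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue |
        Where-Object {
            $dn = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DisplayName
            $_.PSChildName -match $Pattern -or $dn -match $Pattern
        } | ForEach-Object { $_.PSChildName })

    foreach ($name in @($names + $Expected | Sort-Object -Unique)) {
        $key     = Join-Path $ServicesRoot $name
        $svc     = Get-Service -Name $name -ErrorAction SilentlyContinue
        $finding = 'OK'

        if (-not (Test-Path -Path $key)) {
            # Matches the console's "Some Sophos services missing".
            $finding = 'Missing: no service key'
        } else {
            $props = Get-ItemProperty -Path $key
            if ($props.DeleteFlag -eq 1) {
                # Assumption: DeleteFlag=1 means the SCM is waiting for open handles to close.
                $finding = 'Marked for deletion: lost at restart or when the last handle closes'
            } elseif ($svc -and $svc.Status -eq 'StopPending') {
                $finding = 'Stuck in Stopping'
            } elseif ($svc -and $svc.Status -ne 'Running' -and $props.Start -eq 2) {
                # Start = 2 is automatic start.
                $finding = 'Automatic start but not running'
            }
        }

        [pscustomobject]@{
            Name    = $name
            Status  = if ($svc) { $svc.Status } else { 'n/a' }
            Finding = $finding
        }
    }
}

Get-SophosServiceState | Format-Table -AutoSize
```

A service reported as marked for deletion right after an update is the case where the installer sees the service as "already present"; that is the moment to look for the process still holding the handle.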

     

  • shouldn't have to remote uninstall, just disable tampering protection...

    I saw this again on 20 of my pcs this morning. 

    in cloud console - disable tampering

    connect to the pc remotely through regedit to delete the eventlog key

    go to services (connect to computer remotely) and start event log service (also stop windows defender if started)

    put SophosInstall.exe on server share

    copy the install script to the computer with problems to c:\temp

    ------------------------------------------

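    @echo off
    REM Relative path of the MCS client; if it exists the endpoint is already installed.
    SET MCS_ENDPOINT=Sophos\Management Communications System\Endpoint\McsClient.exe
    REM 32-bit Windows: check Program Files. 64-bit Windows: check Program Files (x86).
    IF "%PROCESSOR_ARCHITECTURE%" == "x86" GOTO X86_PROG
    IF NOT EXIST "%ProgramFiles(x86)%\%MCS_ENDPOINT%" GOTO INSTALL
    exit /b 0

    :X86_PROG
    IF NOT EXIST "%ProgramFiles%\%MCS_ENDPOINT%" GOTO INSTALL
    exit /b 0

    :INSTALL
    REM pushd maps the UNC share to a temporary drive letter; popd releases it again.
    pushd \\server\servershare
    SophosInstall.exe -q
    Popd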

    ------------------------------

    run script

    Repeat if needed till issue resolved

  • Thanks, I shall try and get a diagnostic bundle next time I see this.

    I really appreciate the detail in your reply, thank you for explaining it, but could you clarify if you're saying you'd expect it to sort itself out on a restart/reboot?

    It would be great if Sophos went into this level of detail in their KB.
