
Device Encryption Service randomly not starting/stopping on multiple endpoints since last week's outages?

Hello all.

Since last week's outage debacle, I've seen multiple random endpoints suddenly report that the device encryption service is not starting.

There seems to be no rhyme or reason to the timing (not when starting up, after restart, etc.).  Seems possibly related to policy push issues.

Sophos support asked me to remove policies from affected devices, remove endpoints, reinstall endpoints, reapply policies. I have not opted to do this as it is not a viable solution and really wouldn't solve underlying issues with the central cloud services not pushing out policies in the first place.

Generally I've used PSEXEC to remotely start the service and the affected clients don't seem to be popping back up again after that, but still it's getting annoying.

Have any of you encountered this as of late? Any particular data points/extrapolation you've found (patterns like time of day, etc.)?

Lastly, is this all going to be a continuing issue with Sophos? I am in charge of maintaining Sophos on multiple endpoints, and trying to deploy policies, reinstall Cloud Web Gateway... I thought this product was designed to assist with reducing management loads for endpoints, not increase them?

  • One thing I'm starting to notice now is that I'll get an email alert saying "One or more Sophos services are missing or stopped", but by the time I check the machine, all services are running.  I'm guessing the fix means the services will start a bit later now, but the process that triggers the email alerts isn't taking this into account yet??
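An added example, not code from the thread or from Sophos, covering the PsExec-style remote restart the opening post describes and the "services missing or stopped" alert in the reply above: it snapshots every Sophos service on a list of endpoints with a timestamp, flags automatic-start services that are not running, optionally starts them, and appends the result to a CSV so a later alert can be matched against what was actually stopped when you looked. It assumes PowerShell remoting (WinRM) is enabled on the endpoints and that the relevant services all carry a display name beginning with "Sophos"; the computer names and log path are placeholders.

```powershell
# Added example, not from the thread. Snapshot every Sophos* service on a
# list of endpoints, flag automatic-start services that are not running,
# and (optionally) start them. Assumes WinRM/PowerShell remoting is enabled
# and that the relevant services all carry a display name starting "Sophos".
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string[]]$ComputerName,   # e.g. 'PC01','PC02' (placeholders)
    [switch]$StartStopped,                           # actually start stopped services
    [string]$LogPath = "$env:USERPROFILE\sophos-service-check.csv"
)

$remote = {
    param([bool]$Start)
    $now = Get-Date
    # Win32_Service exposes StartMode, ProcessId and ExitCode, which Get-Service does not
    Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE 'Sophos%'" |
        ForEach-Object {
            $svc = $_
            $action = 'none'
            if ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running') {
                $action = 'flagged'
                if ($Start) {
                    try {
                        Start-Service -Name $svc.Name -ErrorAction Stop
                        $action = 'started'
                    } catch {
                        $action = "start failed: $($_.Exception.Message)"
                    }
                }
            }
            [PSCustomObject]@{
                Computer  = $env:COMPUTERNAME
                Checked   = $now
                Service   = $svc.Name
                Display   = $svc.DisplayName
                State     = $svc.State
                StartMode = $svc.StartMode
                ProcessId = $svc.ProcessId
                ExitCode  = $svc.ExitCode      # Win32 exit code of the last stop, if any
                Action    = $action
            }
        }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $remote `
    -ArgumentList $StartStopped.IsPresent -ErrorAction Continue

# Append so repeated runs build a timeline that an alert e-mail can be checked against
$results | Select-Object * -ExcludeProperty PSComputerName, RunspaceId |
    Export-Csv -Path $LogPath -NoTypeInformation -Append

# Show only the endpoints where something was not running
$results | Where-Object Action -ne 'none' |
    Format-Table Computer, Service, State, StartMode, Action -AutoSize
```

Run it without -StartStopped from a scheduled task every few minutes and you get a record of which service was actually down at the time the Central alert fired; add -StartStopped to replace the PsExec step. The ExitCode column is worth keeping, since a non-zero value from the last stop tells you whether the service crashed or was stopped cleanly.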

  • I feel like I've had that issue for a while, going back to "this device has suspended encryption" or whatever the error message was.  By the time I went to the machine it was fine.

  • I know some of the components have recovery such that if a service is missing, on the next update it will be re-added.

    Do you know which services were reported as missing?

    There is a trail here:
    C:\ProgramData\Sophos\Health\Event Store\Trail\ 

    The following PowerShell might help make sense of it:

    # Path to the Health Event Store trail; each .json file is one event
    $strLoc = Join-Path $env:ProgramData "Sophos\Health\Event Store\trail"
    $strFileName = "*.json"

    # Read each event file in full (-Raw, so a multi-line JSON document still
    # parses) and pick out the fields of interest into one object per file
    $OutData = Get-ChildItem -Path $strLoc -File -Filter $strFileName | ForEach-Object {
        $j = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
        [PSCustomObject]@{
            file             = $_.Name
            id               = $j.id
            familyId         = $j.familyId
            timeStamp        = $j.timeStamp
            app              = $j.app
            sequence         = $j.sequence
            severity         = $j.severity
            resourceId       = $j.resourceId
            componentName    = $j.componentName
            showNotification = $j.showNotification
            updateSummary    = $j.updateSummary
            serviceName      = $j.serviceName
            counterName      = $j.counterName
            userName         = $j.userName
            userSid          = $j.userSid
            path             = $j.path
            reboot           = $j.reboot
        }
    }

    # May not need all of these. Comment out the ones you don't need.
    $OutData | Out-GridView -Title "Health Event Store"
    $OutData | ConvertTo-Html | Out-File -FilePath Report.html
    $OutData | Export-Csv -Path Report.csv -NoTypeInformation

    You could change the path to the directory to be a remote location, i.e. through a C$ share I suppose.

    The Sophos UI event list may also reveal what's been going on.

    Regards,

    Jak

  • Has anyone opened a ticket on this issue? I have patiently been waiting for a fix but I am ready to open a case on it.

  • I have an open ticket. The update did not fix my problem. After the update, support gathered more info and decided it was a corrupted file (log4net.dll) in my case. I had about 35 of them out of 400 systems. Replacing this file with the original from the Sophos AutoUpdate cache fixed the issue and allowed me to start the service. Still waiting to see if it sticks or not. I am now down to fewer than 5 devices with this issue after running in the 40s for months.
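An added example, not code from the thread or from Sophos, of checking for the corrupted-log4net.dll condition described in the reply above before touching anything by hand: it hashes every log4net.dll under the Sophos install trees, compares each against the copies the updater holds in its cache, reports the Authenticode status, and with -Repair copies the cached file over a mismatching one (keeping the bad copy as .corrupt). The search roots and the AutoUpdate cache path are assumptions about a typical install, not values taken from the thread; adjust them to what you see on your endpoints.

```powershell
# Added example, not from the thread. Hash every log4net.dll under the
# Sophos install trees and compare it with the copies held in the AutoUpdate
# cache, reporting (and optionally replacing) any that do not match.
# The search roots and cache path are assumptions about a typical install.
[CmdletBinding()]
param(
    [string[]]$SearchRoots = @("$env:ProgramFiles\Sophos",
                               "${env:ProgramFiles(x86)}\Sophos",
                               "$env:ProgramData\Sophos"),
    [string]$CachePath = "$env:ProgramData\Sophos\AutoUpdate\Cache",   # assumed location
    [switch]$Repair                                                   # copy the cached file over a bad one
)

$target = 'log4net.dll'

# Known-good copies: whatever the updater downloaded into its cache.
# There may be more than one (different components can ship different builds).
$cached = Get-ChildItem -Path $CachePath -Recurse -Filter $target -ErrorAction SilentlyContinue
if (-not $cached) { throw "No $target found under $CachePath; check the cache path." }
$goodHashes = @{}
foreach ($c in $cached) {
    $h = (Get-FileHash -Path $c.FullName -Algorithm SHA256).Hash
    if (-not $goodHashes.ContainsKey($h)) { $goodHashes[$h] = $c.FullName }
}

# Installed copies: every log4net.dll under the Sophos trees, excluding the cache itself
$installed = $SearchRoots |
    Where-Object { $_ -and (Test-Path $_) } |
    ForEach-Object { Get-ChildItem -Path $_ -Recurse -Filter $target -ErrorAction SilentlyContinue } |
    Where-Object { $_.FullName -notlike "$CachePath*" }

$report = foreach ($f in $installed) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $ok   = $goodHashes.ContainsKey($hash)
    $action = 'none'
    if (-not $ok -and $Repair) {
        # Only repair when there is exactly one cached build to pick from;
        # with several, choose by hand. Stop the owning service before running this.
        if ($goodHashes.Count -eq 1) {
            $src = $goodHashes.Values | Select-Object -First 1
            Copy-Item -Path $f.FullName -Destination "$($f.FullName).corrupt" -Force
            Copy-Item -Path $src -Destination $f.FullName -Force
            $action = "replaced from $src"
        } else {
            $action = 'ambiguous: several cached builds'
        }
    }
    [PSCustomObject]@{
        Path         = $f.FullName
        Length       = $f.Length
        Sha256       = $hash
        MatchesCache = $ok
        Signature    = $sig.Status      # Valid / NotSigned / HashMismatch / UnknownError
        Action       = $action
    }
}

$report | Sort-Object MatchesCache |
    Format-Table Path, Length, MatchesCache, Signature, Action -AutoSize
```

Run it read-only first (no -Repair) across the affected machines and look at the MatchesCache and Signature columns together: a file that fails to match the cache and reports HashMismatch has been altered after signing and is the corruption the reply describes, whereas NotSigned tells you nothing either way, since that depends on whether the vendor signs that particular DLL. Keeping the .corrupt copy gives support something to examine.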

  • This problem affected most of the Windows 7 users' endpoints. So I think I found the solution. For Windows 7 operating systems you need to upgrade to Service Pack 1 and install .NET Framework 4.7.1, then restart the PC and the problem will be fixed. It fixed it for me.