
Storage Replicas and Sophos Cloud Central- known issues?

Hi There,


We've got a customer with a number of servers in AWS.

There are 2 servers which are using Microsoft Storage Replicas.


The agent was installed in the usual fashion, but both servers are reporting issues in the client.

I've tried removing and reinstalling the client, but to no avail, as tamper protection keeps being re-enabled.


I will probably have to follow the guidance here https://community.sophos.com/kb/en-us/127602 to resolve it.

But before I do so I wanted to know if there are any known issues with Storage Replicas and Sophos Cloud?


I've googled, but not found anything to suggest there are known issues.


Kind Regards,

James.



  • Not quite sure what the actual error is you're getting, but one thing that you may want to check if it's based on storage:

    If you look under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Paths

    Then SystemDrive will have a path such as: \Device\HarddiskVolume3.

    Is this path correct for the C drive?  If you run:

    fltmc volumes | find "C:"

    This will list the current volume path for the C drive.  Do they match?

    Regards,

    Jak

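As an added example (not code from the thread or from Sophos), a PowerShell script that automates the check above: it reads the SystemDrive value under the Paths key and compares it with the device path that "fltmc volumes" reports for the system drive. It assumes an elevated prompt (fltmc needs admin rights) and that the Paths key holds a SystemDrive value as described.

```powershell
# Added example, not from the thread: compare the system-drive device path recorded
# under the Sophos Endpoint Defense "Paths" key with what the filter manager reports now.
# Must be run from an elevated prompt, because 'fltmc volumes' requires admin rights.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Paths'
$drive   = $env:SystemDrive   # normally "C:"

# 1. The path the driver has recorded, e.g. \Device\HarddiskVolume3
$recorded = (Get-ItemProperty -Path $regPath -ErrorAction Stop).SystemDrive

# 2. The path the filter manager reports right now. Data rows of 'fltmc volumes'
#    look like:   C:    \Device\HarddiskVolume3    NTFS    ...
$pattern = "^\s*$([regex]::Escape($drive))\s+(\\Device\\\S+)"
$actual  = fltmc volumes | ForEach-Object {
    if ($_ -match $pattern) { $Matches[1] }
} | Select-Object -First 1

if (-not $actual) {
    Write-Warning "Could not find $drive in 'fltmc volumes' output (is this prompt elevated?)"
    return
}

"Registry SystemDrive : $recorded"
"fltmc reports $drive : $actual"

if ($recorded -ieq $actual) {
    'Match: the Paths key is correct for the system drive.'
} else {
    Write-Warning 'Mismatch: the Paths key is stale (volume changed after install?).'
    Write-Warning 'Tamper protection must be off before the key can be corrected; see KB 127602 linked above.'
}
```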
  • Hi Jak,

    Thanks for coming back to me.

    They are indeed wrong. I can't change the registry keys in question - probably due to the Sophos client. I'll follow the Sophos guide for recovery by attaching to a machine with another O/S and let you know.


    These are the symptoms which prompted me to look at reinstalling:


    And as you can see, the volumes don't match the registry keys you mentioned.


    Kind Regards,

    James.


  • A quick way to fix it up would be:

    fltmc unload "Sophos endpoint defense"

    rename the paths registry key, then run:

    fltmc load "Sophos endpoint defense"

    At startup the driver seems to re-create the keys correctly.

    That said: in order to modify the key and unload the driver, tamper protection would have to be disabled.

    I can imagine the scenario where, if it's on and therefore neither of the above is possible, you would have to boot into safe mode, rename sophosed.sys (\windows\system32\drivers\) to sophosed.sys.rename, then reboot back into Windows. As the driver is then not loaded, you should be able to rename the Paths key, rename the driver file back to sophosed.sys and then run the command "fltmc load "Sophos endpoint defense"" to start the driver again.

    I hope it helps.

    Regards,

    Jak

  • Hi Jak,


    Thanks for your help on this, the client is now working on both machines.

    I think the volumes must have changed after the AV client was installed.

    Unfortunately you can't change the registry keys you mentioned live (probably due to tamper protection or something).

    What I had to do was shut the machine down, detach the volume, build a 2012 R2 server (the guest is 2016), attach the disk, load the system hive, change the keys in your first post, and unload it.

    Then reattach to the original machine.

    After I rebooted, the Client worked correctly.


    Kind Regards,

    James.