Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 9 replies
  • Subscribers 1 subscriber
  • Views 296271 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SEC v5.0.0.8 and Sophos Web Intelligence Update Service

toddh

Hey,

I had to do a reboot on our Sophos server over the weekend. Upon coming back up the system was complaining that there was a service that had failed to start. The service was the Sophos Web Intelligence Update Service.

Currently the "Startup Type" is set to "Automatic"

If I attempt to start the service manually, it starts and stops immediately and I get the Windows message stating this.

I am assuming that since the "Startup Type" is "Automatic" that this service should be in the "running" state.

I have checked the Windows Event Viewer and there is nothing logged there about the service.

I have also gone through the logs for Sophos and I haven't been able to find anything that might explain

why this service isn't starting.

Is there anything I can do to try and troubleshoot what the issue is? Or are there logs that perhaps I am missing that might reveal the issue?

Thank you

:21957


This thread was automatically locked due to age.
  • 0

    The serivce is meant to start and stop, it doesn't run.  I'm suprised Windows threw a startup message because it failed.  Are you sure no other service failed during that startup?

    Regards,

    Jak

    :21963
  • 0

    I had a feeling it was doing what it was supposed to be doing but I wanted to be sure.

    As far as I could tell it was this this service. But I must confess that I did not check the Event Viewer thoroughly!

    As long as this service is behaving as it should, I will investigate further and see if I can reproduce the error.

    Sorry for the dumb question :(

    But thank you for the help!

    Cheers

    :21965
  • 0

    I think this performs the same tasks as swi_config.exe used to do based on the switches.  If you run:

    "C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe" /help  

    (64-bit machine) it shows you what the tool is capable of.  Looking at the service registration details under:

    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\swi_update_64 "

    I see the "Group " is "Event Log " which makes it start very early on in start-up,  I guess this is why it is a service, to guarantee it runs early enough to do the neccessary unloading and loading of the LSP.  The Windows Internals books have a good section on startup and shutdown.  http://technet.microsoft.com/en-us/sysinternals/bb897416 also confirms how early it starts in relation to other services.

    Jak

    :21967
  • 0

    "C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe" /help   - This command yielded some interesting results.

    LSP = Layered Service Provider ?

    If so, I am assuming it is required to start so early because if the Web Intelligence portion of the software does have an update it would need to be updated before the swi service itself is started. Otherwise updates would not take effect until next reboot or the service is restarted?

    I was wondering what the purpose of the options "/enableLsp", "/disableLsp", and "forceDisableLsp"?

    In what instance would you want to use these options. 

    For the option "disableLsp" would this prevent the ability to SWI to be able to monitor the traffic coming through the web browser into the PC? This would effectively disable SWI without shutting off the service? But since this is for the update exe.. Are these options required depending upon whether or not the service decides it needs to update?

    Perhaps it disables LSP long enough for SWI to update, and then it is re-enabled?

    :21969
  • 0

    I am getting a similar notification running SEC 5.0.0.8 on SBS2003. In the daily server performance report email Sophos Web Intelligence Update is listed as an 'Auto-started Service Not Running' which flags as an error. I understand that although set to auto, this service only runs when needed so this is not a true error, just wondering if there is a way to suppress this notification with a view to tidying the logs

    :22577
  • 0

    I have the same issue on an SBS2003 server. Has anyone come up with away of suppressing this warning in the daily log yet?

    :34881
  • 0

    I am still getting this message daily. It is clearly not an issue but would be good to get rid of it and clean the logs up

    :34887
  • 0

    If the service is meant to start up and then stop when it isn't being used, then it should be set to Manual, not Automatic. Is it a problem to set it to Manual? Our SCOM server is alerting on it since it expects, RIGHTFULLY, that a service set to Automatic is expected to be running at all times.

    :45239
  • 0

    Hello MikeFinney,

    it expects, RIGHTFULLY, that a service set to Automatic is expected to be running at all times

    who says so? Admittedly there aren't many services showing this behaviour but  Microsoft .NET Framework NGEN ... is one of them.

    Christian

    :45253