I have a number of machines whereby this Sophos System Protection Service stopped suddenly.
I have to restart the service manually.
This is from the Windows event log.
The Sophos System Protection Service service terminated unexpectedly. It has done this 4 time(s).
Ahh, that's interesting and at least the cause of why it's stopped.
In that case I would probably try and obtain a dump of the crash and submit it to Support.
E.g.
1. Create dir C:\dumps\
2. Download procdump to this same directory. https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
3. In an admin prompt run:
procdump -ma -i C:\dumps
Next time it crashes you should have dumps under C:\dumps\
Note: You can run "procdump -u" to "uninstall/unregister" procdump.
SSP does a few things. One thing it does is collect data for RCAs. This can be toggled in the threat protection policy.
It might be worth disabling RCA for a test computer this is happening on and see if disabling that helps.
It would be worth getting the dumps first though but maybe you can prevent it crashing with a config change which would also be useful information.
Regards,
Jak
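To confirm that each crash actually produced a dump before sending anything to Support, the crash events can be matched against the files in C:\dumps. This is an added example, not part of the original replies; it assumes the crash is logged by Service Control Manager as event ID 7034 in the System log, and the 5-minute matching window is an arbitrary choice.

```powershell
# Added example, not from the original thread.
# Assumptions: the "terminated unexpectedly" entry is Service Control Manager
# event ID 7034; the service display name and C:\dumps are taken from the thread;
# the 5-minute correlation window is an arbitrary choice.
$serviceName   = 'Sophos System Protection Service'
$dumpDir       = 'C:\dumps'
$windowMinutes = 5

# Unexpected-termination events for this service, oldest first.
$filter  = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7034 }
$crashes = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$serviceName*" } |
    Sort-Object TimeCreated)

# Dump files written by procdump, if the directory exists yet.
$dumps = @()
if (Test-Path $dumpDir) {
    $dumps = @(Get-ChildItem -Path $dumpDir -Filter '*.dmp' | Sort-Object LastWriteTime)
}

if ($crashes.Count -eq 0) {
    Write-Output "No unexpected terminations of '$serviceName' found in the System log."
    return
}

# Pair every crash event with the first dump written close to it in time.
$report = foreach ($c in $crashes) {
    $dump = $dumps | Where-Object {
        [math]::Abs(($_.LastWriteTime - $c.TimeCreated).TotalMinutes) -le $windowMinutes
    } | Select-Object -First 1

    [pscustomobject]@{
        CrashTime  = $c.TimeCreated
        DumpFile   = if ($dump) { $dump.FullName } else { '(none found)' }
        DumpSizeMB = if ($dump) { [math]::Round($dump.Length / 1MB, 1) } else { $null }
    }
}

$report | Format-Table -AutoSize

# Crashes with no dump suggest procdump was not registered at the time
# (or was unregistered with "procdump -u").
$missing = @($report | Where-Object { $_.DumpFile -eq '(none found)' }).Count
Write-Output "$($crashes.Count) crash event(s), $missing without a matching dump."
```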
OK, good to know. I think other than getting a couple of dumps to Sophos and the logs, there isn't much more you can do at this point but at least you can keep the service running by disabling the feature in the short term.
RCA is really an elaborate reporting mechanism, so at least you're not removing a detection mechanism.
Regards,
Jak