The Sophos Agent service repeatedly fails to start, whether it is started manually, as part of a corrective action, or at system start-up.
As a result the following symptoms may be observed:
- Event ID 67860 is logged by the 'Service Control Manager' in the System Event log with a message similar to:
The Sophos Agent service terminated unexpectedly. It has done this 26 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
- The endpoint shows as out-of-date in the console and is unresponsive to actions such as scan now, comply with policy, update now, etc.
- If this issue occurs with the 'Sophos Agent' service on the management server, multiple computers can show as out of date because the Sophos Update Manager status message is not being processed.
Note: This issue does not affect the endpoint or server's ability to update and maintain protection; it affects the endpoint or server's ability to send and receive messages that are generated by the various endpoint components such as Sophos Anti-Virus, Sophos Update Manager, AutoUpdate, Patch Assessment etc.
First seen in
Sophos Anti-Virus for Windows 2000+
Failure of the Sophos Agent to start is typically caused by one of the Sophos Agent adapters, or its corresponding policy, having become corrupt.
The adapters are how the various endpoint modules, such as Sophos Anti-Virus, AutoUpdate, Patch Assessment etc., send and receive messages to and from the Message Router, which in turn communicates back to the Sophos Enterprise Console server.
What To Do
The most likely cause is the corruption of the Sophos AutoUpdate agent adapter policy during shutdown of the computer. To resolve this issue do as follows:
- Upgrade to SAV 10.3.11. This version has a fix that enables the Sophos Agent service to start if it encounters a 0 byte file. As a result, the client can re-fetch the updating policy to correct the locally cached policy file.
If you are unable to upgrade to this version, follow the steps below:
- Browse to the following location:
C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\ALC\
C:\Documents and Settings\All Users\Application Data\Sophos\Remote Management System\3\Agent\AdapterStorage\ALC\
- Check the file size of
- If this file is 0kb in size, delete the file.
- Start the "Sophos Agent" service; it should start without issue.
- A new SAUPolicy file should be generated within 30 seconds. This file is typically ~9kb in size.
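The manual check above can be scripted as follows. This is an added example, not Sophos code: it uses the two folder paths and the 'Sophos Agent' display name from this article, and because the file name is not given in the step above it generalizes by reporting every 0-byte file in the ALC folder. The `-Remediate` switch is a hypothetical parameter of this script; without it nothing is deleted.

```powershell
# Added example, not Sophos code. Folder paths and the 'Sophos Agent' display
# name are taken from the article; everything else is illustrative.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # hypothetical switch: without it the script only reports
)

# On Windows Vista and later, 'Documents and Settings' paths are compatibility
# links into the newer layout, so use only the first path that exists.
$alcDir = @(
    'C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\ALC',
    'C:\Documents and Settings\All Users\Application Data\Sophos\Remote Management System\3\Agent\AdapterStorage\ALC'
) | Where-Object { Test-Path -LiteralPath $_ -PathType Container } | Select-Object -First 1

if (-not $alcDir) {
    Write-Warning 'ALC adapter storage folder not found on this machine.'
    return
}

# Assumption: the article does not name the file, so list every 0-byte file here.
$empty = @(Get-ChildItem -LiteralPath $alcDir -Force |
    Where-Object { -not $_.PSIsContainer -and $_.Length -eq 0 })

if ($empty.Count -eq 0) {
    Write-Host "No 0-byte files in $alcDir"
} else {
    $empty | ForEach-Object {
        Write-Host ("0-byte file: {0} (last written {1})" -f $_.FullName, $_.LastWriteTime)
    }
}

if ($Remediate -and $empty.Count -gt 0) {
    foreach ($file in $empty) {
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete 0-byte cached policy file')) {
            Remove-Item -LiteralPath $file.FullName -Force
        }
    }
    Start-Service -DisplayName 'Sophos Agent'
    Start-Sleep -Seconds 30   # the article expects a new policy file within 30 seconds
    Get-ChildItem -LiteralPath $alcDir -Force |
        ForEach-Object { Write-Host ("{0,-30} {1,10} bytes" -f $_.Name, $_.Length) }
}

# Final service state, so a repeat crash is visible immediately.
Get-Service -DisplayName 'Sophos Agent' | Select-Object DisplayName, Status
```

Run it from an elevated PowerShell prompt; adding `-WhatIf` alongside `-Remediate` shows which files would be deleted without changing anything.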
If the Sophos Agent service still does not start, perform the following steps and then contact Sophos Technical Support, providing them with an explanation of your issue and what you have attempted so far.
- Restart the system.
- Open the Registry Editor. See KBA 10388 for more information.
- Browse to the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Remote Management System\ManagementAgent]
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Remote Management System\ManagementAgent]
- Create a new DWORD value named 'LogLevel'.
- Change its value to 2.
- Install and start Process Monitor (please see KBA 119038 for instructions on generating a normal Process Monitor log).
- Attempt to start the 'Sophos Agent' service (make note of the time you attempted to start the service and if the results differ from the previous 1067 error).
- Stop Process Monitor.
- Save the Process Monitor log with all events and compress the .PML into a .zip.
- Gather a Sophos Diagnostic Utility (SDU) archive.
- Send the SDU and Process Monitor log archive to Sophos Technical Support.