Application Resilience policies for Sophos Endpoint Protection

You can activate an Application Resilience policy for Sophos Endpoint Protection to collect information about the functional status of the Sophos Endpoint Protection products installed on your Windows devices and view the results in reports. You can also configure the policy to attempt to repair or reinstall the application.

Application Resilience policies for Sophos Endpoint Protection always include the Core Agent. Intercept X, Device Encryption, and Endpoint Protection can also be included in an Application Resilience policy if they are selected in the policy configuration.

Application Resilience policies for Sophos Endpoint Protection are supported on devices running:

  • a supported version of the Windows operating system

  • PowerShell version 5.1 or higher

    Due to PowerShell restrictions imposed by Microsoft, Application Resilience isn't supported for this application on devices running Windows 11 SE.

  • one of the following versions of Sophos Endpoint Protection:

    • 2022.1.x or higher

      Significant software changes in higher versions may cause health checks to become invalid.

    • 2.20.10.x to 2.20.13.x
    • 2.0.x to 2.20.6.x

In addition to checking the version, the following table describes the health checks performed:

If you select Report higher versions as Compliant, higher versions report Compliant without running health checks.

Component Test performed
Services Installed Running Signed by

Core agent

  • Sophos Endpoint Defense Service (SEDService.exe)
  • Sophos System Protection Service (SSPService.exe)
  • Sophos MCS Agent (McsAgent.exe)
  • Sophos MCS Client (McsClient.exe)
  • Sophos Health Service (SophosHealth.exe)

Intercept X

  • Sophos File Scanner Service (SophosFS.exe)1

Endpoint Protection

  • Sophos Network Threat Protection (SophosNtpService.exe)2
  • HitmanPro.Alert service (hmpalert.exe)2

Device Encryption

  • Sophos Device Encryption Service (Sophos.Encryption.BitLockerService.exe)3
 P P

One of the signers entered in the policy configuration

By default, Signers contains "Sophos Limited" and "Sophos Ltd".
Application name

The application uses the following name:

  • Sophos Endpoint Agent

1 Only checked if Intercept X is selected in the policy configuration

2 Only checked if Endpoint Protection is selected in the policy configuration

3 Only checked if Device Encryption is selected in the policy configuration

In addition to checking the version, the following table describes the health checks performed:

If you select Report higher versions as Compliant, higher versions report Compliant without running health checks.

Component Test performed
Services Installed Running Signed by

Core agent

  • Sophos Endpoint Defense Service (SEDService.exe)
  • Sophos System Protection Service (SSPService.exe)
  • Sophos MCS Agent (McsAgent.exe)
  • Sophos MCS Client (McsClient.exe)
  • Sophos Health Service (SophosHealth.exe)
  • Sophos AutoUpdate Service (ALsvc.exe)

Intercept X

  • Sophos File Scanner Service (SophosFS.exe)1

Endpoint Protection

  • Sophos Network Threat Protection (SophosNtpService.exe)2
  • HitmanPro.Alert service (hmpalert.exe)2

Device Encryption

  • Sophos Device Encryption Service (Sophos.Encryption.BitLockerService.exe)3
 P P

Sophos Ltd
Application name

The application uses the following name:

  • Sophos Endpoint Agent

1 Only checked if Intercept X is selected in the policy configuration

2 Only checked if Endpoint Protection is selected in the policy configuration

3 Only checked if Device Encryption is selected in the policy configuration

In addition to checking the version, the following table describes the health checks performed:

If you select Report higher versions as Compliant, higher versions report Compliant without running health checks.

Component Test performed
Services Installed Running Signed by

Core agent

  • Sophos Endpoint Defense Service (SEDService.exe)
  • Sophos System Protection Service (SSPService.exe)
  • Sophos MCS Agent (McsAgent.exe)
  • Sophos MCS Client (McsClient.exe)
  • Sophos Health Service (SophosHealth.exe)
  • Sophos AutoUpdate Service (ALsvc.exe)

Intercept X

  • Sophos File Scanner Service (SophosFS.exe)1
  • Sophos Clean (SophosCleanM.exe or SophosCleanM64.exe)1
  • Sophos Safestore (SophosSafestore.exe or SophosSafestore64.exe)1

Endpoint Protection

  • Sophos Web Control Service (swc_service.exe)2
  • Sophos Anti-Virus (SavService.exe)2
  • Sophos Anti-Virus status reporter (SAVAdminService.exe)2
  • Sophos Web Intelligence Service (swi_service.exe)2
  • Sophos Web Filter (swi_filter.exe)2
  • Sophos Device Control Service (sdcservice.exe)2
  • Sophos Network Threat Protection (SophosNtpService.exe)2
  • HitmanPro.Alert service (hmpalert.exe)2

Device Encryption

  • Sophos Device Encryption Service (Sophos.Encryption.BitLockerService.exe)3
 P P

Sophos Ltd
Application name

The application uses the following name:

  • Sophos Endpoint Agent

1 Only checked if Intercept X is selected in the policy configuration

2 Only checked if Endpoint Protection is selected in the policy configuration

3 Only checked if Device Encryption is selected in the policy configuration

You can configure an Application Resilience policy for Sophos Endpoint Protection to enable the Application Resilience (RAR) component A lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated. to attempt to repair Sophos Endpoint Protection if it's not functioning, or reinstall it if it's missing or can't be repaired.

Depending on the Absolute product licenses associated with your account, the Report and repair and Report, repair, and reinstall options may not be available.

The RAR component of the Secure Endpoint Agent can respond to the following issues:

Issue Resolution
Repair

One or more of the following services aren't running:

Core agent

  • Sophos Endpoint Defense Service (SEDService.exe)
  • Sophos System Protection Service (SSPService.exe)
  • Sophos MCS Agent (McsAgent.exe)
  • Sophos MCS Client (McsClient.exe)
  • Sophos Health Service (SophosHealth.exe)

Intercept X

  • Sophos File Scanner Service (SophosFS.exe)1

Endpoint Protection

  • Sophos Network Threat Protection (SophosNtpService.exe)2
  • HitmanPro.Alert service (hmpalert.exe)2

Device Encryption

  • Sophos Device Encryption Service (Sophos.Encryption.BitLockerService.exe)3

The RAR component restarts each stopped service.

Tamper Protection must be disabled in your Sophos Endpoint Protection configuration for the RAR component to successfully repair Sophos Endpoint Protection.

One or more of the following services aren't installed and the service's executable can be detected on the device:

Core agent

  • Sophos Endpoint Defense Service (SEDService.exe)
  • Sophos System Protection Service (SSPService.exe)
  • Sophos MCS Agent (McsAgent.exe)
  • Sophos MCS Client (McsClient.exe)
  • Sophos Health Service (SophosHealth.exe)

Intercept X

  • Sophos File Scanner Service (SophosFS.exe)1

Endpoint Protection

  • Sophos Network Threat Protection (SophosNtpService.exe)2
  • HitmanPro.Alert service (hmpalert.exe)2

Device Encryption

  • Sophos Device Encryption Service (Sophos.Encryption.BitLockerService.exe)3

The RAR component reinstalls each missing service.

Tamper Protection must be disabled in your Sophos Endpoint Protection configuration for the RAR component to successfully repair Sophos Endpoint Protection.
Reinstall

Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken.

One or more of the following services aren't installed and the service's executable cannot be detected on the device:

Core agent

  • Sophos Endpoint Defense Service (SEDService.exe)
  • Sophos System Protection Service (SSPService.exe)
  • Sophos MCS Agent (McsAgent.exe)
  • Sophos MCS Client (McsClient.exe)
  • Sophos Health Service (SophosHealth.exe)

Intercept X

  • Sophos File Scanner Service (SophosFS.exe)1

Endpoint Protection

  • Sophos Network Threat Protection (SophosNtpService.exe)2
  • HitmanPro.Alert service (hmpalert.exe)2

Device Encryption

  • Sophos Device Encryption Service (Sophos.Encryption.BitLockerService.exe)3

If the application is installed, the RAR component uninstalls it. After the application is uninstalled, or if the application wasn't installed, the RAR component downloads and installs the configured version of the application.

A device restart is required after the application is uninstalled. The Secure Endpoint Agent doesn't force the device to restart, so a status of Not Compliant continues to show in the Application Resilience reports until the device user performs a restart and the configured version of the application is downloaded and installed. You can review the report's Status details to determine if a restart is required.

If Sophos Endpoint Protection is installed on the device, the RAR component checks the device's registry keys to make sure Tamper Protection is disabled on the device and that the device doesn't require a restart. If both these conditions aren't met, the RAR component doesn't attempt to reinstall Sophos Endpoint Protection.
Sophos Endpoint Protection failed to be repaired, or the expected version isn't installed

1 Only checked if Intercept X is selected in the policy configuration

2 Only checked if Endpoint Protection is selected in the policy configuration

3 Only checked if Device Encryption is selected in the policy configuration

Issue Resolution
Repair

One or more of the following services aren't running:

Core agent

  • Sophos Endpoint Defense Service (SEDService.exe)
  • Sophos System Protection Service (SSPService.exe)
  • Sophos MCS Agent (McsAgent.exe)
  • Sophos MCS Client (McsClient.exe)
  • Sophos Health Service (SophosHealth.exe)
  • Sophos AutoUpdate Service (ALsvc.exe)

Intercept X

  • Sophos File Scanner Service (SophosFS.exe)1

Endpoint Protection

  • Sophos Network Threat Protection (SophosNtpService.exe)2
  • HitmanPro.Alert service (hmpalert.exe)2

Device Encryption

  • Sophos Device Encryption Service (Sophos.Encryption.BitLockerService.exe)3

The RAR component restarts each stopped service.

Tamper Protection must be disabled in your Sophos Endpoint Protection configuration for the RAR component to successfully repair Sophos Endpoint Protection.

One or more of the following services aren't installed and the service's executable can be detected on the device:

Core agent

  • Sophos Endpoint Defense Service (SEDService.exe)
  • Sophos System Protection Service (SSPService.exe)
  • Sophos MCS Agent (McsAgent.exe)
  • Sophos MCS Client (McsClient.exe)
  • Sophos Health Service (SophosHealth.exe)
  • Sophos AutoUpdate Service (ALsvc.exe)

Intercept X

  • Sophos File Scanner Service (SophosFS.exe)1

Endpoint Protection

  • Sophos Network Threat Protection (SophosNtpService.exe)2
  • HitmanPro.Alert service (hmpalert.exe)2

Device Encryption

  • Sophos Device Encryption Service (Sophos.Encryption.BitLockerService.exe)3

The RAR component reinstalls each missing service.

Tamper Protection must be disabled in your Sophos Endpoint Protection configuration for the RAR component to successfully repair Sophos Endpoint Protection.
Reinstall

Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken.

One or more of the following services aren't installed and the service's executable cannot be detected on the device:

Core agent

  • Sophos Endpoint Defense Service (SEDService.exe)
  • Sophos System Protection Service (SSPService.exe)
  • Sophos MCS Agent (McsAgent.exe)
  • Sophos MCS Client (McsClient.exe)
  • Sophos Health Service (SophosHealth.exe)
  • Sophos AutoUpdate Service (ALsvc.exe)

Intercept X

  • Sophos File Scanner Service (SophosFS.exe)1

Endpoint Protection

  • Sophos Network Threat Protection (SophosNtpService.exe)2
  • HitmanPro.Alert service (hmpalert.exe)2

Device Encryption

  • Sophos Device Encryption Service (Sophos.Encryption.BitLockerService.exe)3

If the application is installed, the RAR component uninstalls it. After the application is uninstalled, or if the application wasn't installed, the RAR component downloads and installs the configured version of the application.

A device restart is required after the application is uninstalled. The Secure Endpoint Agent doesn't force the device to restart, so a status of Not Compliant continues to show in the Application Resilience reports until the device user performs a restart and the configured version of the application is downloaded and installed. You can review the report's Status details to determine if a restart is required.

If Sophos Endpoint Protection is installed on the device, the RAR component checks the device's registry keys to make sure Tamper Protection is disabled on the device and that the device doesn't require a restart. If both these conditions aren't met, the RAR component doesn't attempt to reinstall Sophos Endpoint Protection.
Sophos Endpoint Protection failed to be repaired, or the expected version isn't installed

1 Only checked if Intercept X is selected in the policy configuration

2 Only checked if Endpoint Protection is selected in the policy configuration

3 Only checked if Device Encryption is selected in the policy configuration

Issue Resolution
Repair

One or more of the following services aren't running:

Core agent

  • Sophos Endpoint Defense Service (SEDService.exe)
  • Sophos System Protection Service (SSPService.exe)
  • Sophos MCS Agent (McsAgent.exe)
  • Sophos MCS Client (McsClient.exe)
  • Sophos Health Service (SophosHealth.exe)
  • Sophos AutoUpdate Service (ALsvc.exe)

Intercept X

  • Sophos File Scanner Service (SophosFS.exe)1
  • Sophos Clean (SophosCleanM.exe or SophosCleanM64.exe)1
  • Sophos Safestore (SophosSafestore.exe or SophosSafestore64.exe)1

Endpoint Protection

  • Sophos Web Control Service (swc_service.exe)2
  • Sophos Anti-Virus (SavService.exe)2
  • Sophos Anti-Virus status reporter (SAVAdminService.exe)2
  • Sophos Web Intelligence Service (swi_service.exe)2
  • Sophos Web Filter (swi_filter.exe)2
  • Sophos Device Control Service (sdcservice.exe)2
  • Sophos Network Threat Protection (SophosNtpService.exe)2
  • HitmanPro.Alert service (hmpalert.exe)2

Device Encryption

  • Sophos Device Encryption Service (Sophos.Encryption.BitLockerService.exe)3

The RAR component restarts each stopped service.

Tamper Protection must be disabled in your Sophos Endpoint Protection configuration for the RAR component to successfully repair Sophos Endpoint Protection.

One or more of the following services aren't installed and the service's executable can be detected on the device:

Core agent

  • Sophos Endpoint Defense Service (SEDService.exe)
  • Sophos System Protection Service (SSPService.exe)
  • Sophos MCS Agent (McsAgent.exe)
  • Sophos MCS Client (McsClient.exe)
  • Sophos Health Service (SophosHealth.exe)
  • Sophos AutoUpdate Service (ALsvc.exe)

Intercept X

  • Sophos File Scanner Service (SophosFS.exe)1
  • Sophos Clean (SophosCleanM.exe or SophosCleanM64.exe)1
  • Sophos Safestore (SophosSafestore.exe or SophosSafestore64.exe)1

Endpoint Protection

  • Sophos Web Control Service (swc_service.exe)2
  • Sophos Anti-Virus (SavService.exe)2
  • Sophos Anti-Virus status reporter (SAVAdminService.exe)2
  • Sophos Web Intelligence Service (swi_service.exe)2
  • Sophos Web Filter (swi_filter.exe)2
  • Sophos Device Control Service (sdcservice.exe)2
  • Sophos Network Threat Protection (SophosNtpService.exe)2
  • HitmanPro.Alert service (hmpalert.exe)2

Device Encryption

  • Sophos Device Encryption Service (Sophos.Encryption.BitLockerService.exe)3

The RAR component reinstalls each missing service.

Tamper Protection must be disabled in your Sophos Endpoint Protection configuration for the RAR component to successfully repair Sophos Endpoint Protection.
Reinstall

Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken.

One or more of the following services aren't installed and the service's executable cannot be detected on the device:

Core agent

  • Sophos Endpoint Defense Service (SEDService.exe)
  • Sophos System Protection Service (SSPService.exe)
  • Sophos MCS Agent (McsAgent.exe)
  • Sophos MCS Client (McsClient.exe)
  • Sophos Health Service (SophosHealth.exe)
  • Sophos AutoUpdate Service (ALsvc.exe)

Intercept X

  • Sophos File Scanner Service (SophosFS.exe)1
  • Sophos Clean (SophosCleanM.exe or SophosCleanM64.exe)1
  • Sophos Safestore (SophosSafestore.exe or SophosSafestore64.exe)1

Endpoint Protection

  • Sophos Web Control Service (swc_service.exe)2
  • Sophos Anti-Virus (SavService.exe)2
  • Sophos Anti-Virus status reporter (SAVAdminService.exe)2
  • Sophos Web Intelligence Service (swi_service.exe)2
  • Sophos Web Filter (swi_filter.exe)2
  • Sophos Device Control Service (sdcservice.exe)2
  • Sophos Network Threat Protection (SophosNtpService.exe)2
  • HitmanPro.Alert service (hmpalert.exe)2

Device Encryption

  • Sophos Device Encryption Service (Sophos.Encryption.BitLockerService.exe)3

The RAR component downloads and installs the configured version of the application.

If Sophos Endpoint Protection is installed on the device, the RAR component checks the device's registry keys to make sure Tamper Protection is disabled on the device and that the device doesn't require a restart. If both these conditions aren't met, the RAR component doesn't attempt to reinstall Sophos Endpoint Protection.
Sophos Endpoint Protection failed to be repaired, or the expected version isn't installed

1 Only checked if Intercept X is selected in the policy configuration

2 Only checked if Endpoint Protection is selected in the policy configuration

3 Only checked if Device Encryption is selected in the policy configuration

The installer:

  • must be an EXE file
  • can have any file name

The RAR component looks for the following files names when checking pre-cached installers:

Component File name
Installers SophosESC.exe

Before you activate an Application Resilience policy you need to configure the policy. You need to configure the application version and indicate if the additional products are required for your configuration in addition to the settings in Configuring Application Resilience policies.

To configure the application version and additional products:

  1. Under Application version, select 2022.1.* or higher from the drop-down.

  2. Under Sophos Endpoint Protection version, enter the version of Sophos Endpoint Protection that you expect to be running on your devices.

    • The target version must be a sequence of digits separated by a period.
    • You can use wildcard "*" characters after the major version, for example, 2022.*, 2022.1.* or 2022.1.1.*.

    Make sure the version you are entering is consistent with either version 2022.1.x or higher.

  3. Under Additional products that need to be checked, select the additional products that are used in your Sophos Endpoint Protection configuration:

    • Intercept X
    • Endpoint Protection
    • Device Encryption

If you selected the Report, repair, and reinstall option, you also need to configure these settings in addition to the settings in Configuring Application Resilience policies.

To configure the Sophos Endpoint Protection additional settings:

  1. [Optional] To only reinstall the application if it's missing, select the checkbox next to Do not reinstall or upgrade if the app is already installed. When this option is selected, the application is not reinstalled when either of the following conditions apply:

    • The application version is lower than the expected version.
    • The application can't be repaired.

  2. [Optional] Under Additional installation commands, enter the applicable installation command-line parameters to configure any settings not covered by the policy configuration. For more information on available parameters, see the Sophos Endpoint Protection documentation.

Before you activate an Application Resilience policy you need to configure the policy. You need to configure the application version and indicate if the additional products are required for your configuration in addition to the settings in Configuring Application Resilience policies.

To configure the application version and additional products:

  1. Under Application version, select 2.20.10.* - 2.20.13.* from the drop-down.

  2. Under Sophos Endpoint Protection version, enter the version of Sophos Endpoint Protection that you expect to be running on your devices.

    • The target version must be a sequence of digits separated by a period.
    • You can use wildcard "*" characters after the major version, for example, 2.* or 2.20.* or 2.20.10.*.

    Make sure the version you are entering is consistent with either version 2.20.10.x to 2.20.13.x.

  3. Under Additional products that need to be checked, select the additional products that are used in your Sophos Endpoint Protection configuration:

    • Intercept X
    • Endpoint Protection
    • Device Encryption

If you selected the Report, repair, and reinstall option, you also need to configure these settings in addition to the settings in Configuring Application Resilience policies.

To configure the Sophos Endpoint Protection additional settings:

  1. [Optional] To only reinstall the application if it's missing, select the checkbox next to Do not reinstall or upgrade if the app is already installed. When this option is selected, the application is not reinstalled when either of the following conditions apply:

    • The application version is lower than the expected version.
    • The application can't be repaired.

  2. [Optional] Under Additional installation commands, enter the applicable installation command-line parameters to configure any settings not covered by the policy configuration. For more information on available parameters, see the Sophos Endpoint Protection documentation.

Before you activate an Application Resilience policy you need to configure the policy. You need to configure the application version and indicate if the additional products are required for your configuration in addition to the settings in Configuring Application Resilience policies.

To configure the application version and additional products:

  1. Under Application version, select 2.0.* - 2.20.6.* from the drop-down.

  2. Under Sophos Endpoint Protection version, enter the version of Sophos Endpoint Protection that you expect to be running on your devices.

    • The target version must be a sequence of digits separated by a period.
    • You can use wildcard "*" characters after the major version, for example, 2.* or 2.19.* or 2.19.8.*.

    Make sure the version you are entering is consistent with version 2.0.x to 2.20.6.x.

  3. Under Additional products that need to be checked, select the additional products that are used in your Sophos Endpoint Protection configuration:

    • Intercept X
    • Endpoint Protection
    • Device Encryption

If you selected the Report, repair, and reinstall option, you also need to configure these settings in addition to the settings in Configuring Application Resilience policies.

To configure the Sophos Endpoint Protection additional settings:

  1. [Optional] To only reinstall the application if it's missing, select the checkbox next to Do not reinstall or upgrade if the app is already installed. When this option is selected, the application is not reinstalled when either of the following conditions apply:

    • The application version is lower than the expected version.
    • The application can't be repaired.

  2. [Optional] Under Additional installation commands, enter the applicable installation command-line parameters to configure any settings not covered by the policy configuration. For more information on available parameters, see the Sophos Endpoint Protection documentation.