For help with the Sophos Protection for Linux agent on your devices, see Sophos Protection for Linux help.

Sophos Protection for Linux troubleshooting

This page details how to troubleshoot common errors in Sophos Protection for Linux (SPL).

Note

You can use the Sophos Diagnostic Utility (SDU) to gain additional insight into events when troubleshooting. When you run it, the SDU collects all SPL logs, system information, and system logs. For the SDU to be able to collect the system logs, we recommend you configure your Linux devices to preserve them after a restart. Some platforms have this configured by default.

Installation troubleshooting

Tip

If you need more insight into an error, turn debug logging on and run the installer again. See Debug thin installer.

./SophosSetup.sh: Permission denied

You must add the execute permission to SophosSetup.sh. Run the following command:

chmod +x SophosSetup.sh

Please run this installer as root

You must run SophosSetup.sh with root privileges. Use the sudo command or switch to the root user.

Found an existing installation of SAV in /opt/sophos-av/. This product cannot be run alongside Sophos Anti-Virus

You must remove Sophos Anti-Virus for Linux before you install SPL.

SPL installation will fail, can not install to '<path>'.

The installer refuses an --install-dir path that is a symlink. Re-run the installer with the --install-dir option set to the real directory the symlink points to, not to the link itself.

Cannot connect to Sophos Central - please check your network connections

Your Linux machine must be able to connect to the internet and traffic to all Sophos Central domains must be allowed before you can install SPL. See Domains and ports to allow.

SPL installation will fail as a connection to Sophos Central could not be established

The pre-installation checks fail if curl isn't installed on the Linux device, because they rely on it to test connectivity. Install curl and try again. Depending on which connection the check was testing, you may instead see one of the following messages:

  • SPL installation will fail as a connection to the SUS server could not be established
  • SPL installation will fail as a connection to a CDN server could not be established

Failed to connect to repository: error:

Your Linux devices are assigned to a software package that's been retired. Change your Update Management policy and assign your Linux devices to a current software package. See Server Update Management Policy.

Failed to install as setcap is not installed

When the libcap package is missing on the Linux server, the Sophos Protection for Linux Anti-Virus plugin fails to install and continues to retry the installation every hour. The installation log shows the following errors:

497 [2021-08-31T10:51:09.950] INFO [2080044800] suldownloaderdata <> Installing product: ServerProtectionLinux-Plugin-AV version: 1.0.2.93
736 [2021-08-31T10:51:10.189] INFO [2080044800] suldownloaderdata <> which: no setcap in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin)
Failed to install as setcap is not installed, please see https://support.sophos.com/support/s/article/KBA-000007609

736 [2021-08-31T10:51:10.189] ERROR [2080044800] suldownloaderdata <> Installation failed
736 [2021-08-31T10:51:10.189] INFO [2080044800] suldownloaderdata <> Downloaded Product line: 'ServerProtectionLinux-Plugin-EDR' is up to date.
740 [2021-08-31T10:51:10.193] WARN [2080044800] suldownloaderdata <> Update failed, with code: 103
740 [2021-08-31T10:51:10.193] INFO [2080044800] suldownloaderdata <> Generating the report file in: /opt/sophos-spl/base/update/var/updatescheduler

Run one of the following commands based on your Linux distribution:

  • Debian-based Linux: apt install libcap2-bin
  • RHEL, CentOS, Amazon Linux: yum install libcap
  • SLES: zypper install libcap-progs
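The install-time failures above (missing execute bit, not running as root, a leftover Sophos Anti-Virus install, a symlinked --install-dir, and a missing curl or setcap) can all be caught before SophosSetup.sh is run. The following POSIX shell pre-flight script is an added example and not part of SophosSetup.sh or any Sophos tooling: it uses the default paths named on this page (/opt/sophos-av, /opt) and does not test Sophos Central connectivity, because the domain list lives on a separate page.

```shell
#!/bin/sh
# Pre-flight checks for the installer failures listed above. Added example,
# not Sophos code. Paths are the defaults named on this page; the Sophos
# Central connectivity check is omitted because the domain list is elsewhere.

# The installer must exist and carry the execute bit ("Permission denied").
spl_check_installer() {
    [ -f "$1" ] || { echo "installer $1 not found"; return 1; }
    [ -x "$1" ] || { echo "installer $1 is not executable; run: chmod +x $1"; return 1; }
    return 0
}

# SPL cannot run alongside Sophos Anti-Virus for Linux (default /opt/sophos-av).
spl_check_no_sav() {
    sav_dir="${1:-/opt/sophos-av}"
    if [ -d "$sav_dir" ]; then
        echo "existing Sophos Anti-Virus in $sav_dir; remove it before installing SPL"
        return 1
    fi
    return 0
}

# The pre-installation checks need curl; the AV plugin needs setcap (libcap).
spl_check_tools() {
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    [ -z "$missing" ] && return 0
    echo "missing tools:$missing"
    return 1
}

# Print the canonical path for an --install-dir value. The installer refuses a
# symlink, so point it at the directory the link resolves to instead.
# Paths that do not exist yet are returned unchanged.
spl_resolve_install_dir() {
    dir="$1"
    [ -e "$dir" ] || { echo "$dir"; return 0; }
    real=$(cd "$dir" 2>/dev/null && pwd -P) || { echo "$dir"; return 1; }
    echo "$real"
}

# Run every check and report; exit status is non-zero if any check failed.
spl_preflight() {
    installer="${1:-./SophosSetup.sh}"
    install_dir="${2:-/opt}"
    rc=0
    [ "$(id -u)" -eq 0 ] || { echo "not running as root; use sudo or switch to root"; rc=1; }
    spl_check_installer "$installer" || rc=1
    spl_check_no_sav || rc=1
    spl_check_tools curl setcap || rc=1
    real_dir=$(spl_resolve_install_dir "$install_dir")
    if [ "$real_dir" != "$install_dir" ]; then
        echo "$install_dir resolves to $real_dir; use --install-dir $real_dir"
    fi
    return "$rc"
}

# Usage: spl_preflight ./SophosSetup.sh /opt
```

Run spl_preflight as root on the target device before the installer; each helper can also be called on its own, for example spl_resolve_install_dir on a candidate directory to get the value to pass to --install-dir.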

Components not running or failing to install.

If a product is missing, make sure you have the correct license for the missing product.

If the product is installed but not running, check the logs for the relevant components:

  • Check the log for the affected component at /opt/sophos-spl/plugins/<plugin name>/log.
  • Check the installation log for the relevant component at /opt/sophos-spl/logs/installation/<component>_install.log.
  • Check the watchdog log to see whether a component failed to start at /opt/sophos-spl/logs/base/watchdog.log.
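To triage the logs listed above, and the suldownloader excerpt in the setcap section, the following awk-based helper is an added example rather than part of SPL. It parses the line format visible in that excerpt (counter, bracketed timestamp, level, bracketed thread id, component, a "<>" separator, then the message) and assumes, which is not confirmed on this page, that the plugin, installation and watchdog logs use the same format. It reports WARN and ERROR entries, entries whose text mentions a failure, and the product that was being installed at the time, with continuation lines attached to the entry they follow.

```shell
# Triage helper for SPL logs in the line format shown in the excerpt above:
#   <counter> [<timestamp>] <LEVEL> [<thread>] <component> <> <message>
# Added example, not Sophos code. Assumes (unconfirmed) that the plugin,
# installation and watchdog logs use the same format. Lines without that
# prefix (such as the "Failed to install as setcap ..." line in the excerpt)
# are treated as continuations of the previous entry.
spl_log_failures() {
    awk '
    # Emit the buffered entry if it is WARN/ERROR or its text mentions a failure.
    function flush() {
        if (have && (level == "ERROR" || level == "WARN" || msg ~ /[Ff]ailed/)) {
            out = ts " " level " " comp ": " msg
            if (product != "") out = out " [product: " product "]"
            print out
        }
        have = 0
    }
    # Fields: $1 counter, $2 [timestamp], $3 level, $4 [thread], $5 component, $6 "<>"
    $2 ~ /^\[/ && $6 == "<>" {
        flush()
        have = 1
        ts = substr($2, 2, length($2) - 2)
        level = $3
        comp = $5
        msg = ""
        for (i = 7; i <= NF; i++) msg = msg (i > 7 ? " " : "") $i
        # Remember which product was being installed so later errors can be attributed.
        if (msg ~ /^Installing product: /) product = $9
        next
    }
    # Continuation line: append to the current entry.
    have && NF > 0 { msg = msg " | " $0 }
    END { flush() }
    ' "$@"
}

# Constructed sample: the suldownloader excerpt from this page, written to $1.
spl_sample_log() {
    cat > "$1" <<'EOF'
497 [2021-08-31T10:51:09.950] INFO [2080044800] suldownloaderdata <> Installing product: ServerProtectionLinux-Plugin-AV version: 1.0.2.93
736 [2021-08-31T10:51:10.189] INFO [2080044800] suldownloaderdata <> which: no setcap in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin)
Failed to install as setcap is not installed, please see https://support.sophos.com/support/s/article/KBA-000007609

736 [2021-08-31T10:51:10.189] ERROR [2080044800] suldownloaderdata <> Installation failed
736 [2021-08-31T10:51:10.189] INFO [2080044800] suldownloaderdata <> Downloaded Product line: 'ServerProtectionLinux-Plugin-EDR' is up to date.
740 [2021-08-31T10:51:10.193] WARN [2080044800] suldownloaderdata <> Update failed, with code: 103
740 [2021-08-31T10:51:10.193] INFO [2080044800] suldownloaderdata <> Generating the report file in: /opt/sophos-spl/base/update/var/updatescheduler
EOF
}

# Run the triage over the constructed sample; prints three entries, the first
# of which carries the "no setcap" cause that the ERROR line alone does not show.
spl_demo() {
    f=$(mktemp)
    spl_sample_log "$f"
    spl_log_failures "$f"
    rm -f "$f"
}

# Usage on a device: spl_log_failures /opt/sophos-spl/logs/base/watchdog.log
```

On a device, point spl_log_failures at the watchdog log, the relevant /opt/sophos-spl/logs/installation/<component>_install.log, or a plugin log; the INFO entry that carries a "Failed ..." continuation is usually the actual cause, while the ERROR and WARN lines after it only report the outcome.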

High CPU usage after installing SPL

Check whether fapolicyd is running on your Linux device. Running fapolicyd and SPL together is supported, but if fapolicyd isn't configured for SPL it is known to cause high CPU usage and other issues, because every SPL binary and library is evaluated against the default rules. Do as follows to add rules to fapolicyd that allow it to work together with SPL:

  1. Stop the SPL agent.
  2. Create a new file at /etc/fapolicyd/rules.d/ named 22-sophos.rules.

    The file name matters: fapolicyd processes the files in rules.d in lexical order, and the 22- prefix places the Sophos rules among the trusted-updater rules, ahead of the later deny rules, so they take effect before any rule that would block SPL. See Configuring the File Access Policy Daemon.

  3. Add the following content to the file:

    allow dir=/opt/sophos-spl/ all : ftype=application/x-sharedlib
    allow dir=/opt/sophos-spl/ all : ftype=application/x-executable
    allow dir=/opt/sophos-spl/ all : ftype=text/x-python
    allow perm=execute dir=/opt/sophos-spl/ : all
    
  4. Restart fapolicyd.

  5. Start the SPL agent.

Installation to a custom directory fails.

If you use --install-dir to change the installation directory, the installation fails when a sophos-spl directory already exists under that path or when SPL is already installed elsewhere on the Linux device. To resolve this, delete the stale sophos-spl directory or uninstall the existing SPL, then try again.

If SELinux is in enforcing mode and you install SPL to a custom directory outside /opt, the service may fail to start with the following error, because the new directory doesn't carry the file contexts that the policy defines for /opt:

sophos-spl.service: Failed to execute command: Permission denied

To fix this, give the new directory a file-context equivalence with /opt, so that paths under it are labelled by the same rules that already apply to /opt:

  1. Create the installation directory you want to use.
  2. Run the following command, replacing <path_to_new_directory> with the path to your new installation directory:

    semanage fcontext -a -e /opt <path_to_new_directory>

  3. Relabel the directory recursively with restorecon so that any files already under it pick up the new context, then start the service again.

Sophos Central troubleshooting

Not started: Sophos Linux Runtime Detections

You may see this error message with a red health status on your Linux devices due to one of the following scenarios:

  • The Runtime Detections (RTD) plugin isn't running. This can happen for many reasons, such as when it's installed on a server running an older or unsupported kernel.
  • The RTD plugin encountered an issue with a rule or set of rules. In this case, the RTD plugin is still running, and all other rules are active, but Sophos Central shows a red health status to alert you to the issue so you can investigate.

Not started: Update Scheduler

When the SPL agent starts, the update scheduler tries to download the policy from Sophos Central. If the SPL agent can't contact Sophos Central or the policy download fails, you'll see this error message with red health status in Sophos Central.

Live Discover endpoint queries only return data for a short time

By default, the size of the event journals on your devices allows them to store about 90 days of activity. If Live Discover endpoint queries return less data than that, you may need to increase the size of the event journals on your devices. See Event Journals.

More resources