
SAV for Linux Outbound Ports Required

Hi,

I would like to check which ports the Sophos AV is using for the update.

I have been receiving an error message such as:

SSL error.

Failed to replicate from all update sources

I have already opened TCP ports 443 and 80, and 8192-8194.

Thanks :)



  • For more information, these are the error logs:

    2020-10-05 22:43:53,342 DEBUG savupdate.util.Logger: This system is SAV10 capable
    2020-10-05 22:43:53,342 DEBUG savupdate.sdds.SddsUpdater: No update caches configured
    2020-10-05 22:43:53,342 DEBUG savupdate.sdds.SddsUpdater: Updating using HTTPS
    2020-10-05 22:43:53,409 DEBUG savupdate.sdds.SddsUpdater: Adding update source: direct [HTTPS]
    2020-10-05 22:43:53,775 INFO savupdate.sdds.SddsUpdater: Trying alternative proxies
    2020-10-05 22:43:53,786 INFO savupdate.sdds.SddsUpdater: Trying HTTP instead
    2020-10-05 22:43:53,797 DEBUG savupdate.sdds.SddsUpdater: Adding update source: direct [HTTP]
    2020-10-05 22:43:53,845 INFO savupdate.sdds.SddsUpdater: Trying HTTP over alternative proxies
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: read_remote_metadata failed: result=4
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: error_details: Out of sources
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [I20317] No proxy was used.
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.net/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [I20317] No proxy was used.
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E75373] Ran out of sophos aliases for this update source
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E35369] Out of update sources
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [I20317] No proxy was used.
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.net/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [I20317] No proxy was used.
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E75373] Ran out of sophos aliases for this update source
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E35369] Out of update sources
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: error_details: Failed to authenticate
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E19127] Couldn't find DCI for user. URL was: dci.sophosupd.com/.../
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [I31036] No proxy was used.
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E19127] Couldn't find DCI for user. URL was: dci.sophosupd.net/.../
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [I31036] No proxy was used.
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E75373] Ran out of sophos aliases for this update source
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E19127] Couldn't find DCI for user. URL was: dci.sophosupd.com/.../
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [I31036] No proxy was used.
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E19127] Couldn't find DCI for user. URL was: dci.sophosupd.net/.../
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [I31036] No proxy was used.
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E75373] Ran out of sophos aliases for this update source
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E54187] Couldn't find DCI for user. URL was: dci.sophosupd.net/.../
    2020-10-05 22:43:53,858 ERROR savupdate.sdds.SDDSResult: Failed to download dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat
    2020-10-05 22:43:53,858 ERROR savupdate.Updater: Error connecting to HTTPS source
    Traceback (most recent call last):
    File "Updater.py", line 179, in tryUpdate
    File "Updater.py", line 147, in update
    File "SddsUpdater.py", line 784, in update
    File "SddsUpdater.py", line 934, in __update
    File "SDDSResult.py", line 118, in throwOnError
    SDDSsslException: SDDSsslException for read_remote_metadata failed: SSL connection errors for dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
    2020-10-05 22:43:53,858 DEBUG savupdate.util.Logger: UPDATE_FAILURE_SSL_ERROR dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat
    2020-10-05 22:43:53,858 DEBUG savupdate.util.Logger: ALL_UPDATE_SOURCES_FAILED
    2020-10-05 22:43:53,866 DEBUG savupdate.Updater: Successfully reported update to savd
    2020-10-06 04:43:52,602 DEBUG savupdate.util.Logger: Logging to /opt/sophos-av/log/savupdate-debug.log
    2020-10-06 04:43:53,270 DEBUG savupdate.Updater: Scheduled Update: Day=None, Time=None, supplementOnly=False

  • Hello Ng ZhiYun,

    this is indeed the Free version? Ports 8192-8194 are only required for the on-premise (SEC) managed install. As it tries to update over HTTPS, I'd say this is the Intercept X (aka Central) version 10.

    How did you initially install? Has it worked and then suddenly stopped, throwing these errors, or did the updates fail from the beginning? I might be wrong, but it looks like there's some gateway device (firewall) between this machine and Sophos that attempts SSL inspection.

    Christian 

    Yes, this is the free version that we install on a Linux VM.

    I tried opening the TCP ports 8192-8194 too, but am still receiving the same error.

    Yup, it was working previously when I allowed all outbound traffic; however, I would like to restrict the traffic and only allow specific ports if possible.

    The traffic is controlled using a security list, as the VM is hosted in the cloud.

  • Hello Ng ZhiYun,

    as said, ports 8192-8194 are strictly for management and have nothing to do with updating.

    Taking a second and closer look at the log: the SSL error is perhaps a red herring. The HTTPS connection fails because of the certificate error, but it seems the HTTP connection succeeds and then throws a "Failed to authenticate" error. This suggests a problem with the updating credentials, not the ports opened.
    Might be worth checking whether updating again works if you allow all traffic.

    Christian 
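The two log samples in this thread can be turned into a repeatable triage check. The script below is an added example, not Sophos code and not part of any post: it parses savupdate-debug.log lines, counts the bracketed entry codes, extracts the hosts that produced the certificate error, notes the fallback to HTTP and the subsequent "Failed to authenticate", and reports a verdict. The sample lines are constructed to mirror the thread (the hashed filename is replaced by example.dat); the verdict labels and the regular expressions are my own assumptions about the log format, based only on the lines quoted above.

```python
"""Triage Sophos savupdate-debug.log output (added example; not Sophos code).

Distinguishes an untrusted-certificate-chain failure on the HTTPS path from an
authentication failure on the HTTP fallback, and reports the final outcome.
"""
import re
from collections import Counter

# Constructed sample lines modelled on the failing log in the thread.
FAILED_LOG = """\
2020-10-05 22:43:53,342 DEBUG savupdate.sdds.SddsUpdater: Updating using HTTPS
2020-10-05 22:43:53,786 INFO savupdate.sdds.SddsUpdater: Trying HTTP instead
2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.com/.../example.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.net/.../example.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: error_details: Failed to authenticate
2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E19127] Couldn't find DCI for user. URL was: dci.sophosupd.com/.../
2020-10-05 22:43:53,858 DEBUG savupdate.util.Logger: UPDATE_FAILURE_SSL_ERROR dci.sophosupd.com/.../example.dat
2020-10-05 22:43:53,858 DEBUG savupdate.util.Logger: ALL_UPDATE_SOURCES_FAILED
"""

# Constructed sample lines modelled on the successful log in the thread.
OK_LOG = """\
2020-10-06 16:43:53,294 DEBUG savupdate.sdds.SddsUpdater: Updating using HTTPS
2020-10-06 16:44:11,898 DEBUG savupdate.util.Logger: SUCCESSFULLY_UPDATED_FROM sdds:SOPHOS
"""

# Bracketed entry code plus message, e.g. "[E26245] SSL connection errors for ..."
LOG_ENTRY = re.compile(r"log_entry: \[([EIW]\d+)\] (.*)$")
# Host, human-readable reason and numeric code of a TLS failure (assumed format).
SSL_ERR = re.compile(
    r"SSL connection errors for (?P<host>[^/\s]+)/.*?: (?P<reason>.*?) \((?P<code>\d+)\)"
)
UNTRUSTED_CHAIN = "self signed certificate in certificate chain"


def triage(log_text):
    """Return a report dict describing what the update log shows."""
    codes = Counter()
    ssl_hosts, ssl_reasons = set(), set()
    http_fallback = auth_failure = False
    outcome = "unknown"

    for line in log_text.splitlines():
        if "Trying HTTP instead" in line:
            http_fallback = True
        if "error_details: Failed to authenticate" in line:
            auth_failure = True
        if "SUCCESSFULLY_UPDATED_FROM" in line:
            outcome = "updated"
        elif "ALL_UPDATE_SOURCES_FAILED" in line:
            outcome = "failed"
        entry = LOG_ENTRY.search(line)
        if not entry:
            continue
        code, msg = entry.groups()
        codes[code] += 1
        tls = SSL_ERR.search(msg)
        if tls:
            ssl_hosts.add(tls.group("host"))
            ssl_reasons.add(f"{tls.group('reason')} ({tls.group('code')})")

    # Verdict labels are this example's own, not Sophos terminology.
    if outcome == "updated":
        verdict = "ok"
    elif any(UNTRUSTED_CHAIN in r for r in ssl_reasons):
        # The HTTPS path rejected a chain the trust store does not anchor; the
        # client refusing the download is the correct behaviour.
        verdict = "tls-chain-untrusted"
    elif auth_failure:
        verdict = "credentials"
    else:
        verdict = "unknown"

    return {
        "outcome": outcome,
        "verdict": verdict,
        "ssl_hosts": sorted(ssl_hosts),
        "ssl_reasons": sorted(ssl_reasons),
        "http_fallback": http_fallback,
        "auth_failure": auth_failure,
        "codes": dict(codes),
    }


if __name__ == "__main__":
    for name, text in (("failed", FAILED_LOG), ("ok", OK_LOG)):
        print(name, triage(text))
```

Reading the report: "self signed certificate in certificate chain (60) verifyResult=19" is libcurl error 60 (peer certificate verification failed) with OpenSSL verify result 19 (a self-signed certificate somewhere in the chain that is not in the trust store), which is the signature of a gateway that re-signs TLS connections. Seeing the "credentials" signals only after "Trying HTTP instead" tells you the HTTP fallback was reached because the HTTPS path was already lost, so the chain error is the thing to fix, either by trusting the inspecting gateway's CA on the host or by exempting the update hosts from inspection.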

  • Hi,

    Thanks for helping.

    Yup. I tried and tested allowing all traffic, and it was able to update again with no error.

    I have also verified that the server is able to reach the internet with a 200 response.

  • Hello Ng ZhiYun,

    hm, could you show the debug log (like the one above) from the successful update?

    Christian

  • Hi,

    Yup sure.

    These are the successful logs:

    2020-10-06 16:43:52,617 DEBUG savupdate.util.Logger: Logging to /opt/sophos-av/log/savupdate-debug.log
    2020-10-06 16:43:53,284 DEBUG savupdate.Updater: Scheduled Update: Day=None, Time=None, supplementOnly=False
    2020-10-06 16:43:53,285 WARNING savupdate.util.Logger: SDDS_UPDATE_SOURCE_IS SOPHOS
    2020-10-06 16:43:53,286 INFO savupdate.sdds.SddsUpdater: Setting default Sophos Aliases
    2020-10-06 16:43:53,294 DEBUG savupdate.util.Logger: This system is SAV10 capable
    2020-10-06 16:43:53,294 DEBUG savupdate.sdds.SddsUpdater: No update caches configured
    2020-10-06 16:43:53,294 DEBUG savupdate.sdds.SddsUpdater: Updating using HTTPS
    2020-10-06 16:43:53,318 DEBUG savupdate.sdds.SddsUpdater: Adding update source: direct [HTTPS]
    2020-10-06 16:43:53,744 DEBUG savupdate.util.Logger: Other Product line=D9BB257D-ADE6-47C9-B09E-1ACB33A88EDD (we want 5CF594B0-9FED-4212-BA91-A4077CB1D1F3), version (3, 79, 0, 137)
    2020-10-06 16:43:53,744 DEBUG savupdate.util.Logger: Other Product line=16847572-641A-4310-94FB-7530471C2A25 (we want 5CF594B0-9FED-4212-BA91-A4077CB1D1F3), version (3, 79, 0, 137)
    2020-10-06 16:43:53,745 DEBUG savupdate.util.Logger: Other Product line=1CD8A803-6047-47BC-8CBE-2D4AEB37BEE2 (we want 5CF594B0-9FED-4212-BA91-A4077CB1D1F3), version (9, 16, 2, 0, 41)
    2020-10-06 16:43:53,745 DEBUG savupdate.util.Logger: Our product line=5CF594B0-9FED-4212-BA91-A4077CB1D1F3, version (9, 16, 2, 3790, 219)
    2020-10-06 16:43:53,745 DEBUG savupdate.util.Logger: Selecting package using recommended policy
    2020-10-06 16:43:53,745 DEBUG savupdate.util.Logger: Following SddsConfigTagPolicy baseversion=9
    2020-10-06 16:43:53,745 DEBUG savupdate.util.Logger: Warehouse contains 4 products
    2020-10-06 16:43:53,745 DEBUG savupdate.util.Logger: Warehouse contains 1 products matching our uuid
    2020-10-06 16:43:53,745 DEBUG savupdate.util.Logger: Warehouse contains 1 products matching tag=RECOMMENDED
    2020-10-06 16:43:53,745 DEBUG savupdate.sdds.SddsUpdater: Only one product matching tag, so using version (9, 'RECOMMENDED', '822CDC34-081F-4D57-9106-D124C0DC2D46', '9')
    2020-10-06 16:43:53,746 DEBUG savupdate.util.Logger: SDDS synchronise products and supplements
    2020-10-06 16:43:55,925 DEBUG savupdate.util.Logger: SDDS synchronise result=0
    2020-10-06 16:43:56,071 DEBUG savupdate.util.Logger: SDDS distribute result=0
    2020-10-06 16:43:56,071 DEBUG savupdate.util.Logger: SDDS get_distribution_status=0
    2020-10-06 16:44:02,751 DEBUG savupdate.util.Logger: log_entry: [I40394] Successfully downloaded customer file
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I96736] Looking for package 5CF594B0-9FED-4212-BA91-A4077CB1D1F3 9.16.2.3790.219
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I49502] Found supplement VDL LATEST
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I45378] Found included product 1CD8A803-6047-47BC-8CBE-2D4AEB37BEE2 9.16.2.0.41
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I45378] Found included product D9BB257D-ADE6-47C9-B09E-1ACB33A88EDD 3.79.0.137
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I45378] Found included product 16847572-641A-4310-94FB-7530471C2A25 3.79.0.137
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I49502] Found supplement IDE579 LATEST
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I49502] Found supplement TBPS1.25 LATEST 1
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I49502] Found supplement IDE580 LATEST
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I49502] Found supplement IDE581 LATEST
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product 5CF594B0-9FED-4212-BA91-A4077CB1D1F3 328
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product VDL 107
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product 1CD8A803-6047-47BC-8CBE-2D4AEB37BEE2 90
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product D9BB257D-ADE6-47C9-B09E-1ACB33A88EDD 34
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product 16847572-641A-4310-94FB-7530471C2A25 27
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product IDE579 154
    2020-10-06 16:44:02,753 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product TBPS1.25 68
    2020-10-06 16:44:02,753 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product IDE580 52
    2020-10-06 16:44:02,753 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product IDE581 1
    2020-10-06 16:44:02,755 DEBUG savupdate.util.Logger: UPDATING_FROM_VERSION 9.16.2 3.79.0 5.78
    2020-10-06 16:44:02,755 INFO savupdate.util.Logger: MSG_COMPOUNDSINK_VALIDATE_START /opt/sophos-av/update/cache/Primary
    2020-10-06 16:44:03,331 INFO savupdate.util.Logger: MSG_COMPOUNDSINK_VALIDATE_OK /opt/sophos-av/update/cache/Primary
    2020-10-06 16:44:03,331 INFO savupdate.util.Logger: RUNNING_INSTALLER /opt/sophos-av/update/cache/Primary
    2020-10-06 16:44:11,898 DEBUG savupdate.util.Logger: UPDATED_TO_VERSION 9.16.2 3.79.0 5.78
    2020-10-06 16:44:11,898 DEBUG savupdate.util.Logger: SUCCESSFULLY_UPDATED_FROM sdds:SOPHOS
    2020-10-06 16:44:11,916 DEBUG savupdate.Updater: Successfully reported update to savd

  • Also, this is the successful notification when completed:

    Updating from versions - SAV: 9.16.2, Engine: 3.79.0, Data: 5.78 Updating Sophos Anti-Virus....

    Updating SAVScan on-demand scanner

    Updating Virus Engine and Data

    Updating Manifest

    Update completed.

    Updated to versions - SAV: 9.16.2, Engine: 3.79.0, Data: 5.78 Successfully updated Sophos Anti-Virus from sdds:SOPHOS

    This is the notification when there is error:

    SSL error.

    Failed to replicate from all update sources

  • Hello Ng ZhiYun,

    apparently the connection over HTTPS succeeds. There is no SSL error, and it seems that "something" interferes when you selectively open ports. Port 443 should be all that is needed. I don't think that AutoUpdate uses certificate pinning, but if SSL inspection is done it must present a valid certificate. Can you access https://dci.sophosupd.com/update from the Linux machine with a browser when only port 443 is allowed?

    Christian

  • Hi,

    Yup, I am able to reach the URL when only 443 is allowed.

    Result is as follows:


    root@test:/opt/sophos-av/log# curl -Is dci.sophosupd.com/update
    HTTP/1.1 302 Moved Temporarily
    Server: AkamaiGHost
    Content-Length: 0
    Location: dci.sophosupd.com/index.html
    Cache-Control: max-age=0
    Expires: Tue, 06 Oct 2020 17:14:00 GMT
    Date: Tue, 06 Oct 2020 17:14:00 GMT
    Connection: keep-alive
    Content-Type: application/octet-stream

    root@test:/opt/sophos-av/log# curl -Is dci.sophosupd.com/index.html
    HTTP/1.1 200 OK
    Content-Type: text/html
    ETag: "9b61e06bd51f47cbf0d46ee9a4560e39:1518434635.658743"
    Last-Modified: Mon, 12 Feb 2018 11:23:55 GMT
    Server: AkamaiNetStorage
    Expires: Tue, 06 Oct 2020 17:15:57 GMT
    Date: Tue, 06 Oct 2020 17:14:08 GMT
    Connection: keep-alive
    Cache-Control: s-maxage=109, max-age=109