SAV for Linux Outbound Ports Required

Hi,

I would like to check which ports the Sophos AV uses for updates.

I have been receiving error messages such as:

SSL error.

Failed to replicate from all update sources

I have already opened TCP ports 443 and 80, and 8192-8194.

Thanks :)



  • For more information, these are the error logs:

    2020-10-05 22:43:53,342 DEBUG savupdate.util.Logger: This system is SAV10 capable
    2020-10-05 22:43:53,342 DEBUG savupdate.sdds.SddsUpdater: No update caches configured
    2020-10-05 22:43:53,342 DEBUG savupdate.sdds.SddsUpdater: Updating using HTTPS
    2020-10-05 22:43:53,409 DEBUG savupdate.sdds.SddsUpdater: Adding update source: direct [HTTPS]
    2020-10-05 22:43:53,775 INFO savupdate.sdds.SddsUpdater: Trying alternative proxies
    2020-10-05 22:43:53,786 INFO savupdate.sdds.SddsUpdater: Trying HTTP instead
    2020-10-05 22:43:53,797 DEBUG savupdate.sdds.SddsUpdater: Adding update source: direct [HTTP]
    2020-10-05 22:43:53,845 INFO savupdate.sdds.SddsUpdater: Trying HTTP over alternative proxies
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: read_remote_metadata failed: result=4
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: error_details: Out of sources
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [I20317] No proxy was used.
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.net/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [I20317] No proxy was used.
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E75373] Ran out of sophos aliases for this update source
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E35369] Out of update sources
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [I20317] No proxy was used.
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.net/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [I20317] No proxy was used.
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E75373] Ran out of sophos aliases for this update source
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E35369] Out of update sources
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: error_details: Failed to authenticate
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E19127] Couldn't find DCI for user. URL was: dci.sophosupd.com/.../
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [I31036] No proxy was used.
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E19127] Couldn't find DCI for user. URL was: dci.sophosupd.net/.../
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [I31036] No proxy was used.
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E75373] Ran out of sophos aliases for this update source
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E19127] Couldn't find DCI for user. URL was: dci.sophosupd.com/.../
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [I31036] No proxy was used.
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E19127] Couldn't find DCI for user. URL was: dci.sophosupd.net/.../
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [I31036] No proxy was used.
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E75373] Ran out of sophos aliases for this update source
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E54187] Couldn't find DCI for user. URL was: dci.sophosupd.net/.../
    2020-10-05 22:43:53,858 ERROR savupdate.sdds.SDDSResult: Failed to download dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat
    2020-10-05 22:43:53,858 ERROR savupdate.Updater: Error connecting to HTTPS source
    Traceback (most recent call last):
    File "Updater.py", line 179, in tryUpdate
    File "Updater.py", line 147, in update
    File "SddsUpdater.py", line 784, in update
    File "SddsUpdater.py", line 934, in __update
    File "SDDSResult.py", line 118, in throwOnError
    SDDSsslException: SDDSsslException for read_remote_metadata failed: SSL connection errors for dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
    2020-10-05 22:43:53,858 DEBUG savupdate.util.Logger: UPDATE_FAILURE_SSL_ERROR dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat
    2020-10-05 22:43:53,858 DEBUG savupdate.util.Logger: ALL_UPDATE_SOURCES_FAILED
    2020-10-05 22:43:53,866 DEBUG savupdate.Updater: Successfully reported update to savd
    2020-10-06 04:43:52,602 DEBUG savupdate.util.Logger: Logging to /opt/sophos-av/log/savupdate-debug.log
    2020-10-06 04:43:53,270 DEBUG savupdate.Updater: Scheduled Update: Day=None, Time=None, supplementOnly=False

  • Hello Ng ZhiYun,

    this is indeed the Free version? Ports 8192-8194 are only required for the on-premise (SEC) managed install. As it tries to update over HTTPS I'd say this is the Intercept X (aka Central) version 10.

    How did you initially install? Has it worked and then suddenly stopped, throwing these errors, or did the updates fail from the beginning? I might be wrong, but it looks like there's some gateway device (firewall) between this machine and Sophos that attempts SSL inspection.

    Christian 

  • Hello Ng ZhiYun,

    as said, ports 8192-8194 are strictly for management and have nothing to do with updating.

    Taking a second and closer look at the log, the SSL error is perhaps a red herring. The HTTPS connection fails because of the certificate error, but it seems the HTTP connection succeeds but throws a "Failed to authenticate" error. This suggests a problem with the updating credentials, not the ports opened.
    Might be worth checking whether updating works again if you allow all traffic.

    Christian 
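
The reading of the log above (HTTPS fails on certificate verification, the HTTP fallback then reports "Failed to authenticate") is the kind of triage that is easy to automate. The script below is an added example for this thread, not Sophos code: it pattern-matches savupdate-debug.log lines like the ones quoted here and reports which hosts failed TLS verification, which OpenSSL verify code was returned (19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, the value in the log) and whether the HTTP fallback was tried. The regexes, the small verify-code table and the verdict strings are assumptions made for this example; the sample log lines are excerpted from the logs quoted in the thread.

```python
"""Triage an excerpt of Sophos Anti-Virus for Linux savupdate-debug.log.

Added example for this forum thread; not Sophos code. It only pattern-matches
the log format seen in the thread. The verify-code table and the verdict text
are assumptions of this example, not anything documented by Sophos.
"""
import re

# OpenSSL X509 verify result codes as they appear in "verifyResult=N".
# 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, the value seen in the thread;
# the rest are the usual suspects when a middlebox re-signs TLS traffic.
VERIFY_RESULTS = {
    10: "certificate has expired",
    18: "self signed certificate (depth 0)",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

# "<timestamp> <LEVEL> <logger>: [log_entry: [Ennnnn] ]<message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) (?P<logger>\S+): "
    r"(?:log_entry: \[(?P<code>[EIW]\d+)\] )?(?P<msg>.*)$"
)
SSL_ERR_RE = re.compile(
    r"SSL connection errors for (?P<host>[\w.-]+)/.*verifyResult=(?P<vr>\d+)"
)

# Constructed sample: lines excerpted from the failed run quoted in the thread.
FAILED_LOG = """\
2020-10-05 22:43:53,342 DEBUG savupdate.sdds.SddsUpdater: Updating using HTTPS
2020-10-05 22:43:53,786 INFO savupdate.sdds.SddsUpdater: Trying HTTP instead
2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [I20317] No proxy was used.
2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.net/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E35369] Out of update sources
2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: error_details: Failed to authenticate
2020-10-05 22:43:53,858 ERROR savupdate.Updater: Error connecting to HTTPS source
Traceback (most recent call last):
  File "Updater.py", line 179, in tryUpdate
2020-10-05 22:43:53,858 DEBUG savupdate.util.Logger: ALL_UPDATE_SOURCES_FAILED
"""

# Constructed sample: lines excerpted from the successful run quoted later on.
OK_LOG = """\
2020-10-06 16:43:53,294 DEBUG savupdate.sdds.SddsUpdater: Updating using HTTPS
2020-10-06 16:43:53,318 DEBUG savupdate.sdds.SddsUpdater: Adding update source: direct [HTTPS]
2020-10-06 16:43:55,925 DEBUG savupdate.util.Logger: SDDS synchronise result=0
2020-10-06 16:44:11,898 DEBUG savupdate.util.Logger: SUCCESSFULLY_UPDATED_FROM sdds:SOPHOS
"""


def parse(log_text):
    """Yield one dict per parseable line; traceback lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def triage(log_text):
    """Classify one update run: success, TLS verification failure, or other."""
    verify_codes, hosts = {}, set()
    http_fallback = auth_failed = success = False
    for entry in parse(log_text):
        msg = entry["msg"]
        m = SSL_ERR_RE.search(msg)
        if m:
            hosts.add(m.group("host"))
            code = int(m.group("vr"))
            verify_codes[code] = VERIFY_RESULTS.get(code, "unknown OpenSSL verify error")
        http_fallback |= "Trying HTTP instead" in msg
        auth_failed |= "Failed to authenticate" in msg
        success |= "SUCCESSFULLY_UPDATED_FROM" in msg

    if success:
        verdict = "update succeeded"
    elif 18 in verify_codes or 19 in verify_codes:
        verdict = ("HTTPS failed: a self-signed certificate was presented for the "
                   "Sophos update host; look for an SSL-inspecting firewall or proxy in the path")
    elif verify_codes:
        verdict = "HTTPS failed with a certificate verification error"
    elif auth_failed:
        verdict = "transport OK but the update credentials were rejected"
    else:
        verdict = "update failed for a non-TLS reason; read the full log"
    if http_fallback and auth_failed:
        verdict += " (the HTTP fallback was tried and reported 'Failed to authenticate')"
    return {
        "outcome": "success" if success else "failure",
        "verify_results": verify_codes,
        "hosts": sorted(hosts),
        "http_fallback_tried": http_fallback,
        "auth_failed": auth_failed,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, text in (("failed run", FAILED_LOG), ("successful run", OK_LOG)):
        print(name, "->", triage(text)["verdict"])
```

Run it against `/opt/sophos-av/log/savupdate-debug.log` by replacing the constructed samples with the file contents; a `verifyResult=19` against both dci.sophosupd.com and dci.sophosupd.net with "No proxy was used" points at something on the network path re-signing the connection rather than at the update credentials.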

  • Hi,

    Thanks for helping.

    Yup. I tried and tested allowing all traffic, and it is able to update again with no error.

    I have also verified that the server is able to reach the internet with a 200 response.

  • Hello Ng ZhiYun,

    hm, could you show the debug log (like the one above) from the successful update?

    Christian

  • Hi,

    Yup, sure.

    These are the successful logs:

    2020-10-06 16:43:52,617 DEBUG savupdate.util.Logger: Logging to /opt/sophos-av/log/savupdate-debug.log
    2020-10-06 16:43:53,284 DEBUG savupdate.Updater: Scheduled Update: Day=None, Time=None, supplementOnly=False
    2020-10-06 16:43:53,285 WARNING savupdate.util.Logger: SDDS_UPDATE_SOURCE_IS SOPHOS
    2020-10-06 16:43:53,286 INFO savupdate.sdds.SddsUpdater: Setting default Sophos Aliases
    2020-10-06 16:43:53,294 DEBUG savupdate.util.Logger: This system is SAV10 capable
    2020-10-06 16:43:53,294 DEBUG savupdate.sdds.SddsUpdater: No update caches configured
    2020-10-06 16:43:53,294 DEBUG savupdate.sdds.SddsUpdater: Updating using HTTPS
    2020-10-06 16:43:53,318 DEBUG savupdate.sdds.SddsUpdater: Adding update source: direct [HTTPS]
    2020-10-06 16:43:53,744 DEBUG savupdate.util.Logger: Other Product line=D9BB257D-ADE6-47C9-B09E-1ACB33A88EDD (we want 5CF594B0-9FED-4212-BA91-A4077CB1D1F3), version (3, 79, 0, 137)
    2020-10-06 16:43:53,744 DEBUG savupdate.util.Logger: Other Product line=16847572-641A-4310-94FB-7530471C2A25 (we want 5CF594B0-9FED-4212-BA91-A4077CB1D1F3), version (3, 79, 0, 137)
    2020-10-06 16:43:53,745 DEBUG savupdate.util.Logger: Other Product line=1CD8A803-6047-47BC-8CBE-2D4AEB37BEE2 (we want 5CF594B0-9FED-4212-BA91-A4077CB1D1F3), version (9, 16, 2, 0, 41)
    2020-10-06 16:43:53,745 DEBUG savupdate.util.Logger: Our product line=5CF594B0-9FED-4212-BA91-A4077CB1D1F3, version (9, 16, 2, 3790, 219)
    2020-10-06 16:43:53,745 DEBUG savupdate.util.Logger: Selecting package using recommended policy
    2020-10-06 16:43:53,745 DEBUG savupdate.util.Logger: Following SddsConfigTagPolicy baseversion=9
    2020-10-06 16:43:53,745 DEBUG savupdate.util.Logger: Warehouse contains 4 products
    2020-10-06 16:43:53,745 DEBUG savupdate.util.Logger: Warehouse contains 1 products matching our uuid
    2020-10-06 16:43:53,745 DEBUG savupdate.util.Logger: Warehouse contains 1 products matching tag=RECOMMENDED
    2020-10-06 16:43:53,745 DEBUG savupdate.sdds.SddsUpdater: Only one product matching tag, so using version (9, 'RECOMMENDED', '822CDC34-081F-4D57-9106-D124C0DC2D46', '9')
    2020-10-06 16:43:53,746 DEBUG savupdate.util.Logger: SDDS synchronise products and supplements
    2020-10-06 16:43:55,925 DEBUG savupdate.util.Logger: SDDS synchronise result=0
    2020-10-06 16:43:56,071 DEBUG savupdate.util.Logger: SDDS distribute result=0
    2020-10-06 16:43:56,071 DEBUG savupdate.util.Logger: SDDS get_distribution_status=0
    2020-10-06 16:44:02,751 DEBUG savupdate.util.Logger: log_entry: [I40394] Successfully downloaded customer file
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I96736] Looking for package 5CF594B0-9FED-4212-BA91-A4077CB1D1F3 9.16.2.3790.219
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I49502] Found supplement VDL LATEST
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I45378] Found included product 1CD8A803-6047-47BC-8CBE-2D4AEB37BEE2 9.16.2.0.41
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I45378] Found included product D9BB257D-ADE6-47C9-B09E-1ACB33A88EDD 3.79.0.137
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I45378] Found included product 16847572-641A-4310-94FB-7530471C2A25 3.79.0.137
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I49502] Found supplement IDE579 LATEST
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I49502] Found supplement TBPS1.25 LATEST 1
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I49502] Found supplement IDE580 LATEST
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I49502] Found supplement IDE581 LATEST
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product 5CF594B0-9FED-4212-BA91-A4077CB1D1F3 328
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product VDL 107
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product 1CD8A803-6047-47BC-8CBE-2D4AEB37BEE2 90
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product D9BB257D-ADE6-47C9-B09E-1ACB33A88EDD 34
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product 16847572-641A-4310-94FB-7530471C2A25 27
    2020-10-06 16:44:02,752 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product IDE579 154
    2020-10-06 16:44:02,753 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product TBPS1.25 68
    2020-10-06 16:44:02,753 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product IDE580 52
    2020-10-06 16:44:02,753 DEBUG savupdate.util.Logger: log_entry: [I19463] Syncing product IDE581 1
    2020-10-06 16:44:02,755 DEBUG savupdate.util.Logger: UPDATING_FROM_VERSION 9.16.2 3.79.0 5.78
    2020-10-06 16:44:02,755 INFO savupdate.util.Logger: MSG_COMPOUNDSINK_VALIDATE_START /opt/sophos-av/update/cache/Primary
    2020-10-06 16:44:03,331 INFO savupdate.util.Logger: MSG_COMPOUNDSINK_VALIDATE_OK /opt/sophos-av/update/cache/Primary
    2020-10-06 16:44:03,331 INFO savupdate.util.Logger: RUNNING_INSTALLER /opt/sophos-av/update/cache/Primary
    2020-10-06 16:44:11,898 DEBUG savupdate.util.Logger: UPDATED_TO_VERSION 9.16.2 3.79.0 5.78
    2020-10-06 16:44:11,898 DEBUG savupdate.util.Logger: SUCCESSFULLY_UPDATED_FROM sdds:SOPHOS
    2020-10-06 16:44:11,916 DEBUG savupdate.Updater: Successfully reported update to savd

  • Also, this is the successful notification when completed:

    Updating from versions - SAV: 9.16.2, Engine: 3.79.0, Data: 5.78 Updating Sophos Anti-Virus....

    Updating SAVScan on-demand scanner

    Updating Virus Engine and Data

    Updating Manifest

    Update completed.

    Updated to versions - SAV: 9.16.2, Engine: 3.79.0, Data: 5.78 Successfully updated Sophos Anti-Virus from sdds:SOPHOS

    This is the notification when there is error:

    SSL error.

    Failed to replicate from all update sources

  • Hello Ng ZhiYun,

    apparently the connection over HTTPS succeeds. There is no SSL error, and it seems that "something" interferes when you selectively open ports. Port 443 should be all that is needed. I don't think that AutoUpdate uses certificate pinning, but if SSL inspection is done it must present a valid certificate. Can you access https://dci.sophosupd.com/update from the Linux machine with a browser when only port 443 is allowed?

    Christian

  • Hi

    Yup, I am able to reach the URL when only 443 is allowed.

    The result is as follows:

    root@test:/opt/sophos-av/log# curl -Is dci.sophosupd.com/update
    HTTP/1.1 302 Moved Temporarily
    Server: AkamaiGHost
    Content-Length: 0
    Location: dci.sophosupd.com/index.html
    Cache-Control: max-age=0
    Expires: Tue, 06 Oct 2020 17:14:00 GMT
    Date: Tue, 06 Oct 2020 17:14:00 GMT
    Connection: keep-alive
    Content-Type: application/octet-stream

    root@test:/opt/sophos-av/log# curl -Is dci.sophosupd.com/index.html
    HTTP/1.1 200 OK
    Content-Type: text/html
    ETag: "9b61e06bd51f47cbf0d46ee9a4560e39:1518434635.658743"
    Last-Modified: Mon, 12 Feb 2018 11:23:55 GMT
    Server: AkamaiNetStorage
    Expires: Tue, 06 Oct 2020 17:15:57 GMT
    Date: Tue, 06 Oct 2020 17:14:08 GMT
    Connection: keep-alive
    Cache-Control: s-maxage=109, max-age=109

  • Hello Ng ZhiYun,

    updating should work then unless curl is more liberal regarding SSL connections. If Sophos updating still fails you should check the certificate on the SSL connection.

    Christian

  • Hi

    Do you know how to check which cert the Sophos AV is using, and where it is?

  • Also, another thing that I noticed:

    I am able to run the update manually, but if scheduled it will have the error when only port 443 is enabled.

  • Hello Ng ZhiYun,

    manual and scheduled updates should use the same mechanism; I can't imagine that one constantly fails and the other succeeds. I wonder if there are significant differences in the log (other than success/failure).

    Furthermore, curl normally checks the certificate, thus I wonder why it did not complain. Anyway, you can check whether different certificate chains are returned using openssl s_client -connect dci.sophosupd.com:443 -verify 5; enter an uppercase Q to close the connection.

    Christian

  • Hi,

    I managed to find out which port is causing the issue.

    It is port 8888. I think this is the specific port that they use for SSL communication instead of the normal 443.

  • Hello Ng ZhiYun,

    never heard of this. I'll ask what he thinks of this.

    Christian

  • Nothing I can think of in SAVLinux would use port 8888. It's too low to be the client port number I think. 

    All of the SDDS update traffic goes on ports 443 and 80.

    The only thing I can imagine is some kind of port redirect going on, but I don't know of any software that actually does that.

  • Do all these sources not use port 8888?

    Updating from versions - SAV: 9.16.2, Engine: 3.79.0, Data: 5.78 Updating Sophos Anti-Virus....

    Updating SAVScan on-demand scanner

    Updating Virus Engine and Data

    Updating Manifest

    Update completed.

    Updated to versions - SAV: 9.16.2, Engine: 3.79.0, Data: 5.78 Successfully updated Sophos Anti-Virus from sdds:SOPHOS

    I monitored the traffic from the firewall and saw packets to destination port 8888, address 149.5.232.18.

    Once I enabled the traffic to port 8888, it resolved the SSL error.

  • Port 8888 on 149.5.232.18 is an SSL connection. The certificate is Fortinet's:

    fds1.fortinet.com

    A self-signed certificate chain, so probably some sort of non-web-browser connection.

    Searching for 'fds1.fortinet.com 8888' on Google does seem to suggest that they use that port.

    Are you running some kind of Fortinet tool?

  • Oh.

    Yup, we have a Fortinet firewall.