
SAV for Linux Outbound Ports Required

Hi,

I would like to check which ports the Sophos AV is using for the update.

I have been receiving error messages such as:

SSL error.

Failed to replicate from all update sources

I have already opened TCP ports 443, 80 and 8192-8194.

Thanks :)



  • For more information, these are the error logs:

    2020-10-05 22:43:53,342 DEBUG savupdate.util.Logger: This system is SAV10 capable
    2020-10-05 22:43:53,342 DEBUG savupdate.sdds.SddsUpdater: No update caches configured
    2020-10-05 22:43:53,342 DEBUG savupdate.sdds.SddsUpdater: Updating using HTTPS
    2020-10-05 22:43:53,409 DEBUG savupdate.sdds.SddsUpdater: Adding update source: direct [HTTPS]
    2020-10-05 22:43:53,775 INFO savupdate.sdds.SddsUpdater: Trying alternative proxies
    2020-10-05 22:43:53,786 INFO savupdate.sdds.SddsUpdater: Trying HTTP instead
    2020-10-05 22:43:53,797 DEBUG savupdate.sdds.SddsUpdater: Adding update source: direct [HTTP]
    2020-10-05 22:43:53,845 INFO savupdate.sdds.SddsUpdater: Trying HTTP over alternative proxies
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: read_remote_metadata failed: result=4
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: error_details: Out of sources
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [I20317] No proxy was used.
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.net/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [I20317] No proxy was used.
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E75373] Ran out of sophos aliases for this update source
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E35369] Out of update sources
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [I20317] No proxy was used.
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.net/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [I20317] No proxy was used.
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E75373] Ran out of sophos aliases for this update source
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E35369] Out of update sources
    2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: error_details: Failed to authenticate
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E19127] Couldn't find DCI for user. URL was: dci.sophosupd.com/.../
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [I31036] No proxy was used.
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E19127] Couldn't find DCI for user. URL was: dci.sophosupd.net/.../
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [I31036] No proxy was used.
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E75373] Ran out of sophos aliases for this update source
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E19127] Couldn't find DCI for user. URL was: dci.sophosupd.com/.../
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [I31036] No proxy was used.
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E19127] Couldn't find DCI for user. URL was: dci.sophosupd.net/.../
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [I31036] No proxy was used.
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E75373] Ran out of sophos aliases for this update source
    2020-10-05 22:43:53,857 DEBUG savupdate.util.Logger: log_entry: [E54187] Couldn't find DCI for user. URL was: dci.sophosupd.net/.../
    2020-10-05 22:43:53,858 ERROR savupdate.sdds.SDDSResult: Failed to download dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat
    2020-10-05 22:43:53,858 ERROR savupdate.Updater: Error connecting to HTTPS source
    Traceback (most recent call last):
    File "Updater.py", line 179, in tryUpdate
    File "Updater.py", line 147, in update
    File "SddsUpdater.py", line 784, in update
    File "SddsUpdater.py", line 934, in __update
    File "SDDSResult.py", line 118, in throwOnError
    SDDSsslException: SDDSsslException for read_remote_metadata failed: SSL connection errors for dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
    2020-10-05 22:43:53,858 DEBUG savupdate.util.Logger: UPDATE_FAILURE_SSL_ERROR dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat
    2020-10-05 22:43:53,858 DEBUG savupdate.util.Logger: ALL_UPDATE_SOURCES_FAILED
    2020-10-05 22:43:53,866 DEBUG savupdate.Updater: Successfully reported update to savd
    2020-10-06 04:43:52,602 DEBUG savupdate.util.Logger: Logging to /opt/sophos-av/log/savupdate-debug.log
    2020-10-06 04:43:53,270 DEBUG savupdate.Updater: Scheduled Update: Day=None, Time=None, supplementOnly=False
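
    The log above is the one place in this thread where the failure is actually recorded, so here is an added example (not Sophos code, not from the original poster) that triages a savupdate-debug.log: it pulls the host and verifyResult out of each [E26245] line, maps the code to its OpenSSL X509 verify-result meaning, and says whether the pattern points at an untrusted root (what an SSL-inspecting gateway produces) rather than a blocked port. The sample lines are constructed from the log posted in the thread, with the poster's "..." left in; the "(60)" in the message text is libcurl's CURLE_PEER_FAILED_VERIFICATION code.

```python
"""Triage a Sophos SAV for Linux savupdate-debug.log for TLS update failures.

Added example for this thread; it is not Sophos code. SAMPLE_LOG is constructed
from the log the original poster pasted (the "..." in the URLs is the poster's
own elision). The numeric codes are OpenSSL X509_V_ERR_* verify results.
"""
import re
from collections import Counter

# OpenSSL X509_V_ERR_* codes that commonly show up as verifyResult=N.
X509_VERIFY_RESULT = {
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
    62: "hostname mismatch",
}

# Verify results that mean "the chain ends in a root I do not trust", i.e. a
# TLS inspection gateway or a private CA, rather than a dead link or blocked port.
UNTRUSTED_ROOT_CODES = {18, 19, 20, 21}

SSL_ERROR_RE = re.compile(
    r"\[E26245\] SSL connection errors for (?P<host>[^/\s]+)/.*?verifyResult=(?P<code>\d+)"
)
NO_PROXY_RE = re.compile(r"\[I\d+\] No proxy was used\.")

# Constructed sample: a subset of the lines posted in the thread.
SAMPLE_LOG = """\
2020-10-05 22:43:53,342 DEBUG savupdate.sdds.SddsUpdater: Updating using HTTPS
2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [I20317] No proxy was used.
2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E26245] SSL connection errors for dci.sophosupd.net/.../774de35825b1fcf0a9c28adf75a24333.dat: SSL certificate problem: self signed certificate in certificate chain (60) verifyResult=19
2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [I20317] No proxy was used.
2020-10-05 22:43:53,856 DEBUG savupdate.util.Logger: log_entry: [E35369] Out of update sources
2020-10-05 22:43:53,858 DEBUG savupdate.util.Logger: UPDATE_FAILURE_SSL_ERROR dci.sophosupd.com/.../774de35825b1fcf0a9c28adf75a24333.dat
2020-10-05 22:43:53,858 DEBUG savupdate.util.Logger: ALL_UPDATE_SOURCES_FAILED
""".splitlines()


def triage(lines):
    """Summarise which update hosts failed TLS verification and why."""
    hosts = Counter()
    codes = Counter()
    no_proxy = 0
    all_failed = False
    for line in lines:
        m = SSL_ERROR_RE.search(line)
        if m:
            hosts[m.group("host")] += 1
            codes[int(m.group("code"))] += 1
        elif NO_PROXY_RE.search(line):
            no_proxy += 1
        elif "ALL_UPDATE_SOURCES_FAILED" in line:
            all_failed = True
    return {
        "hosts": dict(hosts),
        "verify_results": {c: X509_VERIFY_RESULT.get(c, "unknown") for c in codes},
        "direct_connections": no_proxy,
        "untrusted_root": any(c in UNTRUSTED_ROOT_CODES for c in codes),
        "all_sources_failed": all_failed,
    }


def verdict(summary):
    """One-line reading of the triage result."""
    if not summary["hosts"]:
        return "no TLS verification failures logged"
    hosts = ", ".join(sorted(summary["hosts"]))
    if summary["untrusted_root"]:
        return (f"TLS verification failed for {hosts} with an untrusted root; "
                "inspect the served chain for an interception or private CA")
    return f"TLS verification failed for {hosts}: check the verify result codes"


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(s)
    print(verdict(s))
```

    Run it over the real file with `triage(open("/opt/sophos-av/log/savupdate-debug.log").read().splitlines())`. A verifyResult of 19 on both dci.sophosupd.com and dci.sophosupd.net with no proxy in the path is the signature of something on the wire replacing the server chain, not of a firewall dropping the connection, which would surface as a connect or timeout error instead.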

  • Hello Ng ZhiYun,

    Is this indeed the Free version? Ports 8192-8194 are only required for the on-premise (SEC) managed install. As it tries to update over HTTPS I'd say this is the Intercept X (aka Central) version 10.

    How did you initially install? Has it worked and then suddenly stopped, throwing these errors, or did the updates fail from the beginning? I might be wrong, but it looks like there's some gateway device (firewall) between this machine and Sophos that attempts SSL inspection.

    Christian 

  • Hi

    Yup, I am able to reach the URL when only 443 is allowed.

    Result is as follows:


    root@test:/opt/sophos-av/log# curl -Is dci.sophosupd.com/update
    HTTP/1.1 302 Moved Temporarily
    Server: AkamaiGHost
    Content-Length: 0
    Location: dci.sophosupd.com/index.html
    Cache-Control: max-age=0
    Expires: Tue, 06 Oct 2020 17:14:00 GMT
    Date: Tue, 06 Oct 2020 17:14:00 GMT
    Connection: keep-alive
    Content-Type: application/octet-stream

    root@test:/opt/sophos-av/log# curl -Is dci.sophosupd.com/index.html
    HTTP/1.1 200 OK
    Content-Type: text/html
    ETag: "9b61e06bd51f47cbf0d46ee9a4560e39:1518434635.658743"
    Last-Modified: Mon, 12 Feb 2018 11:23:55 GMT
    Server: AkamaiNetStorage
    Expires: Tue, 06 Oct 2020 17:15:57 GMT
    Date: Tue, 06 Oct 2020 17:14:08 GMT
    Connection: keep-alive
    Cache-Control: s-maxage=109, max-age=109

  • Hello Ng ZhiYun,

    updating should work then unless curl is more liberal regarding SSL connections. If Sophos updating still fails you should check the certificate on the SSL connection.

    Christian

  • Hi

    Do you know how to check which cert the Sophos AV is using, and where it is?

  • Also, another thing that I noticed: I am able to run the update manually, but if scheduled it will have the error when only port 443 is enabled.

  • Hello Ng ZhiYun,

    manual and scheduled updates should use the same mechanism; I can't imagine that one constantly fails and the other succeeds. I wonder if there are significant differences in the log (other than success/failure).

    Furthermore, curl normally checks the certificate, thus I wonder why it did not complain. Anyway, you can check whether different certificate chains are returned using openssl s_client -connect dci.sophosupd.com:443 -verify 5; enter an uppercase Q to close the connection.

    Christian
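
    As an added example (not from the thread's participants or from Sophos) of the chain check suggested above: the script below runs openssl s_client with -showcerts, then parses the "Certificate chain" block and the final "Verify return code" line so the result can be compared between the affected machine and a machine outside the firewall. The openssl binary is assumed to be installed; SAMPLE_OUTPUT is constructed to look like what a TLS-inspecting gateway returns when it re-signs dci.sophosupd.com with its own private CA, and "Example Gateway" is a made-up name.

```python
"""Read the chain returned by `openssl s_client -connect HOST:PORT -showcerts`.

Added example for this thread, not Sophos or OpenSSL code. fetch_s_client()
runs the real openssl binary (assumed installed); parse_s_client() and
classify_chain() work on the text it prints, so they also run on saved output.
SAMPLE_OUTPUT is constructed: "Example Gateway" is a made-up inspection CA.
"""
import re
import subprocess

# " 0 s:CN = ..." / "   i:C = ..." pairs inside the "Certificate chain" block.
CHAIN_SUBJECT_RE = re.compile(r"^\s*(\d+) s:(?P<subject>.+)$")
CHAIN_ISSUER_RE = re.compile(r"^\s*i:(?P<issuer>.+)$")
VERIFY_RE = re.compile(r"Verify return code: (?P<code>\d+) \((?P<text>[^)]*)\)")

SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=1 C = US, O = Example Gateway, CN = Example Gateway Inspection CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:CN = dci.sophosupd.com
   i:C = US, O = Example Gateway, CN = Example Gateway Inspection CA
 1 s:C = US, O = Example Gateway, CN = Example Gateway Inspection CA
   i:C = US, O = Example Gateway, CN = Example Gateway Inspection CA
---
Server certificate
subject=CN = dci.sophosupd.com
issuer=C = US, O = Example Gateway, CN = Example Gateway Inspection CA
---
SSL handshake has read 2048 bytes and written 400 bytes
    Verify return code: 19 (self signed certificate in certificate chain)
---
"""


def fetch_s_client(host, port=443, timeout=15):
    """Run openssl s_client against host:port and return its combined output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-showcerts"]
    # Empty stdin makes s_client exit after the handshake instead of waiting for input.
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")


def parse_s_client(output):
    """Extract subject/issuer per chain entry and the final verify return code."""
    chain = []
    code = text = None
    for line in output.splitlines():
        m = CHAIN_SUBJECT_RE.match(line)
        if m:
            chain.append({"subject": m.group("subject").strip(), "issuer": None})
            continue
        m = CHAIN_ISSUER_RE.match(line)
        if m and chain and chain[-1]["issuer"] is None:
            chain[-1]["issuer"] = m.group("issuer").strip()
            continue
        m = VERIFY_RE.search(line)
        if m:
            code, text = int(m.group("code")), m.group("text")
    return {"chain": chain, "verify_code": code, "verify_text": text}


def classify_chain(parsed):
    """Trusted, re-signed by an unknown root, or broken for some other reason."""
    chain = parsed["chain"]
    if not chain:
        return "no certificate chain in output"
    top = chain[-1]
    if parsed["verify_code"] == 0:
        return "chain verifies against the local trust store"
    # 18-21 are the OpenSSL verify results for a root the local store does not know.
    if top["issuer"] == top["subject"] or parsed["verify_code"] in (18, 19, 20, 21):
        return f"chain ends in an untrusted root ({top['subject']}): TLS inspection or private CA"
    return f"verification failed: {parsed['verify_text']}"


if __name__ == "__main__":
    parsed = parse_s_client(SAMPLE_OUTPUT)
    for entry in parsed["chain"]:
        print(entry)
    print(classify_chain(parsed))
```

    On the affected host, `classify_chain(parse_s_client(fetch_s_client("dci.sophosupd.com")))` shows whether the root that terminates the chain is the one Sophos' CDN serves or one belonging to a device in the path; if the issuer names differ between that host and one outside the firewall, the updater's verifyResult=19 is explained.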

  • Hi,

    I managed to find out which port is causing the issue.

    It is port 8888. I think this is the specific port that they use for SSL communication instead of the normal 443.

  • Hello Ng ZhiYun,

    never heard of this. I'll ask what he thinks of this.

    Christian

  • Nothing I can think of in SAVLinux would use port 8888. It's too low to be the client port number, I think.

    All of the SDDS update traffic goes on ports 443 and 80.

    The only thing I can imagine is some kind of port redirect going on, but I don't know of any software that actually does that.

  • Do all these sources not use port 8888?

    Updating from versions - SAV: 9.16.2, Engine: 3.79.0, Data: 5.78

    Updating Sophos Anti-Virus....

    Updating SAVScan on-demand scanner

    Updating Virus Engine and Data

    Updating Manifest

    Update completed.

    Updated to versions - SAV: 9.16.2, Engine: 3.79.0, Data: 5.78

    Successfully updated Sophos Anti-Virus from sdds:SOPHOS

    I monitored the traffic from the firewall: packets to destination port 8888, address 149.5.232.18.

    Once I enable the traffic to port 8888, it resolves the SSL error.

  • Port 8888 on 149.5.232.18 is an SSL connection. The certificate is Fortinet.

    fds1.fortinet.com

    A self-signed certificate chain, so probably some sort of non-web-browser connection.

    Searching for 'fds1.fortinet.com 8888' on Google does seem to suggest that they use that port.

    Are you running some kind of Fortinet tool?
