
Failed to update. Please check your internet connection

Hi,

We are trying to scan a system with the "Virus Removal Tool" Version 2.5.4.

The installation worked well, but after that the tool reported a connection issue and that there's no possibility to update the detection engine and the data... so far so good...

First we took a look at our HTTP proxy and understood that the tool is not able to use a proxy connection, so we searched for a way to configure that... but there is no way!

Next we took a look in the associated config.xml; there is only one possible entry:

cloud4 enabled="yes" url="https://4.sophosxl.net/lookup"

We opened that target on the UTM, but it is still not working.

So we took a closer look and found out that the tool tries to reach some (2-3) other endpoints of a CDN via HTTP!

We opened just one of these endpoints (cdn-87-248-217-254.frf.llnw.net) and the tool took an update... via HTTP!

- the tool is not able to use a proxy connection
- the update worked unencrypted via HTTP
- the update target isn't documented anywhere
- the update target isn't a fixed target in the Sophos domain space, it is a variable endpoint in a CDN

Question: is that what Sophos calls "Using cutting edge technology found in our enterprise-grade software, this powerful tool detects all types of malicious software on your computer" (German version: "This powerful tool is based on the latest technologies, which are also used in our IT security products for enterprise customers")?

Poor enterprise customers -  you have our compassion!

Greetings



This thread was automatically locked due to age.
  • Hello och_nee,

    the tool is not able to use a proxy connection

    unless this has changed with the latest versions it uses the system (WinHTTP) proxy.

    the update target (BTW: source is arguably the better term) isn't documented anywhere

    as long as it works (and this is apparently in most cases) it's not necessary; do you know the update sources (or where they are documented) for all your software?

    the update target [...] is a variable endpoint in a CDN

    and this is uncommon? Come on!

    the update worked unencrypted via HTTP

    and the problem with this is?

    Thanks anyway for your commiseration :smileyhappy: - question is, do you need assistance?

    Christian

  • Hi Christian,

    the tool is not able to use a proxy connection

    unless this has changed with the latest versions it uses the system (WinHTTP) proxy.

    We use the latest version, but it's not working... possibly it's not working with user auth?

    the update target (BTW: source is arguably the better term) isn't documented anywhere

    as long as it works (and this is apparently in most cases) it's not necessary; do you know the update sources (or where they are documented) for all your software?

    On a system with restricted access - yes, of course!

    And Sophos is a security company, and I expect transparent and well-documented processes from a security company - even if a tool is free!

    the update target [...] is a variable endpoint in a CDN

    and this is uncommon? Come on!

    Yes, it's common for startups and - sadly - for some big players!

    In my point of view this is crap! Some people do this without the knowledge of the background needed to do their job.

    If you need a CDN... why are CNAMEs not used here in this case?

    the update worked unencrypted via HTTP

    and the problem with this is?

    Is that serious? The problem is that the target, endpoint or, in your words, the "source" is more trustable!
    How can I know who or what is behind an IP address? How can I trust this without a handshake with a valid signed certificate!?

    Thanks anyway for your commiseration :smileyhappy: - question is, do you need assistance?

    I don't need assistance, as you can read... I helped myself.

  • Hello och_nee,

    the latest version, but it's not working

    Hm, I don't need SVRT but I've checked today - from the "Update progress: proxy server" line in the log it seems to tell WinHTTP to use the IE settings, but then I don't see a connection attempt at all. I wanted to return a 407 to see what it does (but I assume it won't prompt for credentials) but didn't get that far. Guess I'll have to test on another machine to be sure.

    CDN, CNAMEs

    I can't quite follow you - d1.sophosupd.com is one of the update locations; this is a CNAME and resolves to a name on the CDN and one or more addresses there. The reverse lookup of the CDN address doesn't necessarily return something telling though (except in your case that the server on the CDN is probably located in Frankfurt).

    trustable

    Ok, you feel better with an SSL handshake. But then, it's SVRT which does the handshake so you have to trust the application, right? SVRT does verify the update location and contents with an equivalent mechanism - neither can you make it download from some arbitrary (rogue) source nor intercept the connection and feed it compromised data, it won't accept it.

    Christian

  • I have to agree to a certain extent with the OP that there is room for improvement in the documentation/UX for the free scan tool. Especially when they mention enterprise wonder marketing hype nonsense.

    I found it less than transparently documented about how it works with proxies and likely issues with user authenticated proxies which are still very common in the education sector.  

    A helpful little FAQ that was easy to find on getting the update tool to work behind proxies which require user auth would be nice, and maybe a little button on the GUI saying click here to option log files location would do it for me. 

    When you are up against it, which is normally when you are reaching for these tools, your cool has long since left and you're not often operating at peak skill level ; ) Anything to make you remember to do the proper things is helpful. I wasted a good hour trying to figure out why the free tool would not pick up the internet updates. Unhelpful error messages about checking my internet just make me cross.

    However, once I found the URL it was failing on due to user auth issues on our proxy, I was quickly able to create exceptions and get it working.

    Thanks to both of you for this thread as it helped me get back on track with sorting out the update annoyance.  

    Cheers

  • I can confirm that the tool CAN use an HTTP/HTTPS proxy when the proxy is set in Internet Explorer Settings.

    However, the tool is unable to interpret a proxy PAC file.

    You have to set the proxy to IP Address and Port in IE and then it works.

    So, still room for improvement.
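
The checks discussed across this thread (WinHTTP vs. IE proxy settings, PAC-only configurations, the CNAME chain behind d1.sophosupd.com, and a proxy answering 407) can be collected into one diagnostic run. This is an added example, not code from Sophos or from any poster; it assumes Windows PowerShell 5.1, and the only hostname used is the one named in the thread.

```powershell
# Added troubleshooting sketch (not Sophos code). Run as the user who starts the tool.
$updateHost = 'd1.sophosupd.com'   # update location named in the thread

# 1. Machine-wide WinHTTP proxy setting
netsh winhttp show proxy

# 2. Per-user IE proxy settings, which the thread says the tool picks up
$ie     = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$static = if ($ie.ProxyEnable -eq 1) { $ie.ProxyServer } else { $null }
$pac    = $ie.AutoConfigURL
"IE static proxy : $static"
"IE PAC URL      : $pac"
if ($pac -and -not $static) {
    # Matches the last post: a PAC file alone is not interpreted by the tool
    Write-Warning 'Only a PAC file is configured; set proxy address and port explicitly.'
}

# 3. CNAME chain of the update host: allow-list by name, since the CDN
#    addresses behind it vary and reverse lookups are not telling
Resolve-DnsName -Name $updateHost -Type A |
    Format-Table Name, Type, NameHost, IPAddress -AutoSize

# 4. Request through the static proxy WITHOUT credentials, to see what a
#    client that cannot answer a proxy auth challenge would get back
if ($static) {
    # ProxyServer is either "host:port" or "http=host:port;https=host:port"
    $entry = ($static -split ';' |
        Where-Object { $_ -match '^(http=)?[^=]+$' } |
        Select-Object -First 1) -replace '^http=', ''
    try {
        $r = Invoke-WebRequest -Uri "http://$updateHost/" -Proxy "http://$entry" `
                               -UseBasicParsing -TimeoutSec 15
        "Proxy path works: HTTP $($r.StatusCode)"
    } catch {
        $resp = $_.Exception.Response
        if ($resp -and [int]$resp.StatusCode -eq 407) {
            'Proxy demands authentication (407): add an auth exception for the update host.'
        } elseif ($resp) {
            "Proxy path works, origin answered HTTP $([int]$resp.StatusCode)"
        } else {
            "No HTTP response: $($_.Exception.Message)"
        }
    }
}
```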