Failed to update. Please check your internet connection

Hi,

We are trying to scan a system with the "Virus Removal Tool" version 2.5.4.

The installation worked well, but after that the tool reported a connection issue and that there is no possibility to update the detection engine and the data... so far so good...

First we took a look at our HTTP proxy and understood that the tool is not able to use a proxy connection, so we searched for a way to configure that... but there is no way!

Next we took a look at the associated config.xml; there is only one possible entry:

cloud4 enabled="yes" url="https://4.sophosxl.net/lookup"

We opened that target on the UTM, but it is still not working.

So we took a closer look and found out that the tool tries to reach some (2-3) other endpoints of a CDN via HTTP!

We opened just one of these endpoints (cdn-87-248-217-254.frf.llnw.net) and the tool took an update... via HTTP!

- the tool is not able to use a proxy connection
- the update worked unencrypted via HTTP
- the update target isn't documented anywhere
- the update target isn't a fixed target in the Sophos domain space, it is a variable endpoint in a CDN

Question: is that what Sophos called "Using cutting edge technology found in our enterprise-grade software, this powerful tool detects all types of malicious software on your computer (This powerful tool is based on the latest technologies, which are also used in our IT security products for enterprise customers)"?

Poor enterprise customers - you have our compassion!

Greetings



This thread was automatically locked due to age.
  • Hello och_nee,

    the latest version, but it's not working

    hm, I don't need SVRT but I've checked today - from the Update progress: proxy server line in the log it seems to tell WinHTTP to use the IE settings but then I don't see a connection attempt at all. I wanted to return a 407 to see what it does (but I assume it won't prompt for credentials) but didn't get that far. Guess I'll have to test on another machine to be sure.

    CDN, CNAMEs

    I can't quite follow you - d1.sophosupd.com is one of the update locations, this is a CNAME and resolves to a name on the CDN and one or more addresses there. The reverse lookup of the CDN address doesn't necessarily return something telling though (except in your case that the server on the CDN is probably located in Frankfurt).

    trustable

    Ok, you feel better with an SSL handshake. But then, it's SVRT which does the handshake so you have to trust the application, right? SVRT does verify the update location and contents with an equivalent mechanism - neither can you make it download from some arbitrary (rogue) source nor intercept the connection and feed it compromised data, it won't accept it.

    Christian

  • I have to agree to a certain extent with the OP that there is room for improvement in the documentation/UX for the free scan tool. Especially when they mention enterprise wonder marketing hype nonsense.

    I found it less than transparently documented about how it works with proxies and likely issues with user authenticated proxies which are still very common in the education sector.

    A helpful little FAQ that was easy to find on getting the update tool to work behind proxies which require user auth would be nice, and maybe a little button on the GUI saying click here to open log files location would do it for me.

    When you are up against it, which is normally when you are reaching for these tools, your cool has long since left and you're not often operating at peak skill level ; ) Anything to make you remember to do the proper things is helpful. I wasted a good hour trying to figure out why the free tool would not pick up the internet updates. Unhelpful error messages about checking my internet just make me cross.

    However, once I found the URL it was failing due to user auth issues on our proxy I was quickly able to create exceptions and get it working.

    Thanks to both of you for this thread as it helped me get back on track with sorting out the update annoyance.

    Cheers
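
The CNAME point made in this thread, as an added example that is not part of any post and not Sophos code: when triaging firewall or proxy logs, attribute a destination address to a documented update hostname by forward resolution (following the CNAME chain) rather than by its reverse lookup. Only d1.sophosupd.com comes from the thread; the CDN names, the addresses and all function names are constructed for illustration.

```python
# Constructed DNS data: only d1.sophosupd.com appears in the thread; the CDN
# names and the 192.0.2.x / 198.51.100.x addresses are placeholders.
ZONE = {
    "d1.sophosupd.com": [("CNAME", "d1.sophosupd.cdn.example")],
    "d1.sophosupd.cdn.example": [("CNAME", "edge-pool.cdn.example")],
    "edge-pool.cdn.example": [("A", "192.0.2.10"), ("A", "192.0.2.11")],
    "loop-a.example": [("CNAME", "loop-b.example")],
    "loop-b.example": [("CNAME", "loop-a.example")],
}
# Reverse (PTR) names as a firewall log would show them: CDN node names only.
PTR = {"192.0.2.10": "cdn-192-0-2-10.fra.cdn.example",
       "192.0.2.11": "cdn-192-0-2-11.fra.cdn.example",
       "198.51.100.7": "host7.other.example"}


def resolve(name, zone, max_hops=8):
    """Follow CNAMEs from name; return (chain_of_names, set_of_A_addresses)."""
    chain, seen = [name], {name}
    for _ in range(max_hops):
        records = zone.get(chain[-1], [])
        targets = [v for t, v in records if t == "CNAME"]
        if not targets:
            return chain, {v for t, v in records if t == "A"}
        nxt = targets[0]
        if nxt in seen:  # CNAME loop: treat the name as unresolvable
            return chain, set()
        chain.append(nxt)
        seen.add(nxt)
    return chain, set()


def attribute(dest_ip, allowed_hosts, zone):
    """Return the documented hostname whose forward resolution covers dest_ip."""
    for host in allowed_hosts:
        _, addrs = resolve(host, zone)
        if dest_ip in addrs:
            return host
    return None


def triage(dest_ips, allowed_hosts, zone, ptr):
    """Per destination: (ptr_name, matching_documented_host_or_None)."""
    return {ip: (ptr.get(ip), attribute(ip, allowed_hosts, zone))
            for ip in dest_ips}


if __name__ == "__main__":
    result = triage(["192.0.2.10", "198.51.100.7"],
                    ["d1.sophosupd.com"], ZONE, PTR)
    for ip, (ptr_name, host) in result.items():
        print(ip, ptr_name, "->", host or "not a documented update location")
```

Against live DNS the address set behind a CDN name changes over time, so an exception keyed on the hostname at the proxy holds up better than one keyed on a single resolved address.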