
Sophos Endpoint not updating & services not running

Hi Sophos

I have a laptop that I was going to encrypt using Sophos Central, but noticed that Sophos Central was reporting several errors with services not running.

Checking the services on the device showed that Device Control Service and Sophos Anti-Virus were not running.

Did a quick Google search and saw that the advice from a Sophos EHS KB article was to disable the Sophos AutoUpdate service, then rename the cache files, then delete the .xml file from the AutoUpdate folder.

I then started the service again then went to update the Sophos endpoint. But the endpoint now does not update, it says update failed.

 

Tried changing the proxy in internet settings to see if it would come back up but left it several minutes and no changes.

I have logs that have the errors if need be.

I hope you can help, as the client that uses this machine will be needing the laptop by next week Wednesday to work from home.



This thread was automatically locked due to age.
  • Hi Samuel,

    Can you please check the Sophos Central dashboard for this computer? Under the STATUS tab, please check which services are failing.

    Also, see the AVREMOVE.TXT file from C:\Windows\Temp or %temp% folder to see if any third party application is blocking the installer.

    SAJ
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
  • Hi there thank you for your response.

    I have gone to the status under the device.

    Please see attached snippet from the Sophos Central.

    I have looked to see if I can see the text file under Windows\Temp on the C drive. Enabled show hidden files, but I cannot see the file you describe, AVREMOVE.TXT.

  • Hi Samuel,

    Please check for avremove.txt under \users\appdata\local\temp folder as well.

    SAJ
    Community Support Engineer | Sophos Technical Support
  • Hi there, I have checked under the users directory \users\appdata\local\temp. Searched under my username and the end user's profile for the avremove.txt file; nothing there. Tried searching too. I do have error logs from the troubleshooter from within the Sophos Endpoint client if that helps?

  • Sure, please see the error logs and copy and paste them here.

    Also you can try the below steps,

    · Disable tamper protection on the endpoint
    · Sophos Central > Endpoint Protection > Computer > Tamper Protection > Show password > Copy
    · Go to the endpoint > put admin password > Settings > check override policy > turn off tamper protection
    · Stop auto-update service
    · Rename decoded folder: C:\ProgramData\Sophos\AutoUpdate\Cache\decoded
    · Rename warehouse folder: C:\ProgramData\Sophos\AutoUpdate\data
    · Rename SophosUpdateStatus.xml: C:\ProgramData\Sophos\AutoUpdate\data\status
    · Start auto-update service
    · Push Update again from Sophos GUI
    · Reboot the computer and wait for the update to complete.

     

    SAJ
    Community Support Engineer | Sophos Technical Support
  • Hi 

    I have run this three times; it still does not update. It just says in Sophos Endpoint that the update has failed.

    This is before I rebooted. Then I tried updating after the reboot, same result.

  • Hi Samuel,

    Please find the SophosUpdate.log and the cloud install log to see if you can find any errors. You can search with the keywords "failed" and "Error".

     

    Location: Sophos Autoupdate: C:\ProgramData\Sophos\AutoUpdate\Logs, 

    C:\ProgramData\Sophos\CloudInstaller\Logs

    SAJ
    Community Support Engineer | Sophos Technical Support
  • Here are the other files from the autoupdate folder. I was only able to upload the txt files; any other format would not work. I did try archiving them but it would keep coming up with an error.

    Attachments: 6443.susvc.log, 3362.SophosUpdate.log, 4617.alc.log

  • Hi Samuel,

     

    Here is the error. Please check on your firewall that the Sophos domains are whitelisted, and that they are allowed via the proxy if you are using a proxy server.

     

    2019-11-27T11:09:34.8668259Z INFO : Opening connection to dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
    2019-11-27T11:09:34.8678213Z INFO : Sending request for connection confirmation through potential proxy
    2019-11-27T11:09:34.8678213Z INFO : Request content size: 0
    2019-11-27T11:09:35.0014633Z INFO : ValidateFileCertificateCheck: Validate certificate against file on WINHTTP_CALLBACK_STATUS_SENDING_REQUEST
    2019-11-27T11:09:35.0323796Z INFO : Subject certificate failed validation against root CA: SophosCA1
    2019-11-27T11:09:35.0333789Z INFO : Subject certificate failed validation against root CA: SophosCA2
    2019-11-27T11:09:35.0353990Z INFO : Subject certificate failed validation against root CA: Sophos SHA256 MCS Root CA3
    2019-11-27T11:09:35.0363694Z INFO : Subject certificate failed validation against root CA: Sophos SHA256 MCS Root CA4
    2019-11-27T11:09:35.0374079Z ERROR : Failed to validate server cert; terminating HTTP connection.
    2019-11-27T11:09:35.0383652Z ERROR : WinHttpSendRequest failed with certificate check failure and error 12017
    2019-11-27T11:09:35.0394040Z INFO : Failed to connect using proxy '192.168.172.204:8080' with error: WinHttpSendRequest failed: certificate check failure

     

    If that is not the case then please find the Sophos certificate using the Knowledge base article here and see if that is valid and up to date.

    Make sure Windows updates on the device are up to date.

     

    SAJ
    Community Support Engineer | Sophos Technical Support