I have a laptop that I was going to encrypt using Sophos Central, but noticed that Sophos Central was reporting several errors with services not running.
Checking the services on the device showed that Device Control Service and Sophos Anti-Virus were not running.
Did a quick Google search and saw that the advice from a Sophos EHS KB article was to disable the Sophos Autoupdate service, then rename the cache files, then delete the .xml file from the autoupdate folder.
I then started the service again then went to update the Sophos endpoint. But the endpoint now does not update, it says update failed.
Tried changing the proxy in internet settings to see if it would come back up but left it several minutes and no changes.
I have logs that have the errors if need be.
I hope you can help, as the client that uses this machine will be needing the laptop by Wednesday next week to work from home.
Can you please check the Sophos Central dashboard for this computer and, under the STATUS tab, check which services are failing?
Also, see the AVREMOVE.TXT file from C:\Windows\Temp or %temp% folder to see if any third party application is blocking the installer.
Hi there thank you for your response.
I have gone to the status under the device.
Please see attached snippet from the Sophos Central.
I have looked to see if I can see the test file under Windows\Temp on the C drive. Enabled show hidden files, but I cannot see the AVREMOVE.TXT file you describe.
Please check for avremove.txt under \users\appdata\local\temp folder as well.
Hi there, I have checked under the users directory \users\appdata\local\temp. Searched under my username and the end user's profile for the avremove.txt file; nothing there. Tried searching too. I do have error logs from the troubleshooter within the Sophos Endpoint client, if that helps?
Sure, please see the error logs and copy and paste them here.
Also you can try the below steps,
· Disable tamper protection on the endpoint
· Sophos central - endpoint protection - computer - tamper protection - show password - copy
· Go to the endpoint - put admin password - settings - check override policy - turn off tamper protection
· Stop auto-update service
· Rename decoded folder C:\ProgramData\Sophos\AutoUpdate\Cache\decoded
· Rename warehouse folder C:\ProgramData\Sophos\AutoUpdate\data
· Rename SophosUpdateStatus.xml C:\ProgramData\Sophos\AutoUpdate\data\status
· Start auto-update service
· Push Update again from Sophos GUI
· Reboot the computer and wait for the update to complete.
I have run this three times; it still does not update. It just says in Sophos Endpoint that the update has failed.
This is before I rebooted then I tried updating after reboot same result.
Please find the SophosUpdate.log and cloud install log to see if you can find any errors. You can search with keywords "failed" and "Error"
Location: Sophos Autoupdate: C:\ProgramData\Sophos\AutoUpdate\Logs,
Here are the cloud installer logs:
8737.SophosCloudInstaller_20191127_105933.log
Here are the other files from the autoupdate folder. I was only able to upload the txt files; any other format would not work. I did try archiving them, but it would keep coming up with an error.
6443.susvc.log
3362.SophosUpdate.log
4617.alc.log
Here is the error. Please check on your firewall that the Sophos domains are whitelisted and allowed via the proxy, if you are using a proxy server.
2019-11-27T11:09:34.8668259Z INFO : Opening connection to dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
2019-11-27T11:09:34.8678213Z INFO : Sending request for connection confirmation through potential proxy
2019-11-27T11:09:34.8678213Z INFO : Request content size: 0
2019-11-27T11:09:35.0014633Z INFO : ValidateFileCertificateCheck: Validate certificate against file on WINHTTP_CALLBACK_STATUS_SENDING_REQUEST
2019-11-27T11:09:35.0323796Z INFO : Subject certificate failed validation against root CA: SophosCA1
2019-11-27T11:09:35.0333789Z INFO : Subject certificate failed validation against root CA: SophosCA2
2019-11-27T11:09:35.0353990Z INFO : Subject certificate failed validation against root CA: Sophos SHA256 MCS Root CA3
2019-11-27T11:09:35.0363694Z INFO : Subject certificate failed validation against root CA: Sophos SHA256 MCS Root CA4
2019-11-27T11:09:35.0374079Z ERROR : Failed to validate server cert; terminating HTTP connection.
2019-11-27T11:09:35.0383652Z ERROR : WinHttpSendRequest failed with certificate check failure and error 12017
2019-11-27T11:09:35.0394040Z INFO : Failed to connect using proxy '192.168.172.204:8080' with error: WinHttpSendRequest failed: certificate check failure
If that is not the case then please find the Sophos certificate using the Knowledge base article here and see if that is valid and up to date.
Make sure Windows updates on the device are up to date.
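A triage helper for the log excerpt in the reply above, added here as an example (it is not Sophos code and not part of any poster's message); the function names are assumptions and the sample lines are the ones quoted in the thread. It groups lines per connection attempt and reports which Sophos root CAs rejected the server certificate and which proxy was in the path, a pattern consistent with the proxy presenting its own certificate instead of the Sophos one.

```python
import re

# Log lines copied from the excerpt quoted in the thread.
SAMPLE_LOG = """\
2019-11-27T11:09:34.8668259Z INFO : Opening connection to dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
2019-11-27T11:09:34.8678213Z INFO : Sending request for connection confirmation through potential proxy
2019-11-27T11:09:35.0323796Z INFO : Subject certificate failed validation against root CA: SophosCA1
2019-11-27T11:09:35.0333789Z INFO : Subject certificate failed validation against root CA: SophosCA2
2019-11-27T11:09:35.0353990Z INFO : Subject certificate failed validation against root CA: Sophos SHA256 MCS Root CA3
2019-11-27T11:09:35.0363694Z INFO : Subject certificate failed validation against root CA: Sophos SHA256 MCS Root CA4
2019-11-27T11:09:35.0374079Z ERROR : Failed to validate server cert; terminating HTTP connection.
2019-11-27T11:09:35.0383652Z ERROR : WinHttpSendRequest failed with certificate check failure and error 12017
2019-11-27T11:09:35.0394040Z INFO : Failed to connect using proxy '192.168.172.204:8080' with error: WinHttpSendRequest failed: certificate check failure
"""

LINE = re.compile(r"^(?P<ts>\S+Z)\s+(?P<level>[A-Z]+)\s*:\s*(?P<msg>.*)$")
OPEN = re.compile(r"Opening connection to (\S+)")
ROOT_FAIL = re.compile(r"failed validation against root CA: (.+)$")
PROXY_FAIL = re.compile(r"Failed to connect using proxy '([^']+)' with error: (.+)$")
WINHTTP = re.compile(r"error (\d+)$")

def summarize(log_text):
    """Group log lines into connection attempts and summarise each one."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unparseable lines
        msg = m["msg"]
        if (o := OPEN.search(msg)):
            # A new "Opening connection" line starts a new attempt.
            cur = {"host": o[1], "started": m["ts"], "rejected_roots": [],
                   "proxy": None, "winhttp_error": None, "reason": None}
            attempts.append(cur)
        elif cur is None:
            continue  # lines before the first attempt carry no context
        elif (r := ROOT_FAIL.search(msg)):
            cur["rejected_roots"].append(r[1])
        elif (p := PROXY_FAIL.search(msg)):
            cur["proxy"], cur["reason"] = p[1], p[2]
        elif m["level"] == "ERROR" and (w := WINHTTP.search(msg)):
            cur["winhttp_error"] = int(w[1])
    return attempts

def cert_check_failed_via_proxy(attempt):
    """True when the server certificate was rejected on a proxied connection."""
    return bool(attempt["proxy"] and attempt["rejected_roots"]
                and "certificate check failure" in (attempt["reason"] or ""))
```

Run `summarize()` over the full log file contents to see whether every attempt fails the same way through the same proxy, or whether a direct connection behaves differently.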
I spoke to my colleague who looks after the firewalls and they said that they added the URL from the error logs into the Sophos Web Appliance, although Sophos was already showing as a trusted site.
I have tried to update the endpoint again, but it still fails. I have tried to reboot the laptop too; same message.
I have navigated to SSL Certificate, the address it gave me was https://dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com/sophos/management/ep
Opened the link and the Sophos Web Appliance came up with a message saying blocked request, unable to verify certificate, which from reading the article provided is what is supposed to happen.
Downloaded the certificate, valid from 2017 to 2027.
I have tried to update the endpoint again; still failing.
If this issue still exists after certificate updates and there are no Windows updates pending, it is better to open a ticket with support for further investigation. Please create a new ticket, upload the logs and refer to this community link so that an available engineer can assist you further.