
Sophos Endpoint not updating & services not running

Hi Sophos

I have a laptop that I was going to encrypt using Sophos Central, but noticed in Sophos Central that it was reporting several errors with services not running.

Checking the services on the device showed that Device Control Service and Sophos Anti-Virus were not running.

Did a quick Google search and saw that a Sophos EHS KB article said to disable the Sophos AutoUpdate service, then rename the cache files, then delete the .xml file from the autoupdate folder.

I then started the service again, then went to update the Sophos endpoint. But the endpoint now does not update; it says update failed.

 

Tried changing the proxy in internet settings to see if it would come back up but left it several minutes and no changes.

I have logs that have the errors if need be.

I hope you can help, because the client that uses this machine will be needing the laptop by next week Wednesday to work from home.



  • Hi Samuel,

    Can you please check the Sophos Central dashboard for this computer? Under the STATUS tab, please check which services are failing.

    Also, see the AVREMOVE.TXT file from C:\Windows\Temp or %temp% folder to see if any third party application is blocking the installer.

  • Hi there thank you for your response.

    I have gone to the status under the device.

    Please see attached snippet from the Sophos Central.

    I have looked to see if I can see the test file under Windows\Temp on C drive. Enabled show hidden files, but I cannot see this file you describe, AVREMOVE.TXT.

  • Hi there, I have checked under the users directory \users\appdata\local\temp. Searched under my username and the end user's profile for the avremove.txt file; nothing there. Tried searching too. I do have error logs from the troubleshooter from within the Sophos Endpoint client, if that helps?

  • Sure, please see the error logs and copy and paste them here.

    Also you can try the below steps,

    · Disable tamper protection on the endpoint
      · Sophos Central - endpoint protection - computer - tamper protection - show password - copy
      · Go to the endpoint - put admin password - settings - check override policy - turn off tamper protection
    · Stop auto-update service
    · Rename decoded folder C:\ProgramData\Sophos\AutoUpdate\Cache\decoded
    · Rename warehouse folder C:\ProgramData\Sophos\AutoUpdate\data
    · Rename SophosUpdateStatus.xml C:\ProgramData\Sophos\AutoUpdate\data\status
    · Start auto-update service
    · Push Update again from Sophos GUI
    · Reboot the computer and wait for the update to complete.

     

  • Hi 

    I have run this three times; it still does not update. Just says in Sophos endpoint that the update has failed.

    This is before I rebooted; then I tried updating after reboot, same result.

  • Hi Samuel,

    Please find the SophosUpdate.log and cloud install log to see if you can find any errors. You can search with the keywords "failed" and "Error".

     

    Location: Sophos Autoupdate: C:\ProgramData\Sophos\AutoUpdate\Logs, 

    C:\ProgramData\Sophos\CloudInstaller\Logs

  • Here are the other files from the autoupdate folder. I was only able to upload the txt files; any other format would not work. I did try archiving them but it would keep coming up with an error.

    Attachments: 6443.susvc.log, 3362.SophosUpdate.log, 4617.alc.log

  • Hi Samuel,

     

    Here is the error. Please check on your firewall that the Sophos domains are whitelisted, and allowed via the proxy if you are using a proxy server.

     

    2019-11-27T11:09:34.8668259Z INFO : Opening connection to dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
    2019-11-27T11:09:34.8678213Z INFO : Sending request for connection confirmation through potential proxy
    2019-11-27T11:09:34.8678213Z INFO : Request content size: 0
    2019-11-27T11:09:35.0014633Z INFO : ValidateFileCertificateCheck: Validate certificate against file on WINHTTP_CALLBACK_STATUS_SENDING_REQUEST
    2019-11-27T11:09:35.0323796Z INFO : Subject certificate failed validation against root CA: SophosCA1
    2019-11-27T11:09:35.0333789Z INFO : Subject certificate failed validation against root CA: SophosCA2
    2019-11-27T11:09:35.0353990Z INFO : Subject certificate failed validation against root CA: Sophos SHA256 MCS Root CA3
    2019-11-27T11:09:35.0363694Z INFO : Subject certificate failed validation against root CA: Sophos SHA256 MCS Root CA4
    2019-11-27T11:09:35.0374079Z ERROR : Failed to validate server cert; terminating HTTP connection.
    2019-11-27T11:09:35.0383652Z ERROR : WinHttpSendRequest failed with certificate check failure and error 12017
    2019-11-27T11:09:35.0394040Z INFO : Failed to connect using proxy '192.168.172.204:8080' with error: WinHttpSendRequest failed: certificate check failure

     

    If that is not the case then please find the Sophos certificate using the Knowledge base article here and see if that is valid and up to date.

    Make sure Windows updates on the device are up to date.

     

  • I spoke to my colleague who looks after the firewalls and they said that they added the URL from the error logs into the Sophos Web Appliance, although Sophos was already showing as a trusted site.

     

    I have tried to update the endpoint again but it still fails. I have tried to reboot the laptop too; same msg.

    I have navigated to SSL Certificate; the address it gave me was https://dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com/sophos/management/ep

    Opened the link and Sophos Web Appliance came up with a msg saying blocked request, unable to verify certificate, which, from reading the article provided, is as it's supposed to happen.

    Downloaded the certificate valid from 2017 to 2027. 

    I have tried to update the endpoint again still failing.

  • Hi Samuel,

     

    If this issue still exists after certificate updates and there are no Windows updates pending, it is better to open a ticket with support for further investigation. Please create a new ticket, upload the logs and refer to this community link so that an available engineer can assist you further.

  • Given:
    2019-11-29T14:49:03.711Z [16056] [v6.0.457.0] INFO  Setup path C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\setup.dll.
    2019-11-29T14:49:03.711Z [16056] [v6.0.457.0] INFO  Trying to load setup.dll of product E17FE03B-0501-4aaa-BC69-0129D965F311 10.8.3.441.
    2019-11-29T14:49:03.721Z [16056] [v6.0.457.0] INFO  Setup DLL loaded C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\setup.dll.
    2019-11-29T14:49:03.721Z [16056] [v6.0.457.0] INFO  Trying interface IProductSetup2 of product E17FE03B-0501-4aaa-BC69-0129D965F311 10.8.3.441.
    2019-11-29T14:49:03.725Z [16056] [v6.0.457.0] WARN  IProductSetup2 threw exception Could not create instance.
    2019-11-29T14:49:03.725Z [16056] [v6.0.457.0] INFO  Creating CProductConfig interface.
    2019-11-29T14:49:03.725Z [16056] [v6.0.457.0] INFO  Trying interface IProductSetup of product E17FE03B-0501-4aaa-BC69-0129D965F311 10.8.3.441.
    2019-11-29T14:49:03.725Z [16056] [v6.0.457.0] INFO  Successfully established interface IProductSetup.
    2019-11-29T14:49:39.203Z [16056] [v6.0.457.0] INFO  Reboot state: 0
    2019-11-29T14:49:39.203Z [16056] [v6.0.457.0] WARN  Failed to install product E17FE03B-0501-4aaa-BC69-0129D965F311 10.8.3.441.

    It appears that SophosUpdate.exe is loading the setup DLL of SAV to help it install the SAV component.

    As AutoUpdate runs as SYSTEM, do you not have SAV install logs under \windows\temp\ at this time?

    If so, can you attach them?

    Regards,
    Jak
