This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Live Query Update CPU consumption and errors

Hi,

we noticed high CPU load on some servers with IX with XDR.

Today a Domain Controller, single core machine was busy for hours starting with the installation of Sophos Live Query update. After the update itself there were process running with high cpu load like SophosOsqueryExtension.exe or SophosLiveQueryService.exe.

First attempt was at 12:20, second at 14:20

SophosOsquery.log:

2021-10-15T00:51:36.257Z ---Process terminated---
I1015 02:53:33.000435 14144 interface.cpp:110] Registering extension (SophosExtension, 10046, version=3.2.1.206, sdk=4.4.0)
I1015 02:53:33.016062 11380 interface.cpp:110] Registering extension (sophosmdrextension, 25143, version=2.1.0.65, sdk=)
W1015 02:53:33.548032  2232 init.cpp:597] Error reading config: Missing config plugin 

2021-10-15T10:21:30.252Z ---Process terminated---

2021-10-15T10:26:14.727Z ---Process terminated---
I1015 14:19:11.046438  6368 interface.cpp:110] Registering extension (SophosServiceExtension, 15616, version=3.2.1.206, sdk=4.4.0)
I1015 14:19:12.178261  6452 interface.cpp:110] Registering extension (sophosmdrextension, 25168, version=2.1.0.65, sdk=)
I1015 14:19:12.215044 13120 interface.cpp:110] Registering extension (SophosExtension, 14931, version=3.2.1.206, sdk=4.4.0)
I1015 14:19:36.588044  9996 interfaces.cpp:102] Failed to retrieve network statistics for interface 1
I1015 14:19:36.744299  9996 interfaces.cpp:130] Failed to retrieve physical state for interface 1
I1015 14:19:36.775547  9996 interfaces.cpp:157] Failed to retrieve DHCP and DNS information for interface 1
I1015 14:19:36.791172  9996 interfaces.cpp:102] Failed to retrieve network statistics for interface 13
I1015 14:19:38.275583  7508 scheduler.cpp:112] Executing scheduled query pack_live_query_3_sophos_ips_windows
I1015 14:20:04.570500  7508 interfaces.cpp:102] Failed to retrieve network statistics for interface 1
I1015 14:20:04.803503  7508 interfaces.cpp:130] Failed to retrieve physical state for interface 1
I1015 14:20:04.850378  7508 interfaces.cpp:157] Failed to retrieve DHCP and DNS information for interface 1
I1015 14:20:04.866004  7508 interfaces.cpp:102] Failed to retrieve network statistics for interface 13
I1015 14:20:06.350426  7508 scheduler.cpp:127] Query pack_live_query_3_sophos_ips_windows finished after: 28080 milliseconds
I1015 14:20:06.350426  7508 query.cpp:117] New Epoch 1633830848 for scheduled query pack_live_query_3_sophos_ips_windows
I1015 14:20:06.694180  7508 scheduler.cpp:112] Executing scheduled query open_sockets
I1015 14:20:06.787930  7508 processes.cpp:366] Failed to lookup path information for process 4
I1015 14:20:06.787930  7508 processes.cpp:338] Failed to get PEB UPP for 4 with 0
I1015 14:20:06.787930  7508 processes.cpp:380] Failed to get cwd for 4 with 0
I1015 14:20:06.787930  7508 processes.cpp:272] Failed to get PEB UPP for 4 with 0
I1015 14:20:06.787930  7508 processes.cpp:338] Failed to get PEB UPP for 312 with 5
I1015 14:20:06.787930  7508 processes.cpp:380] Failed to get cwd for 312 with 5
I1015 14:20:06.787930  7508 processes.cpp:338] Failed to get PEB UPP for 408 with 5
I1015 14:20:06.787930  7508 processes.cpp:380] Failed to get cwd for 408 with 5
I1015 14:20:06.787930  7508 processes.cpp:338] Failed to get PEB UPP for 496 with 5
I1015 14:20:06.787930  7508 processes.cpp:380] Failed to get cwd for 496 with 5
I1015 14:20:06.803558  7508 processes.cpp:338] Failed to get PEB UPP for 592 with 5
I1015 14:20:06.803558  7508 processes.cpp:380] Failed to get cwd for 592 with 5
I1015 14:20:07.084818  7508 scheduler.cpp:127] Query open_sockets finished after: 382 milliseconds
I1015 14:20:07.084818  7508 query.cpp:117] New Epoch 1633830848 for scheduled query open_sockets
I1015 14:20:08.681063  7508 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 14:30:48.251125  4480 extensions.cpp:348] Extension UUID 14931 has gone away
I1015 15:16:03.905375  7508 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 3355209 milliseconds
I1015 15:16:04.230396  7508 query.cpp:117] New Epoch 1633830848 for scheduled query pack_live_query_3_running_processes_windows_sophos
E1015 15:16:07.290649  7508 shutdown.cpp:69] Error logging the results of query: pack_live_query_3_running_processes_windows_sophos: Extension socket not available: \\.\pipe\sophoslivequery_MgwNX22Pmq.sock.15616

2021-10-15T13:16:08.153Z ---Process terminated---
I1015 15:16:42.916321  7680 interface.cpp:110] Registering extension (SophosServiceExtension, 19468, version=3.2.1.206, sdk=4.4.0)
I1015 15:16:43.383359  1220 interface.cpp:110] Registering extension (sophosmdrextension, 25492, version=2.1.0.65, sdk=)
I1015 15:16:43.422360  6800 interface.cpp:110] Registering extension (SophosExtension, 2377, version=3.2.1.206, sdk=4.4.0)
I1015 15:16:47.160462 14144 interfaces.cpp:102] Failed to retrieve network statistics for interface 1
I1015 15:16:47.258472 14144 interfaces.cpp:130] Failed to retrieve physical state for interface 1
I1015 15:16:47.272472 14144 interfaces.cpp:157] Failed to retrieve DHCP and DNS information for interface 1
I1015 15:16:47.287473 14144 interfaces.cpp:102] Failed to retrieve network statistics for interface 13
I1015 15:16:51.540437 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 15:26:44.964210 13580 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 593423 milliseconds
I1015 15:26:45.026214 13580 query.cpp:122] Scheduled query has been updated: pack_live_query_3_running_processes_windows_sophos
I1015 15:27:07.499006 13580 scheduler.cpp:112] Executing scheduled query open_sockets
I1015 15:27:07.537006 13580 processes.cpp:366] Failed to lookup path information for process 4
I1015 15:27:07.549505 13580 processes.cpp:338] Failed to get PEB UPP for 4 with 0
I1015 15:27:07.549505 13580 processes.cpp:380] Failed to get cwd for 4 with 0
I1015 15:27:07.549505 13580 processes.cpp:272] Failed to get PEB UPP for 4 with 0
I1015 15:27:07.550496 13580 processes.cpp:338] Failed to get PEB UPP for 312 with 5
I1015 15:27:07.550496 13580 processes.cpp:380] Failed to get cwd for 312 with 5
I1015 15:27:07.550496 13580 processes.cpp:338] Failed to get PEB UPP for 408 with 5
I1015 15:27:07.550496 13580 processes.cpp:380] Failed to get cwd for 408 with 5
I1015 15:27:07.551496 13580 processes.cpp:338] Failed to get PEB UPP for 496 with 5
I1015 15:27:07.551496 13580 processes.cpp:380] Failed to get cwd for 496 with 5
I1015 15:27:07.552496 13580 processes.cpp:338] Failed to get PEB UPP for 592 with 5
I1015 15:27:07.552496 13580 processes.cpp:380] Failed to get cwd for 592 with 5
I1015 15:27:07.570498 13580 processes.cpp:338] Failed to get PEB UPP for 9320 with 5
I1015 15:27:07.570498 13580 processes.cpp:380] Failed to get cwd for 9320 with 5
I1015 15:27:07.655519 13580 scheduler.cpp:127] Query open_sockets finished after: 144 milliseconds
I1015 15:27:07.676522 13580 query.cpp:122] Scheduled query has been updated: open_sockets
I1015 15:27:11.500754 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_changed_files_windows_sophos
I1015 15:28:02.400807 13580 scheduler.cpp:127] Query pack_live_query_3_changed_files_windows_sophos finished after: 50900 milliseconds
I1015 15:28:02.438808 13580 query.cpp:117] New Epoch 1633830848 for scheduled query pack_live_query_3_changed_files_windows_sophos
I1015 15:28:02.723834 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 15:28:12.626657 13580 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 9903 milliseconds
I1015 15:28:13.748749 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_ioc_windows_registry_malware_sdbot
I1015 15:29:41.266014 13580 scheduler.cpp:127] Query pack_live_query_3_ioc_windows_registry_malware_sdbot finished after: 87517 milliseconds
I1015 15:29:41.304018 13580 query.cpp:117] New Epoch 1633830848 for scheduled query pack_live_query_3_ioc_windows_registry_malware_sdbot
I1015 15:29:45.385383 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_sophos_urls_windows
I1015 15:29:45.462385 13580 scheduler.cpp:127] Query pack_live_query_3_sophos_urls_windows finished after: 77 milliseconds
I1015 15:29:45.482385 13580 query.cpp:117] New Epoch 1633830848 for scheduled query pack_live_query_3_sophos_urls_windows
I1015 15:29:53.899271 13580 scheduler.cpp:112] Executing scheduled query open_sockets
I1015 15:29:53.963279 13580 processes.cpp:366] Failed to lookup path information for process 4
I1015 15:29:53.963279 13580 processes.cpp:338] Failed to get PEB UPP for 4 with 0
I1015 15:29:53.963279 13580 processes.cpp:380] Failed to get cwd for 4 with 0
I1015 15:29:53.964278 13580 processes.cpp:272] Failed to get PEB UPP for 4 with 0
I1015 15:29:53.964278 13580 processes.cpp:338] Failed to get PEB UPP for 312 with 5
I1015 15:29:53.964278 13580 processes.cpp:380] Failed to get cwd for 312 with 5
I1015 15:29:53.965279 13580 processes.cpp:338] Failed to get PEB UPP for 408 with 5
I1015 15:29:53.965279 13580 processes.cpp:380] Failed to get cwd for 408 with 5
I1015 15:29:53.966279 13580 processes.cpp:338] Failed to get PEB UPP for 496 with 5
I1015 15:29:53.966279 13580 processes.cpp:380] Failed to get cwd for 496 with 5
I1015 15:29:53.967278 13580 processes.cpp:338] Failed to get PEB UPP for 592 with 5
I1015 15:29:53.967278 13580 processes.cpp:380] Failed to get cwd for 592 with 5
I1015 15:29:53.985280 13580 processes.cpp:338] Failed to get PEB UPP for 9320 with 5
I1015 15:29:53.985280 13580 processes.cpp:380] Failed to get cwd for 9320 with 5
I1015 15:29:54.085289 13580 scheduler.cpp:127] Query open_sockets finished after: 186 milliseconds
I1015 15:29:59.907388 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 15:30:00.038398 13580 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 130 milliseconds
I1015 15:30:07.186324 13580 scheduler.cpp:112] Executing scheduled query vulnerability_outlook_flags
I1015 15:30:07.228338 13580 scheduler.cpp:127] Query vulnerability_outlook_flags finished after: 41 milliseconds
I1015 15:30:07.247329 13580 query.cpp:117] New Epoch 1633830848 for scheduled query vulnerability_outlook_flags
I1015 15:30:26.661562 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 15:30:31.972985 13580 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 5311 milliseconds
I1015 15:30:32.662581 13580 scheduler.cpp:112] Executing scheduled query open_sockets
I1015 15:30:32.684434 13580 processes.cpp:366] Failed to lookup path information for process 4
I1015 15:30:32.685434 13580 processes.cpp:338] Failed to get PEB UPP for 4 with 0
I1015 15:30:32.685434 13580 processes.cpp:380] Failed to get cwd for 4 with 0
I1015 15:30:32.685434 13580 processes.cpp:272] Failed to get PEB UPP for 4 with 0
I1015 15:30:32.685434 13580 processes.cpp:338] Failed to get PEB UPP for 312 with 5
I1015 15:30:32.685434 13580 processes.cpp:380] Failed to get cwd for 312 with 5
I1015 15:30:32.686435 13580 processes.cpp:338] Failed to get PEB UPP for 408 with 5
I1015 15:30:32.686435 13580 processes.cpp:380] Failed to get cwd for 408 with 5
I1015 15:30:32.687435 13580 processes.cpp:338] Failed to get PEB UPP for 496 with 5
I1015 15:30:32.687435 13580 processes.cpp:380] Failed to get cwd for 496 with 5
I1015 15:30:32.688436 13580 processes.cpp:338] Failed to get PEB UPP for 592 with 5
I1015 15:30:32.688436 13580 processes.cpp:380] Failed to get cwd for 592 with 5
I1015 15:30:32.706436 13580 processes.cpp:338] Failed to get PEB UPP for 9320 with 5
I1015 15:30:32.706436 13580 processes.cpp:380] Failed to get cwd for 9320 with 5
I1015 15:30:32.794450 13580 scheduler.cpp:127] Query open_sockets finished after: 131 milliseconds
I1015 15:30:32.871450 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_changed_files_windows_sophos
I1015 15:30:33.593509 13580 scheduler.cpp:127] Query pack_live_query_3_changed_files_windows_sophos finished after: 721 milliseconds
I1015 15:30:33.610509 13580 query.cpp:122] Scheduled query has been updated: pack_live_query_3_changed_files_windows_sophos
I1015 15:30:48.503453 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_ioc_windows_registry_malware_sdbot
I1015 15:30:48.676465 13580 scheduler.cpp:127] Query pack_live_query_3_ioc_windows_registry_malware_sdbot finished after: 173 milliseconds
I1015 15:30:48.694463 13580 query.cpp:122] Scheduled query has been updated: pack_live_query_3_ioc_windows_registry_malware_sdbot
I1015 15:30:49.504091 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 15:30:49.661098 13580 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 157 milliseconds
I1015 15:30:59.633533 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_2_windows_event_invalid_logon
I1015 15:31:02.960021 13580 scheduler.cpp:127] Query pack_live_query_2_windows_event_invalid_logon finished after: 3326 milliseconds
I1015 15:31:02.980026 13580 query.cpp:117] New Epoch 1633830848 for scheduled query pack_live_query_2_windows_event_invalid_logon
I1015 15:31:03.024029 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_sophos_urls_windows
I1015 15:31:03.092046 13580 scheduler.cpp:127] Query pack_live_query_3_sophos_urls_windows finished after: 67 milliseconds
I1015 15:31:03.109035 13580 query.cpp:122] Scheduled query has been updated: pack_live_query_3_sophos_urls_windows
I1015 15:31:08.638104 13580 scheduler.cpp:112] Executing scheduled query open_sockets
I1015 15:31:08.672093 13580 processes.cpp:366] Failed to lookup path information for process 4
I1015 15:31:08.672093 13580 processes.cpp:338] Failed to get PEB UPP for 4 with 0
I1015 15:31:08.672093 13580 processes.cpp:380] Failed to get cwd for 4 with 0
I1015 15:31:08.673094 13580 processes.cpp:272] Failed to get PEB UPP for 4 with 0
I1015 15:31:08.673094 13580 processes.cpp:338] Failed to get PEB UPP for 312 with 5
I1015 15:31:08.673094 13580 processes.cpp:380] Failed to get cwd for 312 with 5
I1015 15:31:08.674095 13580 processes.cpp:338] Failed to get PEB UPP for 408 with 5
I1015 15:31:08.674095 13580 processes.cpp:380] Failed to get cwd for 408 with 5
I1015 15:31:08.675094 13580 processes.cpp:338] Failed to get PEB UPP for 496 with 5
I1015 15:31:08.675094 13580 processes.cpp:380] Failed to get cwd for 496 with 5
I1015 15:31:08.676095 13580 processes.cpp:338] Failed to get PEB UPP for 592 with 5
I1015 15:31:08.676095 13580 processes.cpp:380] Failed to get cwd for 592 with 5
I1015 15:31:08.720098 13580 processes.cpp:338] Failed to get PEB UPP for 9320 with 5
I1015 15:31:08.720098 13580 processes.cpp:380] Failed to get cwd for 9320 with 5
I1015 15:31:08.797103 13580 scheduler.cpp:127] Query open_sockets finished after: 159 milliseconds
I1015 15:31:11.639194 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 15:31:11.765194 13580 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 126 milliseconds
I1015 15:31:32.978471 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 15:31:33.077338 13580 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 99 milliseconds
I1015 15:31:38.130842 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_changed_files_windows_sophos
I1015 15:31:38.327854 13580 scheduler.cpp:127] Query pack_live_query_3_changed_files_windows_sophos finished after: 197 milliseconds
I1015 15:31:42.596835 13580 scheduler.cpp:112] Executing scheduled query open_sockets
I1015 15:31:42.623836 13580 processes.cpp:366] Failed to lookup path information for process 4
I1015 15:31:42.623836 13580 processes.cpp:338] Failed to get PEB UPP for 4 with 0
I1015 15:31:42.623836 13580 processes.cpp:380] Failed to get cwd for 4 with 0
I1015 15:31:42.624835 13580 processes.cpp:272] Failed to get PEB UPP for 4 with 0
I1015 15:31:42.624835 13580 processes.cpp:338] Failed to get PEB UPP for 312 with 5
I1015 15:31:42.624835 13580 processes.cpp:380] Failed to get cwd for 312 with 5
I1015 15:31:42.625835 13580 processes.cpp:338] Failed to get PEB UPP for 408 with 5
I1015 15:31:42.625835 13580 processes.cpp:380] Failed to get cwd for 408 with 5
I1015 15:31:42.626834 13580 processes.cpp:338] Failed to get PEB UPP for 496 with 5
I1015 15:31:42.626834 13580 processes.cpp:380] Failed to get cwd for 496 with 5
I1015 15:31:42.627835 13580 processes.cpp:338] Failed to get PEB UPP for 592 with 5
I1015 15:31:42.627835 13580 processes.cpp:380] Failed to get cwd for 592 with 5
I1015 15:31:42.645836 13580 processes.cpp:338] Failed to get PEB UPP for 9320 with 5
I1015 15:31:42.645836 13580 processes.cpp:380] Failed to get cwd for 9320 with 5
I1015 15:31:42.723842 13580 scheduler.cpp:127] Query open_sockets finished after: 127 milliseconds
I1015 15:31:49.600262 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_ioc_windows_registry_malware_sdbot
I1015 15:31:49.706159 13580 scheduler.cpp:127] Query pack_live_query_3_ioc_windows_registry_malware_sdbot finished after: 106 milliseconds
I1015 15:31:54.627900 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 15:31:54.746912 13580 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 119 milliseconds
I1015 15:32:06.907352 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_sophos_urls_windows
I1015 15:32:06.965337 13580 scheduler.cpp:127] Query pack_live_query_3_sophos_urls_windows finished after: 57 milliseconds
I1015 15:32:15.924393 13580 scheduler.cpp:112] Executing scheduled query open_sockets
I1015 15:32:15.959398 13580 processes.cpp:366] Failed to lookup path information for process 4
I1015 15:32:15.959398 13580 processes.cpp:338] Failed to get PEB UPP for 4 with 0
I1015 15:32:15.959398 13580 processes.cpp:380] Failed to get cwd for 4 with 0
I1015 15:32:15.959398 13580 processes.cpp:272] Failed to get PEB UPP for 4 with 0
I1015 15:32:15.960397 13580 processes.cpp:338] Failed to get PEB UPP for 312 with 5
I1015 15:32:15.960397 13580 processes.cpp:380] Failed to get cwd for 312 with 5
I1015 15:32:15.960397 13580 processes.cpp:338] Failed to get PEB UPP for 408 with 5
I1015 15:32:15.961398 13580 processes.cpp:380] Failed to get cwd for 408 with 5
I1015 15:32:15.961398 13580 processes.cpp:338] Failed to get PEB UPP for 496 with 5
I1015 15:32:15.961398 13580 processes.cpp:380] Failed to get cwd for 496 with 5
I1015 15:32:15.962399 13580 processes.cpp:338] Failed to get PEB UPP for 592 with 5
I1015 15:32:15.962399 13580 processes.cpp:380] Failed to get cwd for 592 with 5
I1015 15:32:15.985399 13580 processes.cpp:338] Failed to get PEB UPP for 9320 with 5
I1015 15:32:15.985399 13580 processes.cpp:380] Failed to get cwd for 9320 with 5
I1015 15:32:16.062404 13580 scheduler.cpp:127] Query open_sockets finished after: 136 milliseconds
I1015 15:32:16.155414 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 15:32:16.259423 13580 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 104 milliseconds
I1015 15:32:37.138183 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 15:32:37.243194 13580 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 104 milliseconds
I1015 15:32:41.519100 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_changed_files_windows_sophos
I1015 15:32:41.650107 13580 scheduler.cpp:127] Query pack_live_query_3_changed_files_windows_sophos finished after: 131 milliseconds
I1015 15:32:49.562906 13580 scheduler.cpp:112] Executing scheduled query open_sockets
I1015 15:32:49.640911 13580 processes.cpp:366] Failed to lookup path information for process 4
I1015 15:32:49.641913 13580 processes.cpp:338] Failed to get PEB UPP for 4 with 0
I1015 15:32:49.641913 13580 processes.cpp:380] Failed to get cwd for 4 with 0
I1015 15:32:49.641913 13580 processes.cpp:272] Failed to get PEB UPP for 4 with 0
I1015 15:32:49.642913 13580 processes.cpp:338] Failed to get PEB UPP for 312 with 5
I1015 15:32:49.642913 13580 processes.cpp:380] Failed to get cwd for 312 with 5
I1015 15:32:49.642913 13580 processes.cpp:338] Failed to get PEB UPP for 408 with 5
I1015 15:32:49.642913 13580 processes.cpp:380] Failed to get cwd for 408 with 5
I1015 15:32:49.643913 13580 processes.cpp:338] Failed to get PEB UPP for 496 with 5
I1015 15:32:49.643913 13580 processes.cpp:380] Failed to get cwd for 496 with 5
I1015 15:32:49.644914 13580 processes.cpp:338] Failed to get PEB UPP for 592 with 5
I1015 15:32:49.644914 13580 processes.cpp:380] Failed to get cwd for 592 with 5
I1015 15:32:49.665916 13580 processes.cpp:338] Failed to get PEB UPP for 9320 with 5
I1015 15:32:49.665916 13580 processes.cpp:380] Failed to get cwd for 9320 with 5
I1015 15:32:49.752938 13580 scheduler.cpp:127] Query open_sockets finished after: 189 milliseconds
I1015 15:32:49.859931 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_ioc_windows_registry_malware_sdbot
I1015 15:32:49.988782 13580 scheduler.cpp:127] Query pack_live_query_3_ioc_windows_registry_malware_sdbot finished after: 129 milliseconds
I1015 15:32:58.594552 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 15:32:58.736557 13580 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 142 milliseconds
I1015 15:33:13.927160 13580 scheduler.cpp:112] Executing scheduled query vulnerability_uac_disabled
I1015 15:33:13.986164 13580 scheduler.cpp:127] Query vulnerability_uac_disabled finished after: 58 milliseconds
I1015 15:33:14.003151 13580 query.cpp:117] New Epoch 1633830848 for scheduled query vulnerability_uac_disabled
I1015 15:33:14.057227 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_access_productivity_documents
I1015 15:33:14.111227 13580 scheduler.cpp:127] Query pack_live_query_3_access_productivity_documents finished after: 54 milliseconds
I1015 15:33:14.145223 13580 query.cpp:117] New Epoch 1633830848 for scheduled query pack_live_query_3_access_productivity_documents
I1015 15:33:14.186236 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_sophos_urls_windows
I1015 15:33:14.239235 13580 scheduler.cpp:127] Query pack_live_query_3_sophos_urls_windows finished after: 52 milliseconds
I1015 15:33:20.945286 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 15:33:21.066295 13580 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 121 milliseconds
I1015 15:33:23.959287 13580 scheduler.cpp:112] Executing scheduled query open_sockets
I1015 15:33:23.994927 13580 processes.cpp:366] Failed to lookup path information for process 4
I1015 15:33:23.994927 13580 processes.cpp:338] Failed to get PEB UPP for 4 with 0
I1015 15:33:23.994927 13580 processes.cpp:380] Failed to get cwd for 4 with 0
I1015 15:33:23.994927 13580 processes.cpp:272] Failed to get PEB UPP for 4 with 0
I1015 15:33:23.995929 13580 processes.cpp:338] Failed to get PEB UPP for 312 with 5
I1015 15:33:23.995929 13580 processes.cpp:380] Failed to get cwd for 312 with 5
I1015 15:33:23.995929 13580 processes.cpp:338] Failed to get PEB UPP for 408 with 5
I1015 15:33:23.995929 13580 processes.cpp:380] Failed to get cwd for 408 with 5
I1015 15:33:23.996928 13580 processes.cpp:338] Failed to get PEB UPP for 496 with 5
I1015 15:33:23.997928 13580 processes.cpp:380] Failed to get cwd for 496 with 5
I1015 15:33:23.997928 13580 processes.cpp:338] Failed to get PEB UPP for 592 with 5
I1015 15:33:23.998929 13580 processes.cpp:380] Failed to get cwd for 592 with 5
I1015 15:33:24.025931 13580 processes.cpp:338] Failed to get PEB UPP for 9320 with 5
I1015 15:33:24.026932 13580 processes.cpp:380] Failed to get cwd for 9320 with 5
I1015 15:33:24.102937 13580 scheduler.cpp:127] Query open_sockets finished after: 142 milliseconds
I1015 15:33:41.514442 13580 scheduler.cpp:112] Executing scheduled query pack_live_query_3_sophos_ips_windows
W1015 15:34:05.386528 10412 watcher.cpp:360] osqueryd worker (11176) stopping: Memory limits exceeded: 320888832

2021-10-15T13:34:06.229Z ---Process terminated---
I1015 15:34:37.869619 10608 interface.cpp:110] Registering extension (SophosServiceExtension, 20220, version=3.2.1.206, sdk=4.4.0)
I1015 15:34:38.249662 13572 interface.cpp:110] Registering extension (sophosmdrextension, 29150, version=2.1.0.65, sdk=)
I1015 15:34:38.292652  6888 interface.cpp:110] Registering extension (SophosExtension, 747, version=3.2.1.206, sdk=4.4.0)
W1015 15:34:38.819293  9396 config.cpp:325] Scheduled query may have failed: pack_live_query_3_sophos_ips_windows
I1015 15:34:41.820823  9396 interfaces.cpp:102] Failed to retrieve network statistics for interface 1
I1015 15:34:41.921833  9396 interfaces.cpp:130] Failed to retrieve physical state for interface 1
I1015 15:34:41.936833  9396 interfaces.cpp:157] Failed to retrieve DHCP and DNS information for interface 1
I1015 15:34:41.948835  9396 interfaces.cpp:102] Failed to retrieve network statistics for interface 13
I1015 15:34:42.193853  4328 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 15:34:42.309865  4328 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 115 milliseconds
I1015 15:34:57.459303  4328 scheduler.cpp:112] Executing scheduled query pack_live_query_3_ioc_windows_registry_malware_sdbot
I1015 15:34:57.524300  4328 scheduler.cpp:127] Query pack_live_query_3_ioc_windows_registry_malware_sdbot finished after: 65 milliseconds
I1015 15:35:03.463533  4328 scheduler.cpp:112] Executing scheduled query open_sockets
I1015 15:35:03.489531  4328 processes.cpp:366] Failed to lookup path information for process 4
I1015 15:35:03.489531  4328 processes.cpp:338] Failed to get PEB UPP for 4 with 0
I1015 15:35:03.489531  4328 processes.cpp:380] Failed to get cwd for 4 with 0
I1015 15:35:03.489531  4328 processes.cpp:272] Failed to get PEB UPP for 4 with 0
I1015 15:35:03.489531  4328 processes.cpp:338] Failed to get PEB UPP for 312 with 5
I1015 15:35:03.490531  4328 processes.cpp:380] Failed to get cwd for 312 with 5
I1015 15:35:03.490531  4328 processes.cpp:338] Failed to get PEB UPP for 408 with 5
I1015 15:35:03.490531  4328 processes.cpp:380] Failed to get cwd for 408 with 5
I1015 15:35:03.491530  4328 processes.cpp:338] Failed to get PEB UPP for 496 with 5
I1015 15:35:03.491530  4328 processes.cpp:380] Failed to get cwd for 496 with 5
I1015 15:35:03.492530  4328 processes.cpp:338] Failed to get PEB UPP for 592 with 5
I1015 15:35:03.492530  4328 processes.cpp:380] Failed to get cwd for 592 with 5
I1015 15:35:03.514533  4328 processes.cpp:338] Failed to get PEB UPP for 9320 with 5
I1015 15:35:03.514533  4328 processes.cpp:380] Failed to get cwd for 9320 with 5
I1015 15:35:03.711695  4328 scheduler.cpp:127] Query open_sockets finished after: 247 milliseconds
I1015 15:35:03.889335  4328 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 15:35:09.391791  4328 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 5502 milliseconds
I1015 15:35:09.579808  4328 scheduler.cpp:112] Executing scheduled query pack_live_query_2_vulnerability_netlogon_cve_trust_account
I1015 15:35:22.640890  4328 scheduler.cpp:127] Query pack_live_query_2_vulnerability_netlogon_cve_trust_account finished after: 13061 milliseconds
I1015 15:35:22.646893  4328 query.cpp:117] New Epoch 1633830848 for scheduled query pack_live_query_2_vulnerability_netlogon_cve_trust_account
I1015 15:35:24.467813  4328 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 15:35:24.622823  4328 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 154 milliseconds
I1015 15:35:34.471964  4328 scheduler.cpp:112] Executing scheduled query pack_live_query_3_changed_files_windows_sophos
I1015 15:35:34.769412  4328 scheduler.cpp:127] Query pack_live_query_3_changed_files_windows_sophos finished after: 297 milliseconds
I1015 15:35:36.473307  4328 scheduler.cpp:112] Executing scheduled query open_sockets
I1015 15:35:36.508946  4328 processes.cpp:366] Failed to lookup path information for process 4
I1015 15:35:36.508946  4328 processes.cpp:338] Failed to get PEB UPP for 4 with 0
I1015 15:35:36.508946  4328 processes.cpp:380] Failed to get cwd for 4 with 0
I1015 15:35:36.509946  4328 processes.cpp:272] Failed to get PEB UPP for 4 with 0
I1015 15:35:36.509946  4328 processes.cpp:338] Failed to get PEB UPP for 312 with 5
I1015 15:35:36.509946  4328 processes.cpp:380] Failed to get cwd for 312 with 5
I1015 15:35:36.519950  4328 processes.cpp:338] Failed to get PEB UPP for 408 with 5
I1015 15:35:36.519950  4328 processes.cpp:380] Failed to get cwd for 408 with 5
I1015 15:35:36.520948  4328 processes.cpp:338] Failed to get PEB UPP for 496 with 5
I1015 15:35:36.520948  4328 processes.cpp:380] Failed to get cwd for 496 with 5
I1015 15:35:36.521948  4328 processes.cpp:338] Failed to get PEB UPP for 592 with 5
I1015 15:35:36.521948  4328 processes.cpp:380] Failed to get cwd for 592 with 5
I1015 15:35:36.541949  4328 processes.cpp:338] Failed to get PEB UPP for 9320 with 5
I1015 15:35:36.542949  4328 processes.cpp:380] Failed to get cwd for 9320 with 5
I1015 15:35:36.616955  4328 scheduler.cpp:127] Query open_sockets finished after: 143 milliseconds
I1015 15:35:45.520727  4328 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 15:35:45.641727  4328 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 120 milliseconds
I1015 15:35:45.643730  4328 scheduler.cpp:112] Executing scheduled query pack_live_query_3_sophos_urls_windows
I1015 15:35:45.698732  4328 scheduler.cpp:127] Query pack_live_query_3_sophos_urls_windows finished after: 55 milliseconds
I1015 15:35:56.528054  4328 scheduler.cpp:112] Executing scheduled query pack_live_query_3_ioc_windows_registry_malware_sdbot
I1015 15:35:56.716069  4328 scheduler.cpp:127] Query pack_live_query_3_ioc_windows_registry_malware_sdbot finished after: 187 milliseconds
I1015 15:36:06.534229  4328 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 15:36:06.665230  4328 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 131 milliseconds
I1015 15:36:09.536199  4328 scheduler.cpp:112] Executing scheduled query open_sockets
I1015 15:36:09.607374  4328 processes.cpp:366] Failed to lookup path information for process 4
I1015 15:36:09.607374  4328 processes.cpp:338] Failed to get PEB UPP for 4 with 0
I1015 15:36:09.607374  4328 processes.cpp:380] Failed to get cwd for 4 with 0
I1015 15:36:09.607374  4328 processes.cpp:272] Failed to get PEB UPP for 4 with 0
I1015 15:36:09.608373  4328 processes.cpp:338] Failed to get PEB UPP for 312 with 5
I1015 15:36:09.608373  4328 processes.cpp:380] Failed to get cwd for 312 with 5
I1015 15:36:09.609381  4328 processes.cpp:338] Failed to get PEB UPP for 408 with 5
I1015 15:36:09.609381  4328 processes.cpp:380] Failed to get cwd for 408 with 5
I1015 15:36:09.609381  4328 processes.cpp:338] Failed to get PEB UPP for 496 with 5
I1015 15:36:09.610373  4328 processes.cpp:380] Failed to get cwd for 496 with 5
I1015 15:36:09.610373  4328 processes.cpp:338] Failed to get PEB UPP for 592 with 5
I1015 15:36:09.610373  4328 processes.cpp:380] Failed to get cwd for 592 with 5
I1015 15:36:09.629376  4328 processes.cpp:338] Failed to get PEB UPP for 9320 with 5
I1015 15:36:09.629376  4328 processes.cpp:380] Failed to get cwd for 9320 with 5

...
...
...


I1015 16:12:59.483340 11652 scheduler.cpp:127] Query open_sockets finished after: 174 milliseconds
I1015 16:13:17.896802 11652 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 16:13:18.740574 11652 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 842 milliseconds
I1015 16:13:31.990222 11652 scheduler.cpp:112] Executing scheduled query pack_live_query_3_ioc_windows_registry_malware_sdbot
I1015 16:13:32.037086 11652 scheduler.cpp:127] Query pack_live_query_3_ioc_windows_registry_malware_sdbot finished after: 52 milliseconds
I1015 16:13:32.995754 11652 scheduler.cpp:112] Executing scheduled query open_sockets
I1015 16:13:33.027009 11652 processes.cpp:366] Failed to lookup path information for process 4
I1015 16:13:33.027009 11652 processes.cpp:338] Failed to get PEB UPP for 4 with 0
I1015 16:13:33.027009 11652 processes.cpp:380] Failed to get cwd for 4 with 0
I1015 16:13:33.027009 11652 processes.cpp:272] Failed to get PEB UPP for 4 with 0
I1015 16:13:33.027009 11652 processes.cpp:338] Failed to get PEB UPP for 312 with 5
I1015 16:13:33.027009 11652 processes.cpp:380] Failed to get cwd for 312 with 5
I1015 16:13:33.027009 11652 processes.cpp:338] Failed to get PEB UPP for 408 with 5
I1015 16:13:33.027009 11652 processes.cpp:380] Failed to get cwd for 408 with 5
I1015 16:13:33.027009 11652 processes.cpp:338] Failed to get PEB UPP for 496 with 5
I1015 16:13:33.027009 11652 processes.cpp:380] Failed to get cwd for 496 with 5
I1015 16:13:33.027009 11652 processes.cpp:338] Failed to get PEB UPP for 592 with 5
I1015 16:13:33.027009 11652 processes.cpp:380] Failed to get cwd for 592 with 5
I1015 16:13:33.042625 11652 processes.cpp:338] Failed to get PEB UPP for 7688 with 5
I1015 16:13:33.042625 11652 processes.cpp:380] Failed to get cwd for 7688 with 5
I1015 16:13:33.605140 11652 scheduler.cpp:127] Query open_sockets finished after: 620 milliseconds
I1015 16:13:39.036528 11652 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 16:13:39.161532 11652 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 135 milliseconds
I1015 16:13:42.051241 11652 scheduler.cpp:112] Executing scheduled query pack_live_query_3_sophos_urls_windows
I1015 16:13:42.160625 11652 scheduler.cpp:127] Query pack_live_query_3_sophos_urls_windows finished after: 110 milliseconds
I1015 16:13:56.489948 11652 scheduler.cpp:112] Executing scheduled query pack_live_query_3_changed_files_windows_sophos
I1015 16:14:16.323998 11652 scheduler.cpp:127] Query pack_live_query_3_changed_files_windows_sophos finished after: 19467 milliseconds
I1015 16:14:16.323998 11652 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 16:14:17.152148 11652 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 827 milliseconds
I1015 16:14:17.152148 11652 scheduler.cpp:112] Executing scheduled query open_sockets
I1015 16:14:17.199028 11652 processes.cpp:366] Failed to lookup path information for process 4
I1015 16:14:17.199028 11652 processes.cpp:338] Failed to get PEB UPP for 4 with 0
I1015 16:14:17.199028 11652 processes.cpp:380] Failed to get cwd for 4 with 0
I1015 16:14:17.199028 11652 processes.cpp:272] Failed to get PEB UPP for 4 with 0
I1015 16:14:17.199028 11652 processes.cpp:338] Failed to get PEB UPP for 312 with 5
I1015 16:14:17.199028 11652 processes.cpp:380] Failed to get cwd for 312 with 5
I1015 16:14:17.199028 11652 processes.cpp:338] Failed to get PEB UPP for 408 with 5
I1015 16:14:17.199028 11652 processes.cpp:380] Failed to get cwd for 408 with 5
I1015 16:14:17.199028 11652 processes.cpp:338] Failed to get PEB UPP for 496 with 5
I1015 16:14:17.199028 11652 processes.cpp:380] Failed to get cwd for 496 with 5
I1015 16:14:17.199028 11652 processes.cpp:338] Failed to get PEB UPP for 592 with 5
I1015 16:14:17.199028 11652 processes.cpp:380] Failed to get cwd for 592 with 5
I1015 16:14:17.214648 11652 processes.cpp:338] Failed to get PEB UPP for 7688 with 5
I1015 16:14:17.214648 11652 processes.cpp:380] Failed to get cwd for 7688 with 5
I1015 16:14:17.292774 11652 scheduler.cpp:127] Query open_sockets finished after: 136 milliseconds
I1015 16:14:25.781069 11652 scheduler.cpp:112] Executing scheduled query vulnerability_outlook_flags
I1015 16:14:25.897811 11652 scheduler.cpp:127] Query vulnerability_outlook_flags finished after: 116 milliseconds
I1015 16:14:25.899811 11652 query.cpp:122] Scheduled query has been updated: vulnerability_outlook_flags
I1015 16:14:25.927812 11652 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
I1015 16:14:46.661126 11652 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 20737 milliseconds
I1015 16:14:47.989284 11652 scheduler.cpp:112] Executing scheduled query pack_live_query_3_sophos_ips_windows

SophosOsqueryExtension.log:

i 2021-10-15T00:03:03.544Z [11840:10032] - Extension socket: \\.\pipe\sophoslivequery_mb7qSDpVkY.sock [Extension.cpp:116 ExtensionRunner]
i 2021-10-15T00:03:03.545Z [11840:10032] - Extension cache entry limit: 1000 [Extension.cpp:117 ExtensionRunner]
i 2021-10-15T00:03:03.545Z [11840:10032] - Extension resource usage limit: 262144000 bytes and resource check frequency: 50 rows [Extension.cpp:120 ExtensionRunner]
i 2021-10-15T00:03:03.545Z [11840:10032] - Extension internal flag: 0 [Extension.cpp:121 ExtensionRunner]
i 2021-10-15T00:03:03.545Z [11840:10032] - Extension max JRL attempts: 10 [Extension.cpp:122 ExtensionRunner]
i 2021-10-15T00:03:03.545Z [11840:10032] - Extension JRL memory limit: 157286400 [Extension.cpp:123 ExtensionRunner]
i 2021-10-15T00:03:03.645Z [11840:10032] - SED sync comms initialized [Extension.cpp:143 ExtensionRunner]
i 2021-10-15T00:03:03.694Z [11840:10032] - Starting Extension (SophosExtension) [OsqueryExtension.cpp:94 OsquerySDK::internal::Extension::Start]
i 2021-10-15T00:03:03.732Z [11840:10032] - Registered Extension (SophosExtension, 29626) [OsqueryExtension.cpp:124 OsquerySDK::internal::Extension::Start]
i 2021-10-15T00:53:32.182Z [2708:13040] - Extension socket: \\.\pipe\sophoslivequery_U8Xeb482mq.sock [Extension.cpp:116 ExtensionRunner]
i 2021-10-15T00:53:32.182Z [2708:13040] - Extension cache entry limit: 1000 [Extension.cpp:117 ExtensionRunner]
i 2021-10-15T00:53:32.182Z [2708:13040] - Extension resource usage limit: 262144000 bytes and resource check frequency: 50 rows [Extension.cpp:120 ExtensionRunner]
i 2021-10-15T00:53:32.182Z [2708:13040] - Extension internal flag: 0 [Extension.cpp:121 ExtensionRunner]
i 2021-10-15T00:53:32.182Z [2708:13040] - Extension max JRL attempts: 10 [Extension.cpp:122 ExtensionRunner]
i 2021-10-15T00:53:32.182Z [2708:13040] - Extension JRL memory limit: 157286400 [Extension.cpp:123 ExtensionRunner]
i 2021-10-15T00:53:32.983Z [2708:13040] - SED sync comms initialized [Extension.cpp:143 ExtensionRunner]
i 2021-10-15T00:53:32.986Z [2708:13040] - Starting Extension (SophosExtension) [OsqueryExtension.cpp:94 OsquerySDK::internal::Extension::Start]
i 2021-10-15T00:53:33.054Z [2708:13040] - Registered Extension (SophosExtension, 10046) [OsqueryExtension.cpp:124 OsquerySDK::internal::Extension::Start]
i 2021-10-15T12:19:11.439Z [2544:7140] - Extension socket: \\.\pipe\sophoslivequery_MgwNX22Pmq.sock [Extension.cpp:116 ExtensionRunner]
i 2021-10-15T12:19:11.448Z [2544:7140] - Extension cache entry limit: 1000 [Extension.cpp:117 ExtensionRunner]
i 2021-10-15T12:19:11.448Z [2544:7140] - Extension resource usage limit: 262144000 bytes and resource check frequency: 50 rows [Extension.cpp:120 ExtensionRunner]
i 2021-10-15T12:19:11.448Z [2544:7140] - Extension internal flag: 0 [Extension.cpp:121 ExtensionRunner]
i 2021-10-15T12:19:11.448Z [2544:7140] - Extension max JRL attempts: 10 [Extension.cpp:122 ExtensionRunner]
i 2021-10-15T12:19:11.448Z [2544:7140] - Extension JRL memory limit: 157286400 [Extension.cpp:123 ExtensionRunner]
i 2021-10-15T12:19:11.469Z [2544:7140] - SED sync comms initialized [Extension.cpp:143 ExtensionRunner]
i 2021-10-15T12:19:12.204Z [2544:7140] - Starting Extension (SophosExtension) [OsqueryExtension.cpp:94 OsquerySDK::internal::Extension::Start]
i 2021-10-15T12:19:12.227Z [2544:7140] - Registered Extension (SophosExtension, 14931) [OsqueryExtension.cpp:124 OsquerySDK::internal::Extension::Start]
e 2021-10-15T12:19:56.361Z [2544:8140] - Private Usage exceeded: 157519872 > 157286400 [ResourceUsageHelper.cpp:33 ResourceUsageHelper::CheckIfExceeded]
i 2021-10-15T12:19:56.361Z [2544:8140] - Resource usage exceeded, returning rows generated so far: query_id=sophos_ips_windows, attempt=1 [OsqueryJournalEventGenerator.cpp:133 OsqueryJournalEventGenerator::GetJournalEvents]
e 2021-10-15T12:20:28.090Z [2544:11148] - Private Usage exceeded: 178876416 > 157286400 [ResourceUsageHelper.cpp:33 ResourceUsageHelper::CheckIfExceeded]
i 2021-10-15T12:20:28.091Z [2544:11148] - Resource usage exceeded, returning rows generated so far: query_id=running_processes_windows_sophos, attempt=1 [OsqueryJournalEventGenerator.cpp:133 OsqueryJournalEventGenerator::GetJournalEvents]
i 2021-10-15T13:16:43.193Z [12076:10872] - Extension socket: \\.\pipe\sophoslivequery_rtJtpyQv6T.sock [Extension.cpp:116 ExtensionRunner]
i 2021-10-15T13:16:43.194Z [12076:10872] - Extension cache entry limit: 1000 [Extension.cpp:117 ExtensionRunner]
i 2021-10-15T13:16:43.194Z [12076:10872] - Extension resource usage limit: 262144000 bytes and resource check frequency: 50 rows [Extension.cpp:120 ExtensionRunner]
i 2021-10-15T13:16:43.194Z [12076:10872] - Extension internal flag: 0 [Extension.cpp:121 ExtensionRunner]
i 2021-10-15T13:16:43.194Z [12076:10872] - Extension max JRL attempts: 10 [Extension.cpp:122 ExtensionRunner]
i 2021-10-15T13:16:43.194Z [12076:10872] - Extension JRL memory limit: 157286400 [Extension.cpp:123 ExtensionRunner]
i 2021-10-15T13:16:43.374Z [12076:10872] - SED sync comms initialized [Extension.cpp:143 ExtensionRunner]
i 2021-10-15T13:16:43.414Z [12076:10872] - Starting Extension (SophosExtension) [OsqueryExtension.cpp:94 OsquerySDK::internal::Extension::Start]
i 2021-10-15T13:16:43.439Z [12076:10872] - Registered Extension (SophosExtension, 2377) [OsqueryExtension.cpp:124 OsquerySDK::internal::Extension::Start]
i 2021-10-15T13:16:53.846Z [12076:13856] - Resetting JRL attempt counter: query_id=running_processes_windows_sophos [OsqueryJournalEventGenerator.cpp:151 OsqueryJournalEventGenerator::GetJournalEvents]
e 2021-10-15T13:33:53.174Z [12076:2876] - Private Usage exceeded: 204029952 > 157286400 [ResourceUsageHelper.cpp:33 ResourceUsageHelper::CheckIfExceeded]
i 2021-10-15T13:33:53.175Z [12076:2876] - Resource usage exceeded, returning rows generated so far: query_id=sophos_ips_windows, attempt=2 [OsqueryJournalEventGenerator.cpp:133 OsqueryJournalEventGenerator::GetJournalEvents]
i 2021-10-15T13:34:38.142Z [13292:2748] - Extension socket: \\.\pipe\sophoslivequery_W8nXYi1jUO.sock [Extension.cpp:116 ExtensionRunner]
i 2021-10-15T13:34:38.143Z [13292:2748] - Extension cache entry limit: 1000 [Extension.cpp:117 ExtensionRunner]
i 2021-10-15T13:34:38.143Z [13292:2748] - Extension resource usage limit: 262144000 bytes and resource check frequency: 50 rows [Extension.cpp:120 ExtensionRunner]
i 2021-10-15T13:34:38.143Z [13292:2748] - Extension internal flag: 0 [Extension.cpp:121 ExtensionRunner]
i 2021-10-15T13:34:38.143Z [13292:2748] - Extension max JRL attempts: 10 [Extension.cpp:122 ExtensionRunner]
i 2021-10-15T13:34:38.143Z [13292:2748] - Extension JRL memory limit: 157286400 [Extension.cpp:123 ExtensionRunner]
i 2021-10-15T13:34:38.239Z [13292:2748] - SED sync comms initialized [Extension.cpp:143 ExtensionRunner]
i 2021-10-15T13:34:38.280Z [13292:2748] - Starting Extension (SophosExtension) [OsqueryExtension.cpp:94 OsquerySDK::internal::Extension::Start]
i 2021-10-15T13:34:38.315Z [13292:2748] - Registered Extension (SophosExtension, 747) [OsqueryExtension.cpp:124 OsquerySDK::internal::Extension::Start]
i 2021-10-15T13:40:34.959Z [2968: 628] - Extension socket: \\.\pipe\sophoslivequery_puDVl1akFe.sock [Extension.cpp:116 ExtensionRunner]
i 2021-10-15T13:40:34.959Z [2968: 628] - Extension cache entry limit: 1000 [Extension.cpp:117 ExtensionRunner]
i 2021-10-15T13:40:34.959Z [2968: 628] - Extension resource usage limit: 262144000 bytes and resource check frequency: 50 rows [Extension.cpp:120 ExtensionRunner]
i 2021-10-15T13:40:34.959Z [2968: 628] - Extension internal flag: 0 [Extension.cpp:121 ExtensionRunner]
i 2021-10-15T13:40:34.959Z [2968: 628] - Extension max JRL attempts: 10 [Extension.cpp:122 ExtensionRunner]
i 2021-10-15T13:40:34.959Z [2968: 628] - Extension JRL memory limit: 157286400 [Extension.cpp:123 ExtensionRunner]
i 2021-10-15T13:40:35.056Z [2968: 628] - SED sync comms initialized [Extension.cpp:143 ExtensionRunner]
i 2021-10-15T13:40:35.101Z [2968: 628] - Starting Extension (SophosExtension) [OsqueryExtension.cpp:94 OsquerySDK::internal::Extension::Start]
i 2021-10-15T13:40:35.131Z [2968: 628] - Registered Extension (SophosExtension, 13506) [OsqueryExtension.cpp:124 OsquerySDK::internal::Extension::Start]
e 2021-10-15T13:41:41.235Z [2968:8592] - Private Usage exceeded: 158453760 > 157286400 [ResourceUsageHelper.cpp:33 ResourceUsageHelper::CheckIfExceeded]
i 2021-10-15T13:41:41.235Z [2968:8592] - Resource usage exceeded, returning rows generated so far: query_id=sophos_ips_windows, attempt=3 [OsqueryJournalEventGenerator.cpp:133 OsqueryJournalEventGenerator::GetJournalEvents]
e 2021-10-15T13:52:16.707Z [2968:1732] - Private Usage exceeded: 184889344 > 157286400 [ResourceUsageHelper.cpp:33 ResourceUsageHelper::CheckIfExceeded]
i 2021-10-15T13:52:16.707Z [2968:1732] - Resource usage exceeded, returning rows generated so far: query_id=sophos_ips_windows, attempt=4 [OsqueryJournalEventGenerator.cpp:133 OsqueryJournalEventGenerator::GetJournalEvents]
i 2021-10-15T13:52:52.995Z [13788:13224] - Extension socket: \\.\pipe\sophoslivequery_Y0Z8rtNpJw.sock [Extension.cpp:116 ExtensionRunner]
i 2021-10-15T13:52:52.995Z [13788:13224] - Extension cache entry limit: 1000 [Extension.cpp:117 ExtensionRunner]
i 2021-10-15T13:52:52.995Z [13788:13224] - Extension resource usage limit: 262144000 bytes and resource check frequency: 50 rows [Extension.cpp:120 ExtensionRunner]
i 2021-10-15T13:52:52.995Z [13788:13224] - Extension internal flag: 0 [Extension.cpp:121 ExtensionRunner]
i 2021-10-15T13:52:52.995Z [13788:13224] - Extension max JRL attempts: 10 [Extension.cpp:122 ExtensionRunner]
i 2021-10-15T13:52:52.995Z [13788:13224] - Extension JRL memory limit: 157286400 [Extension.cpp:123 ExtensionRunner]
i 2021-10-15T13:52:53.001Z [13788:13224] - SED sync comms initialized [Extension.cpp:143 ExtensionRunner]
i 2021-10-15T13:52:53.169Z [13788:13224] - Starting Extension (SophosExtension) [OsqueryExtension.cpp:94 OsquerySDK::internal::Extension::Start]
i 2021-10-15T13:52:53.225Z [13788:13224] - Registered Extension (SophosExtension, 16052) [OsqueryExtension.cpp:124 OsquerySDK::internal::Extension::Start]
i 2021-10-15T13:57:53.659Z [11216:5088] - Extension socket: \\.\pipe\sophoslivequery_nepxXZSRrq.sock [Extension.cpp:116 ExtensionRunner]
i 2021-10-15T13:57:53.659Z [11216:5088] - Extension cache entry limit: 1000 [Extension.cpp:117 ExtensionRunner]
i 2021-10-15T13:57:53.659Z [11216:5088] - Extension resource usage limit: 262144000 bytes and resource check frequency: 50 rows [Extension.cpp:120 ExtensionRunner]
i 2021-10-15T13:57:53.659Z [11216:5088] - Extension internal flag: 0 [Extension.cpp:121 ExtensionRunner]
i 2021-10-15T13:57:53.659Z [11216:5088] - Extension max JRL attempts: 10 [Extension.cpp:122 ExtensionRunner]
i 2021-10-15T13:57:53.659Z [11216:5088] - Extension JRL memory limit: 157286400 [Extension.cpp:123 ExtensionRunner]
i 2021-10-15T13:57:53.764Z [11216:5088] - SED sync comms initialized [Extension.cpp:143 ExtensionRunner]
i 2021-10-15T13:57:53.800Z [11216:5088] - Starting Extension (SophosExtension) [OsqueryExtension.cpp:94 OsquerySDK::internal::Extension::Start]
i 2021-10-15T13:57:53.822Z [11216:5088] - Registered Extension (SophosExtension, 22816) [OsqueryExtension.cpp:124 OsquerySDK::internal::Extension::Start]
e 2021-10-15T14:02:10.677Z [11216:4492] - Private Usage exceeded: 180285440 > 157286400 [ResourceUsageHelper.cpp:33 ResourceUsageHelper::CheckIfExceeded]
i 2021-10-15T14:02:10.678Z [11216:4492] - Resource usage exceeded, returning rows generated so far: query_id=sophos_ips_windows, attempt=5 [OsqueryJournalEventGenerator.cpp:133 OsqueryJournalEventGenerator::GetJournalEvents]
e 2021-10-15T14:15:47.720Z [11216:12632] - Private Usage exceeded: 218484736 > 157286400 [ResourceUsageHelper.cpp:33 ResourceUsageHelper::CheckIfExceeded]
i 2021-10-15T14:15:47.738Z [11216:12632] - Resource usage exceeded, returning rows generated so far: query_id=sophos_ips_windows, attempt=6 [OsqueryJournalEventGenerator.cpp:133 OsqueryJournalEventGenerator::GetJournalEvents]

SophosMTRExtension.log:

2021-10-15T02:03:03.556+0200	info	sophos.logger	logging configured	{"fileName": "C:\\ProgramData\\Sophos\\Live Query\\Logs\\SophosMTRExtension.log", "maxSizeMB": 10, "maxBackups": 3, "level": "info", "maxAgeInDays": 30}
2021-10-15T02:03:03.640+0200	info	sophos.logger	default logger updated
2021-10-15T02:03:03.640+0200	info	sophos	Sophos MTR Extension 2.1.0.65 - Commit 4cf9e440aedc818512dbfeb5f63d3c98cc5ae4c2
2021-10-15T02:03:03.640+0200	info	sophos	Registering sophosmdrextension
2021-10-15T02:51:25.671+0200	error	sophos	server run error: extension ping failed: i/o timeout
2021-10-15T02:53:32.265+0200	info	sophos.logger	logging configured	{"fileName": "C:\\ProgramData\\Sophos\\Live Query\\Logs\\SophosMTRExtension.log", "maxSizeMB": 10, "maxBackups": 3, "level": "info", "maxAgeInDays": 30}
2021-10-15T02:53:32.349+0200	info	sophos.logger	default logger updated
2021-10-15T02:53:32.349+0200	info	sophos	Sophos MTR Extension 2.1.0.65 - Commit 4cf9e440aedc818512dbfeb5f63d3c98cc5ae4c2
2021-10-15T02:53:32.349+0200	info	sophos	Registering sophosmdrextension
2021-10-15T14:19:11.451+0200	info	sophos.logger	logging configured	{"fileName": "C:\\ProgramData\\Sophos\\Live Query\\Logs\\SophosMTRExtension.log", "maxSizeMB": 10, "maxBackups": 3, "level": "info", "maxAgeInDays": 30}
2021-10-15T14:19:12.160+0200	info	sophos.logger	default logger updated
2021-10-15T14:19:12.160+0200	info	sophos	Sophos MTR Extension 2.1.0.65 - Commit 4cf9e440aedc818512dbfeb5f63d3c98cc5ae4c2
2021-10-15T14:19:12.160+0200	info	sophos	Registering sophosmdrextension
2021-10-15T15:16:43.233+0200	info	sophos.logger	logging configured	{"fileName": "C:\\ProgramData\\Sophos\\Live Query\\Logs\\SophosMTRExtension.log", "maxSizeMB": 10, "maxBackups": 3, "level": "info", "maxAgeInDays": 30}
2021-10-15T15:16:43.365+0200	info	sophos.logger	default logger updated
2021-10-15T15:16:43.365+0200	info	sophos	Sophos MTR Extension 2.1.0.65 - Commit 4cf9e440aedc818512dbfeb5f63d3c98cc5ae4c2
2021-10-15T15:16:43.365+0200	info	sophos	Registering sophosmdrextension
2021-10-15T15:34:38.148+0200	info	sophos.logger	logging configured	{"fileName": "C:\\ProgramData\\Sophos\\Live Query\\Logs\\SophosMTRExtension.log", "maxSizeMB": 10, "maxBackups": 3, "level": "info", "maxAgeInDays": 30}
2021-10-15T15:34:38.233+0200	info	sophos.logger	default logger updated
2021-10-15T15:34:38.233+0200	info	sophos	Sophos MTR Extension 2.1.0.65 - Commit 4cf9e440aedc818512dbfeb5f63d3c98cc5ae4c2
2021-10-15T15:34:38.233+0200	info	sophos	Registering sophosmdrextension
2021-10-15T15:39:42.038+0200	error	sophos	server run error: extension ping failed: i/o timeout
2021-10-15T15:40:34.968+0200	info	sophos.logger	logging configured	{"fileName": "C:\\ProgramData\\Sophos\\Live Query\\Logs\\SophosMTRExtension.log", "maxSizeMB": 10, "maxBackups": 3, "level": "info", "maxAgeInDays": 30}
2021-10-15T15:40:35.050+0200	info	sophos.logger	default logger updated
2021-10-15T15:40:35.050+0200	info	sophos	Sophos MTR Extension 2.1.0.65 - Commit 4cf9e440aedc818512dbfeb5f63d3c98cc5ae4c2
2021-10-15T15:40:35.050+0200	info	sophos	Registering sophosmdrextension
2021-10-15T15:52:53.029+0200	info	sophos.logger	logging configured	{"fileName": "C:\\ProgramData\\Sophos\\Live Query\\Logs\\SophosMTRExtension.log", "maxSizeMB": 10, "maxBackups": 3, "level": "info", "maxAgeInDays": 30}
2021-10-15T15:52:53.133+0200	info	sophos.logger	default logger updated
2021-10-15T15:52:53.133+0200	info	sophos	Sophos MTR Extension 2.1.0.65 - Commit 4cf9e440aedc818512dbfeb5f63d3c98cc5ae4c2
2021-10-15T15:52:53.133+0200	info	sophos	Registering sophosmdrextension
2021-10-15T15:57:04.187+0200	error	sophos	server run error: extension ping failed: i/o timeout
2021-10-15T15:57:53.668+0200	info	sophos.logger	logging configured	{"fileName": "C:\\ProgramData\\Sophos\\Live Query\\Logs\\SophosMTRExtension.log", "maxSizeMB": 10, "maxBackups": 3, "level": "info", "maxAgeInDays": 30}
2021-10-15T15:57:53.759+0200	info	sophos.logger	default logger updated
2021-10-15T15:57:53.759+0200	info	sophos	Sophos MTR Extension 2.1.0.65 - Commit 4cf9e440aedc818512dbfeb5f63d3c98cc5ae4c2
2021-10-15T15:57:53.759+0200	info	sophos	Registering sophosmdrextension

Auto Update Log filtered for Query:

	Line 61: 2021-10-15T10:18:01.726Z [ 3240:12072] [v6.7.352.0] INFO  [I95020] sdds.CSP_2-18-2_10-8-10-3.1: looking for packages included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 61: 2021-10-15T10:18:01.726Z [ 3240:12072] [v6.7.352.0] INFO  [I95020] sdds.CSP_2-18-2_10-8-10-3.1: looking for packages included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 62: 2021-10-15T10:18:01.726Z [ 3240:12072] [v6.7.352.0] INFO  [I22529] sdds.CSP_2-18-2_10-8-10-3.1: looking for supplements included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 62: 2021-10-15T10:18:01.726Z [ 3240:12072] [v6.7.352.0] INFO  [I22529] sdds.CSP_2-18-2_10-8-10-3.1: looking for supplements included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 63: 2021-10-15T10:18:01.922Z [ 3240:12072] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 63: 2021-10-15T10:18:01.922Z [ 3240:12072] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 63: 2021-10-15T10:18:01.922Z [ 3240:12072] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 63: 2021-10-15T10:18:01.922Z [ 3240:12072] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 63: 2021-10-15T10:18:01.922Z [ 3240:12072] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 64: 2021-10-15T10:18:01.922Z [ 3240:12072] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 64: 2021-10-15T10:18:01.922Z [ 3240:12072] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 64: 2021-10-15T10:18:01.922Z [ 3240:12072] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 64: 2021-10-15T10:18:01.922Z [ 3240:12072] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 64: 2021-10-15T10:18:01.922Z [ 3240:12072] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 111: 2021-10-15T10:18:02.861Z [ 3240:12072] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 111: 2021-10-15T10:18:02.861Z [ 3240:12072] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 111: 2021-10-15T10:18:02.861Z [ 3240:12072] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 112: 2021-10-15T10:18:02.862Z [ 3240:12072] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 112: 2021-10-15T10:18:02.862Z [ 3240:12072] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 112: 2021-10-15T10:18:02.862Z [ 3240:12072] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 113: 2021-10-15T10:18:02.862Z [ 3240:12072] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 113: 2021-10-15T10:18:02.862Z [ 3240:12072] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 113: 2021-10-15T10:18:02.862Z [ 3240:12072] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 114: 2021-10-15T10:18:02.863Z [ 3240:12072] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 114: 2021-10-15T10:18:02.863Z [ 3240:12072] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 114: 2021-10-15T10:18:02.863Z [ 3240:12072] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 162: 2021-10-15T10:18:08.252Z [ 3240:12072] [v6.7.352.0] INFO  [I19463] Syncing product LiveQuery64 3.2.1.206 path=livequery64
	Line 162: 2021-10-15T10:18:08.252Z [ 3240:12072] [v6.7.352.0] INFO  [I19463] Syncing product LiveQuery64 3.2.1.206 path=livequery64
	Line 236: 2021-10-15T10:18:10.071Z [ 3240:12072] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 236: 2021-10-15T10:18:10.071Z [ 3240:12072] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 236: 2021-10-15T10:18:10.071Z [ 3240:12072] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 239: 2021-10-15T10:18:10.129Z [ 3240:12072] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 239: 2021-10-15T10:18:10.129Z [ 3240:12072] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 239: 2021-10-15T10:18:10.129Z [ 3240:12072] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 241: 2021-10-15T10:18:10.149Z [ 3240:12072] [v6.7.352.0] INFO  [I19464] Syncing file c63707cbfdc6a933bf4cb7f51c0cc220x000.dat: 117933 bytes: livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.conf
	Line 241: 2021-10-15T10:18:10.149Z [ 3240:12072] [v6.7.352.0] INFO  [I19464] Syncing file c63707cbfdc6a933bf4cb7f51c0cc220x000.dat: 117933 bytes: livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.conf
	Line 241: 2021-10-15T10:18:10.149Z [ 3240:12072] [v6.7.352.0] INFO  [I19464] Syncing file c63707cbfdc6a933bf4cb7f51c0cc220x000.dat: 117933 bytes: livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.conf
	Line 243: 2021-10-15T10:18:10.168Z [ 3240:12072] [v6.7.352.0] INFO  [I19464] Syncing file 7f24ac62a4de8cc9817c3565eb213991x000.dat: 8217 bytes: livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.manifest.dat
	Line 243: 2021-10-15T10:18:10.168Z [ 3240:12072] [v6.7.352.0] INFO  [I19464] Syncing file 7f24ac62a4de8cc9817c3565eb213991x000.dat: 8217 bytes: livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.manifest.dat
	Line 243: 2021-10-15T10:18:10.168Z [ 3240:12072] [v6.7.352.0] INFO  [I19464] Syncing file 7f24ac62a4de8cc9817c3565eb213991x000.dat: 8217 bytes: livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.manifest.dat
	Line 245: 2021-10-15T10:18:10.182Z [ 3240:12072] [v6.7.352.0] INFO  [I19464] Syncing file 9b0fabb2dd628d12a5cfce4e49a9f322x000.dat: 19730 bytes: livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.mtr.conf
	Line 245: 2021-10-15T10:18:10.182Z [ 3240:12072] [v6.7.352.0] INFO  [I19464] Syncing file 9b0fabb2dd628d12a5cfce4e49a9f322x000.dat: 19730 bytes: livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.mtr.conf
	Line 245: 2021-10-15T10:18:10.182Z [ 3240:12072] [v6.7.352.0] INFO  [I19464] Syncing file 9b0fabb2dd628d12a5cfce4e49a9f322x000.dat: 19730 bytes: livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.mtr.conf
	Line 247: 2021-10-15T10:18:10.196Z [ 3240:12072] [v6.7.352.0] INFO  [I19464] Syncing file 0dcb97034e58a42ea2fbedd6a28bb918x000.dat: 29963 bytes: livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.mtr-e.conf
	Line 247: 2021-10-15T10:18:10.196Z [ 3240:12072] [v6.7.352.0] INFO  [I19464] Syncing file 0dcb97034e58a42ea2fbedd6a28bb918x000.dat: 29963 bytes: livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.mtr-e.conf
	Line 247: 2021-10-15T10:18:10.196Z [ 3240:12072] [v6.7.352.0] INFO  [I19464] Syncing file 0dcb97034e58a42ea2fbedd6a28bb918x000.dat: 29963 bytes: livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.mtr-e.conf
	Line 249: 2021-10-15T10:18:10.212Z [ 3240:12072] [v6.7.352.0] INFO  [I19464] Syncing file 87825b7cc3c776c0d70a72e8112657d6x000.dat: 5 bytes: livequery64/scheduled_query_pack_next/version.txt
	Line 249: 2021-10-15T10:18:10.212Z [ 3240:12072] [v6.7.352.0] INFO  [I19464] Syncing file 87825b7cc3c776c0d70a72e8112657d6x000.dat: 5 bytes: livequery64/scheduled_query_pack_next/version.txt
	Line 408: 2021-10-15T10:18:40.042Z [ 3240:12072] [v6.7.352.0] INFO  [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.conf
	Line 408: 2021-10-15T10:18:40.042Z [ 3240:12072] [v6.7.352.0] INFO  [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.conf
	Line 408: 2021-10-15T10:18:40.042Z [ 3240:12072] [v6.7.352.0] INFO  [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.conf
	Line 409: 2021-10-15T10:18:40.051Z [ 3240:12072] [v6.7.352.0] INFO  [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.manifest.dat
	Line 409: 2021-10-15T10:18:40.051Z [ 3240:12072] [v6.7.352.0] INFO  [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.manifest.dat
	Line 409: 2021-10-15T10:18:40.051Z [ 3240:12072] [v6.7.352.0] INFO  [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.manifest.dat
	Line 410: 2021-10-15T10:18:40.058Z [ 3240:12072] [v6.7.352.0] INFO  [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.mtr.conf
	Line 410: 2021-10-15T10:18:40.058Z [ 3240:12072] [v6.7.352.0] INFO  [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.mtr.conf
	Line 410: 2021-10-15T10:18:40.058Z [ 3240:12072] [v6.7.352.0] INFO  [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.mtr.conf
	Line 411: 2021-10-15T10:18:40.064Z [ 3240:12072] [v6.7.352.0] INFO  [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.mtr-e.conf
	Line 411: 2021-10-15T10:18:40.064Z [ 3240:12072] [v6.7.352.0] INFO  [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.mtr-e.conf
	Line 411: 2021-10-15T10:18:40.064Z [ 3240:12072] [v6.7.352.0] INFO  [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/livequery64/scheduled_query_pack_next/sophos-scheduled-query-pack.mtr-e.conf
	Line 412: 2021-10-15T10:18:40.073Z [ 3240:12072] [v6.7.352.0] INFO  [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/livequery64/scheduled_query_pack_next/version.txt
	Line 412: 2021-10-15T10:18:40.073Z [ 3240:12072] [v6.7.352.0] INFO  [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/livequery64/scheduled_query_pack_next/version.txt
	Line 549: 2021-10-15T10:21:18.732Z [ 3240:12072] [v6.7.352.0] INFO  Installing component LiveQuery64 3.2.1.206.
	Line 550: 2021-10-15T10:21:18.735Z [ 3240:12072] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\manifest.dat
	Line 551: 2021-10-15T10:21:19.830Z [ 3240:12072] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_latest\sophos-scheduled-query-pack.manifest.dat
	Line 551: 2021-10-15T10:21:19.830Z [ 3240:12072] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_latest\sophos-scheduled-query-pack.manifest.dat
	Line 551: 2021-10-15T10:21:19.830Z [ 3240:12072] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_latest\sophos-scheduled-query-pack.manifest.dat
	Line 552: 2021-10-15T10:21:19.846Z [ 3240:12072] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_next\sophos-scheduled-query-pack.manifest.dat
	Line 552: 2021-10-15T10:21:19.846Z [ 3240:12072] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_next\sophos-scheduled-query-pack.manifest.dat
	Line 552: 2021-10-15T10:21:19.846Z [ 3240:12072] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_next\sophos-scheduled-query-pack.manifest.dat
	Line 553: 2021-10-15T10:21:19.861Z [ 3240:12072] [v6.7.352.0] INFO  setupDll='C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\setup.dll'; setupExe='C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\su-setup32.exe'.
	Line 554: 2021-10-15T10:21:20.020Z [ 8796: 9680] [v6.7.352.0] INFO  Trying to load setup.dll of product LiveQuery64 3.2.1.206.
	Line 555: 2021-10-15T10:21:20.111Z [ 8796: 9680] [v6.7.352.0] INFO  Setup DLL loaded C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\setup.dll.
	Line 556: 2021-10-15T10:21:20.117Z [ 8796: 9680] [v6.7.352.0] INFO  Trying interface IProductSetup2 of product LiveQuery64 3.2.1.206.
	Line 559: 2021-10-15T10:23:23.720Z [ 8796: 9680] [v6.7.352.0] WARN  Failed to install product LiveQuery64 3.2.1.206.
	Line 561: 2021-10-15T10:23:24.587Z [ 3240:12072] [v6.7.352.0] INFO  Processing install failed Health event for: LiveQuery64 (Sophos Live Query (64-bit))
	Line 561: 2021-10-15T10:23:24.587Z [ 3240:12072] [v6.7.352.0] INFO  Processing install failed Health event for: LiveQuery64 (Sophos Live Query (64-bit))
	Line 563: 2021-10-15T10:23:24.588Z [ 3240:12072] [v6.7.352.0] INFO  Saving intermediate state after installing LiveQuery64
	Line 613: 2021-10-15T11:17:49.570Z [ 4240: 7536] [v6.7.352.0] INFO  Features: APPCNTRL AV CLEAN CORE DLP DVCCNTRL EFW FIM HBT LIVEQUERY LIVETERMINAL MTD NTP SAV SDU WEBCNTRL XPD 
	Line 650: 2021-10-15T11:17:53.170Z [ 4240: 7536] [v6.7.352.0] INFO  Including LiveQuery64 3.2.1.206: livequery64/*
	Line 650: 2021-10-15T11:17:53.170Z [ 4240: 7536] [v6.7.352.0] INFO  Including LiveQuery64 3.2.1.206: livequery64/*
	Line 696: 2021-10-15T11:17:55.952Z [ 4240: 7536] [v6.7.352.0] INFO  [I45378] sdds.CSP_2-18-2_10-8-10-3.1: found included product LiveQuery64 3.2.1.206 path=livequery64 baseVersion= [included from product WindowsCloudServer 1.8.10.202 path=]
	Line 696: 2021-10-15T11:17:55.952Z [ 4240: 7536] [v6.7.352.0] INFO  [I45378] sdds.CSP_2-18-2_10-8-10-3.1: found included product LiveQuery64 3.2.1.206 path=livequery64 baseVersion= [included from product WindowsCloudServer 1.8.10.202 path=]
	Line 759: 2021-10-15T11:17:57.880Z [ 4240: 7536] [v6.7.352.0] INFO  [I95020] sdds.CSP_2-18-2_10-8-10-3.1: looking for packages included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 759: 2021-10-15T11:17:57.880Z [ 4240: 7536] [v6.7.352.0] INFO  [I95020] sdds.CSP_2-18-2_10-8-10-3.1: looking for packages included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 760: 2021-10-15T11:17:57.880Z [ 4240: 7536] [v6.7.352.0] INFO  [I22529] sdds.CSP_2-18-2_10-8-10-3.1: looking for supplements included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 760: 2021-10-15T11:17:57.880Z [ 4240: 7536] [v6.7.352.0] INFO  [I22529] sdds.CSP_2-18-2_10-8-10-3.1: looking for supplements included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 761: 2021-10-15T11:17:57.975Z [ 4240: 7536] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 761: 2021-10-15T11:17:57.975Z [ 4240: 7536] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 761: 2021-10-15T11:17:57.975Z [ 4240: 7536] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 761: 2021-10-15T11:17:57.975Z [ 4240: 7536] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 761: 2021-10-15T11:17:57.975Z [ 4240: 7536] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 762: 2021-10-15T11:17:57.975Z [ 4240: 7536] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 762: 2021-10-15T11:17:57.975Z [ 4240: 7536] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 762: 2021-10-15T11:17:57.975Z [ 4240: 7536] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 762: 2021-10-15T11:17:57.975Z [ 4240: 7536] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 762: 2021-10-15T11:17:57.975Z [ 4240: 7536] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 809: 2021-10-15T11:17:58.551Z [ 4240: 7536] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 809: 2021-10-15T11:17:58.551Z [ 4240: 7536] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 809: 2021-10-15T11:17:58.551Z [ 4240: 7536] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 810: 2021-10-15T11:17:58.551Z [ 4240: 7536] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 810: 2021-10-15T11:17:58.551Z [ 4240: 7536] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 810: 2021-10-15T11:17:58.551Z [ 4240: 7536] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 811: 2021-10-15T11:17:58.551Z [ 4240: 7536] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 811: 2021-10-15T11:17:58.551Z [ 4240: 7536] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 811: 2021-10-15T11:17:58.551Z [ 4240: 7536] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 812: 2021-10-15T11:17:58.552Z [ 4240: 7536] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 812: 2021-10-15T11:17:58.552Z [ 4240: 7536] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 812: 2021-10-15T11:17:58.552Z [ 4240: 7536] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 860: 2021-10-15T11:18:01.021Z [ 4240: 7536] [v6.7.352.0] INFO  [I19463] Syncing product LiveQuery64 3.2.1.206 path=livequery64
	Line 860: 2021-10-15T11:18:01.021Z [ 4240: 7536] [v6.7.352.0] INFO  [I19463] Syncing product LiveQuery64 3.2.1.206 path=livequery64
	Line 880: 2021-10-15T11:18:01.805Z [ 4240: 7536] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 880: 2021-10-15T11:18:01.805Z [ 4240: 7536] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 880: 2021-10-15T11:18:01.805Z [ 4240: 7536] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 881: 2021-10-15T11:18:01.815Z [ 4240: 7536] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 881: 2021-10-15T11:18:01.815Z [ 4240: 7536] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 881: 2021-10-15T11:18:01.815Z [ 4240: 7536] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 928: 2021-10-15T11:18:47.499Z [ 4240: 7536] [v6.7.352.0] INFO  Installing component LiveQuery64 3.2.1.206.
	Line 929: 2021-10-15T11:18:47.505Z [ 4240: 7536] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\manifest.dat
	Line 930: 2021-10-15T11:18:48.568Z [ 4240: 7536] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_latest\sophos-scheduled-query-pack.manifest.dat
	Line 930: 2021-10-15T11:18:48.568Z [ 4240: 7536] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_latest\sophos-scheduled-query-pack.manifest.dat
	Line 930: 2021-10-15T11:18:48.568Z [ 4240: 7536] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_latest\sophos-scheduled-query-pack.manifest.dat
	Line 931: 2021-10-15T11:18:48.584Z [ 4240: 7536] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_next\sophos-scheduled-query-pack.manifest.dat
	Line 931: 2021-10-15T11:18:48.584Z [ 4240: 7536] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_next\sophos-scheduled-query-pack.manifest.dat
	Line 931: 2021-10-15T11:18:48.584Z [ 4240: 7536] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_next\sophos-scheduled-query-pack.manifest.dat
	Line 932: 2021-10-15T11:18:48.599Z [ 4240: 7536] [v6.7.352.0] INFO  setupDll='C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\setup.dll'; setupExe='C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\su-setup32.exe'.
	Line 933: 2021-10-15T11:18:48.777Z [ 1380: 5440] [v6.7.352.0] INFO  Trying to load setup.dll of product LiveQuery64 3.2.1.206.
	Line 934: 2021-10-15T11:18:48.860Z [ 1380: 5440] [v6.7.352.0] INFO  Setup DLL loaded C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\setup.dll.
	Line 935: 2021-10-15T11:18:48.860Z [ 1380: 5440] [v6.7.352.0] INFO  Trying interface IProductSetup2 of product LiveQuery64 3.2.1.206.
	Line 938: 2021-10-15T11:19:27.261Z [ 1380: 5440] [v6.7.352.0] WARN  Failed to install product LiveQuery64 3.2.1.206.
	Line 941: 2021-10-15T11:19:27.494Z [ 4240: 7536] [v6.7.352.0] INFO  Saving intermediate state after installing LiveQuery64
	Line 964: 2021-10-15T12:17:49.706Z [13092:11208] [v6.7.352.0] INFO  Features: APPCNTRL AV CLEAN CORE DLP DVCCNTRL EFW FIM HBT LIVEQUERY LIVETERMINAL MTD NTP SAV SDU WEBCNTRL XPD 
	Line 1001: 2021-10-15T12:17:53.249Z [13092:11208] [v6.7.352.0] INFO  Including LiveQuery64 3.2.1.206: livequery64/*
	Line 1001: 2021-10-15T12:17:53.249Z [13092:11208] [v6.7.352.0] INFO  Including LiveQuery64 3.2.1.206: livequery64/*
	Line 1047: 2021-10-15T12:17:56.372Z [13092:11208] [v6.7.352.0] INFO  [I45378] sdds.CSP_2-18-2_10-8-10-3.1: found included product LiveQuery64 3.2.1.206 path=livequery64 baseVersion= [included from product WindowsCloudServer 1.8.10.202 path=]
	Line 1047: 2021-10-15T12:17:56.372Z [13092:11208] [v6.7.352.0] INFO  [I45378] sdds.CSP_2-18-2_10-8-10-3.1: found included product LiveQuery64 3.2.1.206 path=livequery64 baseVersion= [included from product WindowsCloudServer 1.8.10.202 path=]
	Line 1110: 2021-10-15T12:17:57.651Z [13092:11208] [v6.7.352.0] INFO  [I95020] sdds.CSP_2-18-2_10-8-10-3.1: looking for packages included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 1110: 2021-10-15T12:17:57.651Z [13092:11208] [v6.7.352.0] INFO  [I95020] sdds.CSP_2-18-2_10-8-10-3.1: looking for packages included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 1111: 2021-10-15T12:17:57.652Z [13092:11208] [v6.7.352.0] INFO  [I22529] sdds.CSP_2-18-2_10-8-10-3.1: looking for supplements included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 1111: 2021-10-15T12:17:57.652Z [13092:11208] [v6.7.352.0] INFO  [I22529] sdds.CSP_2-18-2_10-8-10-3.1: looking for supplements included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 1112: 2021-10-15T12:17:57.742Z [13092:11208] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1112: 2021-10-15T12:17:57.742Z [13092:11208] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1112: 2021-10-15T12:17:57.742Z [13092:11208] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1112: 2021-10-15T12:17:57.742Z [13092:11208] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1112: 2021-10-15T12:17:57.742Z [13092:11208] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1113: 2021-10-15T12:17:57.742Z [13092:11208] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1113: 2021-10-15T12:17:57.742Z [13092:11208] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1113: 2021-10-15T12:17:57.742Z [13092:11208] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1113: 2021-10-15T12:17:57.742Z [13092:11208] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1113: 2021-10-15T12:17:57.742Z [13092:11208] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1160: 2021-10-15T12:17:58.244Z [13092:11208] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1160: 2021-10-15T12:17:58.244Z [13092:11208] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1160: 2021-10-15T12:17:58.244Z [13092:11208] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1161: 2021-10-15T12:17:58.244Z [13092:11208] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1161: 2021-10-15T12:17:58.244Z [13092:11208] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1161: 2021-10-15T12:17:58.244Z [13092:11208] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1162: 2021-10-15T12:17:58.245Z [13092:11208] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1162: 2021-10-15T12:17:58.245Z [13092:11208] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1162: 2021-10-15T12:17:58.245Z [13092:11208] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1163: 2021-10-15T12:17:58.245Z [13092:11208] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1163: 2021-10-15T12:17:58.245Z [13092:11208] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1163: 2021-10-15T12:17:58.245Z [13092:11208] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1211: 2021-10-15T12:18:01.027Z [13092:11208] [v6.7.352.0] INFO  [I19463] Syncing product LiveQuery64 3.2.1.206 path=livequery64
	Line 1211: 2021-10-15T12:18:01.027Z [13092:11208] [v6.7.352.0] INFO  [I19463] Syncing product LiveQuery64 3.2.1.206 path=livequery64
	Line 1231: 2021-10-15T12:18:02.104Z [13092:11208] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1231: 2021-10-15T12:18:02.104Z [13092:11208] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1231: 2021-10-15T12:18:02.104Z [13092:11208] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1232: 2021-10-15T12:18:02.117Z [13092:11208] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1232: 2021-10-15T12:18:02.117Z [13092:11208] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1232: 2021-10-15T12:18:02.117Z [13092:11208] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1279: 2021-10-15T12:18:52.604Z [13092:11208] [v6.7.352.0] INFO  Installing component LiveQuery64 3.2.1.206.
	Line 1280: 2021-10-15T12:18:52.615Z [13092:11208] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\manifest.dat
	Line 1281: 2021-10-15T12:18:53.669Z [13092:11208] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_latest\sophos-scheduled-query-pack.manifest.dat
	Line 1281: 2021-10-15T12:18:53.669Z [13092:11208] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_latest\sophos-scheduled-query-pack.manifest.dat
	Line 1281: 2021-10-15T12:18:53.669Z [13092:11208] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_latest\sophos-scheduled-query-pack.manifest.dat
	Line 1282: 2021-10-15T12:18:53.684Z [13092:11208] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_next\sophos-scheduled-query-pack.manifest.dat
	Line 1282: 2021-10-15T12:18:53.684Z [13092:11208] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_next\sophos-scheduled-query-pack.manifest.dat
	Line 1282: 2021-10-15T12:18:53.684Z [13092:11208] [v6.7.352.0] INFO  Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_next\sophos-scheduled-query-pack.manifest.dat
	Line 1283: 2021-10-15T12:18:53.705Z [13092:11208] [v6.7.352.0] INFO  setupDll='C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\setup.dll'; setupExe='C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\su-setup32.exe'.
	Line 1284: 2021-10-15T12:18:53.897Z [11112:11252] [v6.7.352.0] INFO  Trying to load setup.dll of product LiveQuery64 3.2.1.206.
	Line 1285: 2021-10-15T12:18:53.983Z [11112:11252] [v6.7.352.0] INFO  Setup DLL loaded C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\setup.dll.
	Line 1286: 2021-10-15T12:18:53.992Z [11112:11252] [v6.7.352.0] INFO  Trying interface IProductSetup2 of product LiveQuery64 3.2.1.206.
	Line 1289: 2021-10-15T12:19:01.989Z [11112:11252] [v6.7.352.0] INFO  Successfully installed product LiveQuery64 3.2.1.206.
	Line 1290: 2021-10-15T12:19:02.020Z [13092:11208] [v6.7.352.0] INFO  Processing install succeeded Health event for: LiveQuery64 (Sophos Live Query (64-bit))
	Line 1290: 2021-10-15T12:19:02.020Z [13092:11208] [v6.7.352.0] INFO  Processing install succeeded Health event for: LiveQuery64 (Sophos Live Query (64-bit))
	Line 1292: 2021-10-15T12:19:02.021Z [13092:11208] [v6.7.352.0] INFO  Saving intermediate state after installing LiveQuery64
	Line 1316: 2021-10-15T13:17:50.471Z [ 1136: 4420] [v6.7.352.0] INFO  Features: APPCNTRL AV CLEAN CORE DLP DVCCNTRL EFW FIM HBT LIVEQUERY LIVETERMINAL MTD NTP SAV SDU WEBCNTRL XPD 
	Line 1353: 2021-10-15T13:17:54.715Z [ 1136: 4420] [v6.7.352.0] INFO  Including LiveQuery64 3.2.1.206: livequery64/*
	Line 1353: 2021-10-15T13:17:54.715Z [ 1136: 4420] [v6.7.352.0] INFO  Including LiveQuery64 3.2.1.206: livequery64/*
	Line 1399: 2021-10-15T13:17:57.613Z [ 1136: 4420] [v6.7.352.0] INFO  [I45378] sdds.CSP_2-18-2_10-8-10-3.1: found included product LiveQuery64 3.2.1.206 path=livequery64 baseVersion= [included from product WindowsCloudServer 1.8.10.202 path=]
	Line 1399: 2021-10-15T13:17:57.613Z [ 1136: 4420] [v6.7.352.0] INFO  [I45378] sdds.CSP_2-18-2_10-8-10-3.1: found included product LiveQuery64 3.2.1.206 path=livequery64 baseVersion= [included from product WindowsCloudServer 1.8.10.202 path=]
	Line 1462: 2021-10-15T13:17:59.060Z [ 1136: 4420] [v6.7.352.0] INFO  [I95020] sdds.CSP_2-18-2_10-8-10-3.1: looking for packages included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 1462: 2021-10-15T13:17:59.060Z [ 1136: 4420] [v6.7.352.0] INFO  [I95020] sdds.CSP_2-18-2_10-8-10-3.1: looking for packages included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 1463: 2021-10-15T13:17:59.060Z [ 1136: 4420] [v6.7.352.0] INFO  [I22529] sdds.CSP_2-18-2_10-8-10-3.1: looking for supplements included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 1463: 2021-10-15T13:17:59.060Z [ 1136: 4420] [v6.7.352.0] INFO  [I22529] sdds.CSP_2-18-2_10-8-10-3.1: looking for supplements included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 1464: 2021-10-15T13:17:59.168Z [ 1136: 4420] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1464: 2021-10-15T13:17:59.168Z [ 1136: 4420] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1464: 2021-10-15T13:17:59.168Z [ 1136: 4420] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1464: 2021-10-15T13:17:59.168Z [ 1136: 4420] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1464: 2021-10-15T13:17:59.168Z [ 1136: 4420] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1465: 2021-10-15T13:17:59.168Z [ 1136: 4420] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1465: 2021-10-15T13:17:59.168Z [ 1136: 4420] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1465: 2021-10-15T13:17:59.168Z [ 1136: 4420] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1465: 2021-10-15T13:17:59.168Z [ 1136: 4420] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1465: 2021-10-15T13:17:59.168Z [ 1136: 4420] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1512: 2021-10-15T13:17:59.716Z [ 1136: 4420] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1512: 2021-10-15T13:17:59.716Z [ 1136: 4420] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1512: 2021-10-15T13:17:59.716Z [ 1136: 4420] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1513: 2021-10-15T13:17:59.716Z [ 1136: 4420] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1513: 2021-10-15T13:17:59.716Z [ 1136: 4420] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1513: 2021-10-15T13:17:59.716Z [ 1136: 4420] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1514: 2021-10-15T13:17:59.716Z [ 1136: 4420] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1514: 2021-10-15T13:17:59.716Z [ 1136: 4420] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1514: 2021-10-15T13:17:59.716Z [ 1136: 4420] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1515: 2021-10-15T13:17:59.717Z [ 1136: 4420] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1515: 2021-10-15T13:17:59.717Z [ 1136: 4420] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1515: 2021-10-15T13:17:59.717Z [ 1136: 4420] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1563: 2021-10-15T13:18:01.392Z [ 1136: 4420] [v6.7.352.0] INFO  [I19463] Syncing product LiveQuery64 3.2.1.206 path=livequery64
	Line 1563: 2021-10-15T13:18:01.392Z [ 1136: 4420] [v6.7.352.0] INFO  [I19463] Syncing product LiveQuery64 3.2.1.206 path=livequery64
	Line 1583: 2021-10-15T13:18:01.935Z [ 1136: 4420] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1583: 2021-10-15T13:18:01.935Z [ 1136: 4420] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1583: 2021-10-15T13:18:01.935Z [ 1136: 4420] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1584: 2021-10-15T13:18:01.949Z [ 1136: 4420] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1584: 2021-10-15T13:18:01.949Z [ 1136: 4420] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1584: 2021-10-15T13:18:01.949Z [ 1136: 4420] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1629: 2021-10-15T13:18:27.433Z [ 1136: 4420] [v6.7.352.0] INFO  Skipped installation of component LiveQuery64 3.2.1.206
	Line 1651: 2021-10-15T14:17:50.080Z [14304: 9468] [v6.7.352.0] INFO  Features: APPCNTRL AV CLEAN CORE DLP DVCCNTRL EFW FIM HBT LIVEQUERY LIVETERMINAL MTD NTP SAV SDU WEBCNTRL XPD 
	Line 1688: 2021-10-15T14:17:54.615Z [14304: 9468] [v6.7.352.0] INFO  Including LiveQuery64 3.2.1.206: livequery64/*
	Line 1688: 2021-10-15T14:17:54.615Z [14304: 9468] [v6.7.352.0] INFO  Including LiveQuery64 3.2.1.206: livequery64/*
	Line 1734: 2021-10-15T14:17:57.731Z [14304: 9468] [v6.7.352.0] INFO  [I45378] sdds.CSP_2-18-2_10-8-10-3.1: found included product LiveQuery64 3.2.1.206 path=livequery64 baseVersion= [included from product WindowsCloudServer 1.8.10.202 path=]
	Line 1734: 2021-10-15T14:17:57.731Z [14304: 9468] [v6.7.352.0] INFO  [I45378] sdds.CSP_2-18-2_10-8-10-3.1: found included product LiveQuery64 3.2.1.206 path=livequery64 baseVersion= [included from product WindowsCloudServer 1.8.10.202 path=]
	Line 1797: 2021-10-15T14:17:59.340Z [14304: 9468] [v6.7.352.0] INFO  [I95020] sdds.CSP_2-18-2_10-8-10-3.1: looking for packages included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 1797: 2021-10-15T14:17:59.340Z [14304: 9468] [v6.7.352.0] INFO  [I95020] sdds.CSP_2-18-2_10-8-10-3.1: looking for packages included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 1798: 2021-10-15T14:17:59.340Z [14304: 9468] [v6.7.352.0] INFO  [I22529] sdds.CSP_2-18-2_10-8-10-3.1: looking for supplements included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 1798: 2021-10-15T14:17:59.340Z [14304: 9468] [v6.7.352.0] INFO  [I22529] sdds.CSP_2-18-2_10-8-10-3.1: looking for supplements included from product LiveQuery64 3.2.1.206 path=livequery64
	Line 1799: 2021-10-15T14:17:59.447Z [14304: 9468] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1799: 2021-10-15T14:17:59.447Z [14304: 9468] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1799: 2021-10-15T14:17:59.447Z [14304: 9468] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1799: 2021-10-15T14:17:59.447Z [14304: 9468] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1799: 2021-10-15T14:17:59.447Z [14304: 9468] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1800: 2021-10-15T14:17:59.447Z [14304: 9468] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1800: 2021-10-15T14:17:59.447Z [14304: 9468] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1800: 2021-10-15T14:17:59.447Z [14304: 9468] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1800: 2021-10-15T14:17:59.447Z [14304: 9468] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1800: 2021-10-15T14:17:59.447Z [14304: 9468] [v6.7.352.0] INFO  [I49502] sdds.scheduled_qp.xml: found supplement ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next baseVersion= [included from product LiveQuery64 3.2.1.206 path=livequery64]
	Line 1847: 2021-10-15T14:17:59.981Z [14304: 9468] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1847: 2021-10-15T14:17:59.981Z [14304: 9468] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1847: 2021-10-15T14:17:59.981Z [14304: 9468] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1848: 2021-10-15T14:17:59.981Z [14304: 9468] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1848: 2021-10-15T14:17:59.981Z [14304: 9468] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1848: 2021-10-15T14:17:59.981Z [14304: 9468] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1849: 2021-10-15T14:17:59.982Z [14304: 9468] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1849: 2021-10-15T14:17:59.982Z [14304: 9468] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1849: 2021-10-15T14:17:59.982Z [14304: 9468] [v6.7.352.0] INFO  [I95020] sdds.scheduled_qp.xml: looking for packages included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1850: 2021-10-15T14:17:59.982Z [14304: 9468] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1850: 2021-10-15T14:17:59.982Z [14304: 9468] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1850: 2021-10-15T14:17:59.982Z [14304: 9468] [v6.7.352.0] INFO  [I22529] sdds.scheduled_qp.xml: looking for supplements included from product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1898: 2021-10-15T14:18:01.879Z [14304: 9468] [v6.7.352.0] INFO  [I19463] Syncing product LiveQuery64 3.2.1.206 path=livequery64
	Line 1898: 2021-10-15T14:18:01.879Z [14304: 9468] [v6.7.352.0] INFO  [I19463] Syncing product LiveQuery64 3.2.1.206 path=livequery64
	Line 1918: 2021-10-15T14:18:02.410Z [14304: 9468] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1918: 2021-10-15T14:18:02.410Z [14304: 9468] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1918: 2021-10-15T14:18:02.410Z [14304: 9468] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack LATEST path=livequery64/scheduled_query_pack_latest
	Line 1919: 2021-10-15T14:18:02.422Z [14304: 9468] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1919: 2021-10-15T14:18:02.422Z [14304: 9468] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1919: 2021-10-15T14:18:02.422Z [14304: 9468] [v6.7.352.0] INFO  [I19463] Syncing product ScheduledQueryPack NEXT path=livequery64/scheduled_query_pack_next
	Line 1968: 2021-10-15T14:18:43.965Z [14304: 9468] [v6.7.352.0] INFO  Skipped installation of component LiveQuery64 3.2.1.206

SophosOsquery.log has always reocourring errors:

I1015 16:14:17.199028 11652 processes.cpp:366] Failed to lookup path information for process 4
I1015 16:14:17.199028 11652 processes.cpp:338] Failed to get PEB UPP for 4 with 0
I1015 16:14:17.199028 11652 processes.cpp:380] Failed to get cwd for 4 with 0
I1015 16:14:17.199028 11652 processes.cpp:272] Failed to get PEB UPP for 4 with 0
I1015 16:14:17.199028 11652 processes.cpp:338] Failed to get PEB UPP for 312 with 5
I1015 16:14:17.199028 11652 processes.cpp:380] Failed to get cwd for 312 with 5
I1015 16:14:17.199028 11652 processes.cpp:338] Failed to get PEB UPP for 408 with 5
I1015 16:14:17.199028 11652 processes.cpp:380] Failed to get cwd for 408 with 5
I1015 16:14:17.199028 11652 processes.cpp:338] Failed to get PEB UPP for 496 with 5
I1015 16:14:17.199028 11652 processes.cpp:380] Failed to get cwd for 496 with 5
I1015 16:14:17.199028 11652 processes.cpp:338] Failed to get PEB UPP for 592 with 5
I1015 16:14:17.199028 11652 processes.cpp:380] Failed to get cwd for 592 with 5
I1015 16:14:17.214648 11652 processes.cpp:338] Failed to get PEB UPP for 7688 with 5
I1015 16:14:17.214648 11652 processes.cpp:380] Failed to get cwd for 7688 with 5

SophosMTRExtension.log is showing this error repeatedly.

2021-10-15T15:52:53.133+0200    info    sophos    Registering sophosmdrextension
2021-10-15T15:57:04.187+0200    error    sophos    server run error: extension ping failed: i/o timeout

We're no MTR customer, why is it trying to register something with MTR all the time?



This thread was automatically locked due to age.
Parents
  • FormerMember
    0 FormerMember

    Couple of questions here:

    1) are you running Live queries against this machine?

    2) have you turned on data lake hydration?

    Based on the errors in those logs - I suggest you open a support case. We will need an SDU from the machine (Endpoint UI > About > Endpoint Self Help > SDU) and a process monitor capture to see what is going on. 

    Does the activity ever die down? 

Reply
  • FormerMember
    0 FormerMember

    Couple of questions here:

    1) are you running Live queries against this machine?

    2) have you turned on data lake hydration?

    Based on the errors in those logs - I suggest you open a support case. We will need an SDU from the machine (Endpoint UI > About > Endpoint Self Help > SDU) and a process monitor capture to see what is going on. 

    Does the activity ever die down? 

Children
  • Hi,

    thanks for your reply. We were not running queries against that machines. Data Lake uploads is enabled.I wonder if we could somehow recreate the CPU spikes caused by the updateprocess. But except restoring a VM backup I have no idea how we could do that.

    The CPU activity went normal after that hour shown in the screenshot above.

    This is still happening all the time, causing some big logs:

    SophosOsquery.log

    I1018 10:58:16.352298  7404 scheduler.cpp:112] Executing scheduled query open_sockets
    I1018 10:58:17.492595  7404 processes.cpp:366] Failed to lookup path information for process 4
    I1018 10:58:17.492595  7404 processes.cpp:338] Failed to get PEB UPP for 4 with 0
    I1018 10:58:17.492595  7404 processes.cpp:380] Failed to get cwd for 4 with 0
    I1018 10:58:17.492595  7404 processes.cpp:272] Failed to get PEB UPP for 4 with 0
    I1018 10:58:17.492595  7404 processes.cpp:338] Failed to get PEB UPP for 312 with 5
    I1018 10:58:17.492595  7404 processes.cpp:380] Failed to get cwd for 312 with 5
    I1018 10:58:17.492595  7404 processes.cpp:338] Failed to get PEB UPP for 408 with 5
    I1018 10:58:17.492595  7404 processes.cpp:380] Failed to get cwd for 408 with 5
    I1018 10:58:17.492595  7404 processes.cpp:338] Failed to get PEB UPP for 496 with 5
    I1018 10:58:17.492595  7404 processes.cpp:380] Failed to get cwd for 496 with 5
    I1018 10:58:17.492595  7404 processes.cpp:338] Failed to get PEB UPP for 592 with 5
    I1018 10:58:17.492595  7404 processes.cpp:380] Failed to get cwd for 592 with 5
    I1018 10:58:17.555094  7404 processes.cpp:338] Failed to get PEB UPP for 9356 with 5
    I1018 10:58:17.555094  7404 processes.cpp:380] Failed to get cwd for 9356 with 5
    I1018 10:58:17.680096  7404 scheduler.cpp:127] Query open_sockets finished after: 1330 milliseconds
    I1018 10:58:23.112090  7404 scheduler.cpp:112] Executing scheduled query pack_live_query_3_running_processes_windows_sophos
    I1018 10:58:23.446413  7404 scheduler.cpp:127] Query pack_live_query_3_running_processes_windows_sophos finished after: 345 milliseconds
    I1018 10:58:45.196924  7404 scheduler.cpp:112] Executing scheduled query pack_live_query_3_changed_files_windows_sophos

    MTR is showing ping failed: i/o timeout errors sometimes but now seems to have registered though we're not MTR customer.

    SophosMTRExtension.log

    2021-10-16T18:41:13.567+0200    info    sophos    Registering sophosmdrextension
    2021-10-17T02:01:25.395+0200    info    sophos.logger    logging configured    {"fileName": "C:\\ProgramData\\Sophos\\Live Query\\Logs\\SophosMTRExtension.log", "maxSizeMB": 10, "maxBackups": 3, "level": "info", "maxAgeInDays": 30}
    2021-10-17T02:01:25.487+0200    info    sophos.logger    default logger updated
    2021-10-17T02:01:25.487+0200    info    sophos    Sophos MTR Extension 2.1.0.65 - Commit xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc5ae4c2
    2021-10-17T02:01:25.487+0200    info    sophos    Registering sophosmdrextension
    2021-10-17T08:21:14.467+0200    error    sophos    server run error: extension ping failed: i/o timeout
    2021-10-17T08:21:54.913+0200    info    sophos.logger    logging configured    {"fileName": "C:\\ProgramData\\Sophos\\Live Query\\Logs\\SophosMTRExtension.log", "maxSizeMB": 10, "maxBackups": 3, "level": "info", "maxAgeInDays": 30}
    2021-10-17T08:21:55.015+0200    info    sophos.logger    default logger updated
    2021-10-17T08:21:55.015+0200    info    sophos    Sophos MTR Extension 2.1.0.65 - Commit xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc5ae4c2
    2021-10-17T08:21:55.015+0200    info    sophos    Registering sophosmdrextension
    2021-10-17T18:01:47.850+0200    info    sophos.logger    logging configured    {"fileName": "C:\\ProgramData\\Sophos\\Live Query\\Logs\\SophosMTRExtension.log", "maxSizeMB": 10, "maxBackups": 3, "level": "info", "maxAgeInDays": 30}
    2021-10-17T18:01:47.935+0200    info    sophos.logger    default logger updated
    2021-10-17T18:01:47.935+0200    info    sophos    Sophos MTR Extension 2.1.0.65 - Commit xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc5ae4c2
    2021-10-17T18:01:47.935+0200    info    sophos    Registering sophosmdrextension

    SophosOsqueryExtension.log

    seems OK for me

  • Case 04525567 for the SophosOsquery.log Failures

    Got update from support about the Failed to get PEB UPP, cwd and so on failures:

    GES confirmed: Failures are just resulting noisy errors from the open_sockets query. These are not an issue nor to they indicate and issue with the software however they addressed in our 2021.3 Central release. ...  they are nothing that could affect the security or the usability of the product.