Hi,
Some colleagues reported network / soft-phone interruptions over the last few days.
Today I picked one computer and found a lost heartbeat at 14:42 - the time when his phone call was interrupted.
I found out that SED64 and NTP64 had been updated on the client:
--------
SophosUpdate.log
2022-01-24T13:41:27.083Z [18548:18984] I Beginning decode
2022-01-24T13:41:35.839Z [18548:18984] I [SUL-Log] [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/ntp64/2022012401.ips
2022-01-24T13:41:36.447Z [18548:18984] I [SUL-Log] [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/sed64/Config/BehavioralRules/behave.dec
2022-01-24T13:41:38.372Z [18548:18984] I [SUL-Log] [I39856] Purging file C:\ProgramData\Sophos\AutoUpdate\Cache\decoded/ntp64/2022011801.ips
...
2022-01-24T13:42:04.390Z [18548:18984] I Installing component 1129226C-32AB-4B72-85E1-A9CC8DFBC859 (sed64) 3.0.1.873
...
2022-01-24T13:42:19.962Z [18548:18984] I Installing component NTP64 (ntp64) 1.15.783.0
-
SntpService.log:
2022-01-24T05:36:20.222Z [ 4724: 8244] A Starting a DetectionReporter thread: 8244
2022-01-24T13:42:25.545Z [ 4724: 4728] A The service has stopped.
2022-01-24T13:42:27.672Z [21940:22236] A Starting version 1.15.783.0 of the Sophos Network Threat Protection service.
2022-01-24T13:42:33.501Z [21940:22740] A Starting a DetectionReporter thread: 22740
---------
To me it looks like there is a new IPS policy pulled by Sophos Update Service: ntp64/2022012401.ips. Does it need to re-install the NTP service to apply new IPS policies?
Is my thinking correct and is that the normal behaviour?
Are you aware that this (NTP restart) causes a Heartbeat failure for synchronized security with Sophos Firewall? Isn't it possible to update policies with a better, non-interruptive approach?
I mean, updating IPS patterns on XG and UTM is also causing this kind of trouble, especially on smaller appliances, but it's not the smartest way to drop connections for updates.
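
Added example (not part of the original post and not Sophos code): a short script that does the correlation described in the post, pairing each stop/start of the Network Threat Protection service in SntpService.log with the component installs that SophosUpdate.log recorded shortly before it. The function names and the 60-second look-back window are assumptions; the log lines are the ones quoted in the post.

```python
import re
from datetime import datetime, timedelta

# Log excerpts copied from the post above (SophosUpdate.log and SntpService.log).
UPDATE_LOG = """\
2022-01-24T13:42:04.390Z [18548:18984] I Installing component 1129226C-32AB-4B72-85E1-A9CC8DFBC859 (sed64) 3.0.1.873
2022-01-24T13:42:19.962Z [18548:18984] I Installing component NTP64 (ntp64) 1.15.783.0
"""
SNTP_LOG = """\
2022-01-24T05:36:20.222Z [ 4724: 8244] A Starting a DetectionReporter thread: 8244
2022-01-24T13:42:25.545Z [ 4724: 4728] A The service has stopped.
2022-01-24T13:42:27.672Z [21940:22236] A Starting version 1.15.783.0 of the Sophos Network Threat Protection service.
2022-01-24T13:42:33.501Z [21940:22740] A Starting a DetectionReporter thread: 22740
"""

LINE = re.compile(r"^(\S+)Z \[\s*(\d+):\s*(\d+)\] (\w) (.*)$")

def parse(log):
    """Yield (timestamp, pid, message) per well-formed line; '...' gaps are skipped."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), int(m.group(2)), m.group(5)

def restarts(sntp_log):
    """Pair each 'The service has stopped' with the next 'Starting version' line."""
    out, stopped = [], None
    for ts, pid, msg in parse(sntp_log):
        if msg.startswith("The service has stopped"):
            stopped = (ts, pid)
        elif msg.startswith("Starting version") and stopped:
            out.append({"stop": stopped[0], "start": ts, "old_pid": stopped[1],
                        "new_pid": pid, "version": msg.split()[2]})
            stopped = None
    return out

def correlate(update_log, sntp_log, window=timedelta(seconds=60)):
    """Add installs logged up to `window` (assumed 60 s) before each service stop."""
    installs = [(ts, re.search(r"\((\w+)\) (\S+)$", msg).groups())
                for ts, _, msg in parse(update_log) if msg.startswith("Installing component")]
    found = restarts(sntp_log)
    for r in found:
        r["preceding_installs"] = [f"{name} {ver}" for ts, (name, ver) in installs
                                   if timedelta(0) <= r["stop"] - ts <= window]
        r["gap_seconds"] = (r["start"] - r["stop"]).total_seconds()
    return found

if __name__ == "__main__":
    for r in correlate(UPDATE_LOG, SNTP_LOG):
        print(r["stop"].isoformat(), "->", r["start"].isoformat(), r["gap_seconds"], r["preceding_installs"])
```

The result shows time proximity between installs and the service restart, not proof of cause; the stop-to-start gap it reports covers only the service process, not how long the firewall heartbeat took to recover.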