Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 13 subscribers
  • Views 4215 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Network interruptions: Installing Sophos updates component NTP64, MCS Client, SAU

LHerzog

Hi,

some colleagues reported network / soft-phone interruptions during the last days.

Today i picked one computer and found a lost heartbeat at 14:42 - the time where his phone call was interrupted.

I found out, hat SED64 and NTP64 had been updated on the client:

--------

SophosUpdate.log

2022-01-24T13:41:27.083Z [18548:18984] I Beginning decode
2022-01-24T13:41:35.839Z [18548:18984] I [SUL-Log] [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/ntp64/2022012401.ips
2022-01-24T13:41:36.447Z [18548:18984] I [SUL-Log] [I46431] Decoding file C:/ProgramData/Sophos/AutoUpdate/Cache/decoded/sed64/Config/BehavioralRules/behave.dec
2022-01-24T13:41:38.372Z [18548:18984] I [SUL-Log] [I39856] Purging file C:\ProgramData\Sophos\AutoUpdate\Cache\decoded/ntp64/2022011801.ips

...

2022-01-24T13:42:04.390Z [18548:18984] I Installing component 1129226C-32AB-4B72-85E1-A9CC8DFBC859 (sed64) 3.0.1.873

...

2022-01-24T13:42:19.962Z [18548:18984] I Installing component NTP64 (ntp64) 1.15.783.0

-

SntpService.log:

2022-01-24T05:36:20.222Z [ 4724: 8244] A Starting a DetectionReporter thread: 8244
2022-01-24T13:42:25.545Z [ 4724: 4728] A The service has stopped.
2022-01-24T13:42:27.672Z [21940:22236] A Starting version 1.15.783.0 of the Sophos Network Threat Protection service.
2022-01-24T13:42:33.501Z [21940:22740] A Starting a DetectionReporter thread: 22740

---------

To me it looks like there is a new IPS policy pulled by Sophos Update Service: ntp64/2022012401.ips and does it needs to re-install NTP service to apply new IPS policies?

Is my thinking correct and is that the normal behaviour?

Do you have on your screen, that this (NTP restard) causes a Heartbeat failure for synchronized security with Sophos Firewall? Isn't it possible to update policies in a better, non-interruptive approach?

I mean, updating IPS patterns on XG and UTM  is also causing this kind of trouble especially on smaller appliances but it's not the smartest way to drop connections for updates.



This thread was automatically locked due to age.
Parents
  • 0

    Hello LHerzog,

    Thanks for reaching out to us.

    You are correct, the IPS updates will trigger a re-install of the Sophos Network Threat Protection component.

    As an immediate work-around, you could apply an "Updating Policy" so that the devices will only update at the given time. You could also use "Controlled Updates" to accomplish this. 

    I will inquire with our team to find out if there are plans to change this and let you know.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • 0 in reply to Qoosh

    Thanks for confirming the behaviour. Looking forward to your update about future plans.

  • 0 in reply to LHerzog

    yesterday NTP64, today Auto update XG (whatever this should be on a client)

    Sophos AutoUpdate XG. Product version: 6.12.86

    MCS Agent and MCS Client restarted. Causing Synced Heartbeat reset.

    If we put our clients into controlled: aka delayed updates is a bad option because it only allows one day per week to update.

    Why not allowing als many days as you like? I (probably manu admins) just don't want updates to be installed in regular work hours.

    I think MTR team also will not like this setting and it will be marked yellow or red in their next long excel report about our Central settings.

Reply
  • 0 in reply to LHerzog

    yesterday NTP64, today Auto update XG (whatever this should be on a client)

    Sophos AutoUpdate XG. Product version: 6.12.86

    MCS Agent and MCS Client restarted. Causing Synced Heartbeat reset.

    If we put our clients into controlled: aka delayed updates is a bad option because it only allows one day per week to update.

    Why not allowing als many days as you like? I (probably manu admins) just don't want updates to be installed in regular work hours.

    I think MTR team also will not like this setting and it will be marked yellow or red in their next long excel report about our Central settings.

Children
  • 0 in reply to LHerzog

    Even Heartbeat has changed today!

    .

    2022-01-25T07:44:49.391Z [ 4516: 5148] A Starting Heartbeat version 1.15.783.0
    2022-01-25T13:52:47.553Z [17084:15976]A Starting Heartbeat version 1.15.827.0
    .

    I wonder how it is possible that Sophos is sending out multiple updates a week, on different days, not even combined as one update, that are causing network interruptions if you use Sophos Hardware and Software the way you say we should do (synced security, heartbeat...). I'm really annoyed after a long day with many user complaints.

Unfiltered HTML