

Download of WindowsCloudNextGen failed from server http://dci.sophosupd.com/update.

We see this a fair bit for no obvious reason and no common reason i.e. mix of clients, mix of locations, internet access works.

Doesn't appear to have any practical impact other than being an annoyance in the logs.

Any ideas what's causing it please?



  • Maybe the firewall was updated with a fixed "identity"? 

    I believe that AutoUpdate might be switching over to HTTPS in the not too distant future so that should help with this sort of thing generally unless of course you're also doing SSL inspection.

    Regards,
    Jak

  • I'll check into that.  Thanks for the info!

  • I am a new Sophos customer and I have not been able to get a single installation to work yet. I keep getting this error. I have tried all of the steps mentioned in this blog and a few others too. Has there been any further development on this issue?

    Everything appears to install fine and the dashboard says that everything is great, then about 15 min later I get a message saying the unit is unprotected and the "Download of WindowsCloudNextGen failed from server http://dci.sophosupd.com" message is in the event window.

    Any help would be appreciated.

    Patrick

  • Can you Pastebin or share out your SophosUpdate.log from the \programdata\sophos\autoupdate\logs directory?

  • Hi Patrick,

    2017-05-19T17:47:23.551Z [13340] ERROR ProductInstaller::RunUpdateCheck Endpoint is not currently updateable. Aborting endpoint update
    2017-05-19T17:47:23.551Z [13340] INFO ProductInstaller::RunUpdateCheck Endpoint must be rebooted.

    ..

    2017-05-19T17:47:23.555Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudNextGen, error: 5
    2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudHitmanProAlert, error: 5
    2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudHitmanProAlert, error: 5
    2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudNextGen, error: 5

    I believe the first check which has resulted in:

    Endpoint is not currently updateable

    is if the process (SophosUpdate.exe) can open the key:
    hklm\system\currentcontrolset\service\sophos autoupdate service

    I think it then goes on to query the description value and maybe set it.

    The process that kicks off SophosUpdate is the Sophos AutoUpdate service (alsvc.exe). This runs as system and so does sophosupdate as a child process so I don't know why it would have issues.

    I would start by checking:

    1. The Sophos AutoUpdate service is running as system user 

    2. SophosUpdate.exe when launched is running as System.  

    Process Explorer from Sysinternals would be good for these checks.

    3. Check the above key, specifically for the effective rights of the System user.

    Beyond that, have you tried restarting the computer given the next line:
    Endpoint must be rebooted.

    Maybe do that first and then the above.

    Regards,

    Jak
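
Added example (not part of the original thread and not Sophos tooling): a small triage script for SophosUpdate.log lines in the format quoted above, which reports the reboot-pending state and groups registry write failures by product line ID. It assumes the trailing `error: N` is a Win32 error code, where 5 is ERROR_ACCESS_DENIED, which is what would make the registry permission check relevant; `triage` and the other names are hypothetical.

```python
import re
from collections import defaultdict

# Log lines as quoted in the post above, including the ".." elision.
SAMPLE_LOG = """\
2017-05-19T17:47:23.551Z [13340] ERROR ProductInstaller::RunUpdateCheck Endpoint is not currently updateable. Aborting endpoint update
2017-05-19T17:47:23.551Z [13340] INFO ProductInstaller::RunUpdateCheck Endpoint must be rebooted.
..
2017-05-19T17:47:23.555Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudNextGen, error: 5
2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudHitmanProAlert, error: 5
2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudHitmanProAlert, error: 5
2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudNextGen, error: 5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<pid>\d+)\] (?P<level>[A-Z]+) (?P<source>\S+) (?P<msg>.*)$")
REG_ERR_RE = re.compile(
    r"Error (?P<op>writing version for line ID|deleting line ID subkey) "
    r"(?P<line_id>\w+), error: (?P<code>\d+)$")
# Assumption: the trailing number is a Win32 error code.
WIN32 = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}

def triage(text):
    """Summarise reboot-pending state and per-product registry failures."""
    report = {"reboot_required": False, "not_updateable": False,
              "registry_errors": defaultdict(set), "unparsed": 0}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            report["unparsed"] += 1  # elided or wrapped lines are counted, not guessed at
            continue
        msg = m["msg"]
        if "must be rebooted" in msg:
            report["reboot_required"] = True
        if m["level"] == "ERROR" and "not currently updateable" in msg:
            report["not_updateable"] = True
        r = REG_ERR_RE.search(msg)
        if r and m["level"] == "ERROR":
            code = int(r["code"])
            report["registry_errors"][r["line_id"]].add(WIN32.get(code, f"code {code}"))
    report["registry_errors"] = {k: sorted(v) for k, v in report["registry_errors"].items()}
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```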

     

  • After lots of testing over the weekend, it appears that my Sonicwall Gateway protection software sees everything that Sophos does as a threat. I am trying to fight through all of the different threat alerts to whitelist the traffic, but it is taking a lot of time. I will post an update if that ends up fixing everything.

    Meanwhile, I have one computer that I want to try uninstalling and reinstalling the agent on. However, it says that I can't because tamper protection is on. The problem is that even after turning the protection off, it still won't uninstall. Any tips on how to remove a stubborn instance of the agent?

    Patrick

  • Hello Jak,

    Where is Sophos at with SonicWALL to resolve this false positive? This thread is over 6 months old yet it is still happening (brand new customer here, ran into the same issue).

    Thanks,

    Karl

  • I suspect you'd have to get in touch with SonicWall if their rules keep detecting legitimate files. I'm not familiar with their products but maybe you can make exclusions from the Sophos domains sophosupd.com and sophosupd.net to prevent it happening in the meantime.

    A quick search on Google turned up this page:

    https://support.sonicwall.com/kb/sw7833

    If you can download the blocked file and send it to them with details of the detection rule it fired on that should get things rolling.

    Regards,

    Jak