One or more endpoint computers report 'Unknown' in the 'Up to date' column, on the 'Status' tab, of the console.
First seen in Enterprise Console 4.5.0
The computer or computers reporting as 'Unknown' have a package installed that the Sophos Management Server does not know about because your authoritative Sophos Update Manager (SUM) has not reported this package to the database. This can be caused by:
Hence the console does not know anything about the package reported by the endpoint and cannot provide any information as to whether or not the computer is up to date or has a previously downloaded package (i.e., 'Not since...').
Troubleshooting the cause of this issue breaks down into:
If you have only one SUM then that will be the authoritative SUM. If you have more than one SUM you must find out which one the Sophos Management Server listens to for package information. For details on finding out the authoritative SUM see article 57638.
Once you have found the authoritative SUM, you should ensure that it is updating successfully and reporting to the console.
If you have configured your authoritative SUM to download from Sophos and then update a lot of distribution folders (e.g., remote shares on different computers or many local folders) this may result in endpoints reporting 'Unknown' for a period of time before showing as 'yes' in the 'Up to date' column.
Note: SUM only tells the Sophos Management Server what packages it has downloaded after fully updating all local and remote shares. This is done via a status message at the very end of the update cycle.
If SUM has to copy updates to multiple folders (local, remote, possibly over slow network links), endpoint computers can update to a newer package and report in faster than SUM can send the status message.
In this scenario we recommend you consider performing the following:
If your endpoint computers are configured to update from a secondary source, and that source contains a package that is slightly more up to date than the internal share, an endpoint that updates from the secondary source may appear as 'Unknown' in the column.
This is expected behavior. You can ignore endpoints that are moving on and off the network. However, if endpoints (desktop computers) that should primarily update from an internal source are constantly rolling over to their secondary source, you should investigate why the primary location is unavailable.
Ensuring the majority of your endpoint computers can reliably update from a source controlled by a SUM reduces the number of computers that will update to a package version in advance of the SUM's schedule.
If you are unable to resolve the cause of the problem you should gather the information below and use the link at the bottom of this article to contact Technical Support.
sqlcmd -E -S .\SOPHOS -d SOPHOS51 -s , -i C:\getReportedClientVersionData.txt -o outputReportedClientVersionData.txt -y 0 -h 10000
sqlcmd -E -S .\SOPHOS -d SOPHOS51 -Q "select StatusXML from dbo.SDDMServers" -o SDDMServersStatus.txt -y 0 -h 500