This article explains how to troubleshoot the most common problems which can occur with the managed installation of Sophos Endpoint Security and Control using Sophos UTM 9.
Known to apply to the following Sophos product(s) and version(s):
- Sophos UTM v9
- UTM Managed Endpoint (Windows 2000+)
Select from the links provided below the problem you wish to troubleshoot:
- Sophos Endpoint Bootstrap_timeanddate.txt
- Sophos Extract Log_timeanddate.txt
During installation, the Sophos Management Communication System may fail to register with Sophos LiveConnect to obtain the update source and credentials required.
This means that the Sophos Endpoint Security and Control installation fails to update, because the primary update location shows no configured address or username/password details (to check, open Sophos Endpoint Security and Control and click 'Configure Updating'). Example:
If the details are blank, follow the steps in article 118987.
If the endpoint has successfully registered with Sophos LiveConnect, the primary update location within Sophos AutoUpdate will be configured from the centrally configured updating policy. See article 11056 for further information on how to verify the location set for updating.
The address set should contain: http://d3.sophosupd.com/update
If the address and credentials are configured, check the Sophos AutoUpdate log for further errors.
For invalid or expired credentials, the log will say "unable to authenticate user". Check whether the Endpoint Client is linked to a UTM with a valid license. If the Endpoint Client is no longer linked to a valid UTM, re-install the Endpoint Client with an installer downloaded from the valid UTM you want the Endpoint Client to connect to.
For connection problems to the warehouse, the log will say "cannot find <IP-address/Hostname>". Check whether the Endpoint Client is able to connect to the Internet on port 80.
See article 43391 for further information.
If the address is blank, see section Endpoint fails to register.
If the endpoints have been protected with the installer package and are not displayed on the status page within the UTM, check the following for any errors:
MCSAgent.log and MCSClient.log files. See article 43391 for their folder locations.
As part of the initial registration with Sophos LiveConnect, the endpoint receives an MCS ID as its endpoint identity. You can verify the identity by checking MCSClient.log, which may be renamed to MCSClient.log.1 over time.
If there are no errors shown within the MCS logs, the MCS ID will then help with troubleshooting in the UTM Endpoint Protection Live Log.
Within the MCS client logs, successful connections look like this:
2012-06-20T11:17:37.428Z [ 1960] INFO StatusHandler::SendData About to send the request to the server.
2012-06-20T11:17:37.428Z [ 1960] INFO HttpServer::SendRequest The HTTP request was initiated successfully.
2012-06-20T11:17:37.646Z [ 3028] INFO HttpServer::HttpEventCallback The HTTP request completed with status 200.
However, if there is an error you may see warnings like:
2012-06-20T13:44:24.195Z [ 3660] INFO CommandHandler::HttpCallback The HTTP callback was called with the HTTP result code 0.
2012-06-20T13:44:24.195Z [ 3660] WARN CommandHandler::HttpCallback 3000: An HTTP transaction was not completed.
Within the UTM dashboard, select 'Endpoint Protection' from the left-hand pane and then select 'Open Endpoint Protection live log'.
Verify whether there is any data shown for the MCS id of the endpoint affected or any other connection issues with Sophos LiveConnect.
You can see a historic log for the endpoint protection by choosing 'Logging & Reporting' from the left-hand pane in the dashboard and then selecting 'View Log Files'. Select 'Live Log' or 'View' for the historic log.
If there is a connection issue you may see an error log such as:
2012:06:22-11:38:19 v9 epsecd: 5. Epsec::Logic::Base::run:52() /</usr/local/bin/epp_client.plx>Epsec/Logic/Base.pm
2012:06:22-11:38:19 v9 epsecd: 6. main::top-level:62() client.pl
2012:06:22-11:38:19 v9 epsecd: |=========================================================================
2012:06:22-11:38:19 v9 epsecd: E id="4281" severity="critical" sys="System" sub="epsecd" name="No internet connection. at /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm line 89." effect="Can't talk to Sophos LiveConnect"
2012:06:22-11:38:19 v9 epsecd:
If you encounter any errors or warnings within the logs above, confirm:
The endpoints have access to port 443 and can reach the Sophos LiveConnect address shown in article 118987.
The UTM has a connection to Sophos LiveConnect. If there are connection issues, or if you need further assistance, contact Sophos Technical Support.
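The three log families above (the AutoUpdate log messages for credential and warehouse problems, the MCSClient.log request/callback lines, and the UTM epsecd entries) are small enough to triage by hand, but a few helpers make it faster when a batch of endpoints is affected. The following is an added example, not part of the Sophos article or any Sophos tool: the MCS and epsecd sample lines are copied from this article, while the AutoUpdate sample lines are constructed because the article does not show that log's format; the category names, the `>= 400` status threshold and the parsing approach are this example's own assumptions.

```python
import re

# Added example (not Sophos code): triage helpers for the logs this article names.
# Lines marked "from article" are copied from it; "constructed" lines are made up.

# --- Sophos AutoUpdate log (format not shown in the article; lines constructed) ---
AUTOUPDATE_SAMPLE = [
    "Checking for updates from http://d3.sophosupd.com/update",  # constructed
    "ERROR: unable to authenticate user",                         # constructed
    "ERROR: cannot find d3.sophosupd.com",                        # constructed
]

# --- MCS client log (from article) ---
MCS_OK = [
    "2012-06-20T11:17:37.428Z [ 1960] INFO StatusHandler::SendData About to send the request to the server.",
    "2012-06-20T11:17:37.428Z [ 1960] INFO HttpServer::SendRequest The HTTP request was initiated successfully.",
    "2012-06-20T11:17:37.646Z [ 3028] INFO HttpServer::HttpEventCallback The HTTP request completed with status 200.",
]
MCS_FAIL = [
    "2012-06-20T13:44:24.195Z [ 3660] INFO CommandHandler::HttpCallback The HTTP callback was called with the HTTP result code 0.",
    "2012-06-20T13:44:24.195Z [ 3660] WARN CommandHandler::HttpCallback 3000: An HTTP transaction was not completed.",
]

# --- UTM epsecd log entry (from article) ---
EPSECD_SAMPLE = ('2012:06:22-11:38:19 v9 epsecd: E id="4281" severity="critical" sys="System" '
                 'sub="epsecd" name="No internet connection. at /</usr/local/bin/epp_client.plx>'
                 'Epsec/Logic/Client.pm line 89." effect="Can\'t talk to Sophos LiveConnect"')


def triage_autoupdate_log(lines):
    """Map the two AutoUpdate messages the article names to the check it recommends."""
    findings = []
    for line in lines:
        if "unable to authenticate user" in line.lower():
            findings.append(("credentials", None,
                             "invalid/expired credentials: confirm the endpoint is linked to a UTM with a valid licence"))
        m = re.search(r"cannot find\s+(\S+)", line, re.IGNORECASE)
        if m:  # capture the warehouse host the client could not resolve/reach
            findings.append(("warehouse", m.group(1),
                             "update warehouse unreachable: confirm outbound TCP/80 from the endpoint"))
    return findings


# timestamp [thread] LEVEL Component::Method message
MCS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\[\s*(?P<thread>\d+)\]\s+(?P<level>[A-Z]+)\s+(?P<source>\S+)\s+(?P<msg>.*)$"
)


def parse_mcs_line(line):
    """Split one MCSClient.log line into fields; None for lines that don't match the pattern."""
    m = MCS_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    status = re.search(r"status (\d+)", entry["msg"])
    result = re.search(r"HTTP result code (\d+)", entry["msg"])
    entry["http_status"] = int(status.group(1)) if status else None
    entry["http_result"] = int(result.group(1)) if result else None
    return entry


def triage_mcs_log(lines):
    """Flag WARN entries, 'HTTP result code 0' (no transaction completed) and 4xx/5xx statuses."""
    findings = []
    for line in lines:
        e = parse_mcs_line(line)
        if e is None:
            continue
        if e["level"] == "WARN" or e["http_result"] == 0:
            findings.append((e["ts"], "mcs_transaction_failed", e["msg"]))
        elif e["http_status"] is not None and e["http_status"] >= 400:
            findings.append((e["ts"], "mcs_http_error", e["msg"]))
    return findings


EPSECD_ATTR = re.compile(r'(\w+)="([^"]*)"')


def parse_epsecd_line(line):
    """Parse a UTM epsecd 'E' line (key="value" attributes) into a dict; None for other lines."""
    head, sep, rest = line.partition("epsecd: E ")
    if not sep:
        return None  # stack-trace and separator lines carry no attributes
    attrs = dict(EPSECD_ATTR.findall(rest))
    attrs["ts"] = head.split()[0]
    return attrs


if __name__ == "__main__":
    for f in triage_autoupdate_log(AUTOUPDATE_SAMPLE):
        print("AutoUpdate:", f)
    for f in triage_mcs_log(MCS_OK + MCS_FAIL):
        print("MCS:", f)
    e = parse_epsecd_line(EPSECD_SAMPLE)
    print("UTM:", e["severity"], e["name"], "->", e["effect"])
```

Feed each function the lines of the corresponding log file (for example `triage_mcs_log(open("MCSClient.log").read().splitlines())`); the epsecd parser only returns a dict for the `E` line, which is the one that carries the `severity` and `effect` fields worth escalating to Sophos Technical Support.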
When running the installation package, there is a tick box for 'Remove conflicting third-party security software'. When this option is selected, the Sophos installation will attempt to remove any detected third-party security software that would prevent the Sophos installation package from completing.
If there is a problem with detecting or removing, please see the avremove.log for more details.
The log is located in the temp folder of the user profile under which the installation was run.
Navigate to Start > Run, enter %temp% and select "OK" to see the file. See article 112662 for the list of products supported for detection.
Download the Sophos Diagnostic Utility from article 33533 and run it on the affected endpoint to capture the logs required by Sophos Technical Support.
Within the UTM dashboard, select 'Endpoint Protection' from the left-hand pane and then select 'Open Endpoint Protection live log'.
You can see a historic log for the endpoint protection by choosing 'Logging & Reporting' from the left-hand pane in the dashboard and then selecting 'View Log Files'. Select 'Live Log' or 'View' for the historic log.
If there are any errors or warnings shown, copy and paste from the UTM logs and send to Sophos Technical Support.