
Event ID 5154 and Sophos Patch

Hi,

I am receiving the following warnings both in the server's application log file as well as the Patch Endpoint Communicator log file.

2014-07-22 14:15:19 | PID   1492 | TID     18 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"b12c6df8-e4ba-4fb9-b37f-6d47a5a87a7c"-- Evidence -- -- Evidence At Publish --

2014-07-22 14:15:34 | PID   1492 | TID     31 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"b12c6df8-e4ba-4fb9-b37f-6d47a5a87a7c"-- Evidence -- -- Evidence At Publish --

2014-07-22 14:15:50 | PID   1492 | TID     31 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"b12c6df8-e4ba-4fb9-b37f-6d47a5a87a7c"-- Evidence -- -- Evidence At Publish --

2014-07-22 14:18:38 | PID   1492 | TID     32 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"3dc3fdfe-bebf-4723-aab7-2f73bc31a963"-- Evidence -- -- Evidence At Publish --

2014-07-22 14:18:53 | PID   1492 | TID     32 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"3dc3fdfe-bebf-4723-aab7-2f73bc31a963"-- Evidence -- -- Evidence At Publish --

2014-07-22 14:19:08 | PID   1492 | TID     32 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"3dc3fdfe-bebf-4723-aab7-2f73bc31a963"-- Evidence -- -- Evidence At Publish --

As you can see, the Agent info changes every three warnings.

How can I stop these warnings from occurring?

Server is 2008R2 with a local database. Enterprise console is running at version 5.1.0.1839

Regards

Chris G.



  • I received the following advice from Sophos support which has fixed the issue.

    Good day, thank you for contacting Sophos Technical Support. I have checked the log file that you sent and found the cause of this problem is that clients have been built from a disk image where the Sophos AutoUpdate machineID.txt is identical. This file should have been deleted when the image was created.

    What is really bizarre is that Sophos is NOT installed until after the image is deployed. The symptoms are the same and the fix worked. The only thing in common with the machines that had the issue is that Deep Freeze is on them. None of the machines that don't have Deep Freeze had an issue and NOT all the Deep Frozen machines had this issue, so I can only speculate that it was doing an update of some description (engine maybe) when the maintenance period ended. Either way, the issue is now resolved.

    What To Do

    To identify computers which have duplicate machineID.txt files, the below SQL query needs to be run:

    C:\OSQL -E -S .\SOPHOS

    1> SELECT Name, IdentityTag FROM SOPHOS51.dbo.computersanddeletedcomputers WHERE IdentityTag='1ab1234a-a123-12a1-ab12-a12345abc1a1'

    2> GO

    where the IdentityTag is the ID as logged against the error in the PatchEndpointCommunicator.log or event log, for example:

    2012-09-28 15:31:54 | PID 3328 | TID 25 | ID: 5154 | Severity: warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.303.0", Agent Info:"1ab1234a-a123-12a1-ab12-a12345abc1a1"

    To resolve this issue follow the below steps on each identified client:

    1. Stop the Sophos AutoUpdate service
    2. Stop the Sophos Patch Agent service
    3. Rename the below file to machine_ID.txt_old: C:\Program Files [ x86]\Sophos\AutoUpdate\data\machine_ID.txt (\ProgramData\ on Vista+)
    4. Delete the below registry value: HKLM\SOFTWARE\Sophos\Sophos Patch Agent\PatchAgentId
    5. Start the Sophos AutoUpdate service
    6. Start the Sophos Patch Agent service
    7. Once the issue is resolved the renamed file in step 3 (machine_ID.txt_old) can be safely deleted
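The support steps above have you read the Agent Info GUID out of each 5154 warning by hand and paste it into the OSQL query. The script below is an added example (not from the thread or from Sophos) that does the triage part of that procedure: it parses PatchEndpointCommunicator.log lines in the format quoted in the question, counts 5154 signature-validation failures per Agent Info GUID, and emits the same SELECT for every GUID that recurs. The sample log is constructed from the lines in the question plus one single-occurrence GUID (5f0a2c11-...) made up for the example; the database name SOPHOS51 and the table name are taken from the support reply. Because the GUID is lifted from a log that the endpoint writes, the script refuses to build SQL from anything that is not a well-formed GUID rather than trusting the log content.

```python
import re
from collections import Counter

# Constructed sample: the six lines quoted in the question plus one extra GUID
# (invented for this example) that occurs only once, so the threshold filter has
# something to drop.
SAMPLE_LOG = """\
2014-07-22 14:15:19 | PID   1492 | TID     18 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"b12c6df8-e4ba-4fb9-b37f-6d47a5a87a7c"-- Evidence -- -- Evidence At Publish --
2014-07-22 14:15:34 | PID   1492 | TID     31 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"b12c6df8-e4ba-4fb9-b37f-6d47a5a87a7c"-- Evidence -- -- Evidence At Publish --
2014-07-22 14:15:50 | PID   1492 | TID     31 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"b12c6df8-e4ba-4fb9-b37f-6d47a5a87a7c"-- Evidence -- -- Evidence At Publish --
2014-07-22 14:18:38 | PID   1492 | TID     32 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"3dc3fdfe-bebf-4723-aab7-2f73bc31a963"-- Evidence -- -- Evidence At Publish --
2014-07-22 14:18:53 | PID   1492 | TID     32 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"3dc3fdfe-bebf-4723-aab7-2f73bc31a963"-- Evidence -- -- Evidence At Publish --
2014-07-22 14:19:08 | PID   1492 | TID     32 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"3dc3fdfe-bebf-4723-aab7-2f73bc31a963"-- Evidence -- -- Evidence At Publish --
2014-07-22 14:20:01 | PID   1492 | TID     18 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"5f0a2c11-7d3e-4b6a-9c21-0e8f4a1b2c3d"-- Evidence -- -- Evidence At Publish --
"""

# Field layout of a PatchEndpointCommunicator.log line as quoted in the thread.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \| PID\s+(?P<pid>\d+) \| TID\s+(?P<tid>\d+)'
    r' \| ID:\s+(?P<event>\d+) \| Severity:\s+(?P<sev>\w+) \| (?P<msg>.*)$'
)
AGENT_RE = re.compile(r'Agent Info:"(?P<guid>[^"]*)"')
# Strict GUID shape. Anything else that shows up in the log is rejected before
# it is ever interpolated into a SQL statement.
GUID_RE = re.compile(r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$')


def parse_5154(log_text):
    """Return [(timestamp, agent_guid), ...] for every event 5154 line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group('event') != '5154':
            continue
        a = AGENT_RE.search(m.group('msg'))
        if not a:
            continue
        hits.append((m.group('ts'), a.group('guid').lower()))
    return hits


def duplicate_candidates(log_text, min_hits=2):
    """Map GUID -> number of 5154 warnings, keeping only GUIDs seen min_hits+ times.

    A GUID that keeps failing registration is the one worth looking up in the
    console database; a single failure may just be a transient.
    """
    counts = Counter(guid for _, guid in parse_5154(log_text))
    return {g: n for g, n in counts.items() if n >= min_hits}


def build_lookup_sql(guids, database='SOPHOS51'):
    """Build the SELECT from the support reply for one or more IdentityTag values.

    OSQL takes no bind parameters, so the only defence against a hostile string
    in the log is to validate the GUID shape before building the literal.
    """
    clean = sorted({g.lower() for g in guids})
    bad = [g for g in clean if not GUID_RE.match(g)]
    if bad:
        raise ValueError(f'refusing to build SQL from malformed IdentityTag values: {bad}')
    if not re.match(r'^[A-Za-z_][A-Za-z0-9_]*$', database):
        raise ValueError('database name must be a plain identifier')
    in_list = ', '.join(f"'{g}'" for g in clean)
    return (f'SELECT Name, IdentityTag FROM {database}.dbo.computersanddeletedcomputers '
            f'WHERE IdentityTag IN ({in_list})')


if __name__ == '__main__':
    dupes = duplicate_candidates(SAMPLE_LOG)
    for guid, n in sorted(dupes.items(), key=lambda kv: -kv[1]):
        print(f'{guid}  {n} x event 5154')
    print(build_lookup_sql(dupes))
```

Run it against the real log instead of SAMPLE_LOG by reading the file into `duplicate_candidates`; paste the printed statement at the `1>` prompt of `OSQL -E -S .\SOPHOS` and follow it with `GO`. Every computer name the query returns is a client that needs steps 1 to 7 above applied.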