
Security center shows virus protection is "out of date"?

I get the red shield with the white cross in the tray area; when I click it I see that virus protection is "out of date". This seems to have happened to several PCs on our network. If I click the Sophos shield though it seems to be up to date.

I'm running XP Pro SP2. Sophos version is Endpoint Security and Control version 9. Right now it shows that last updates were checked 10/11/2010 i.e. today, and on-access scanning is enabled.

Can anyone help?

  • Hi,

    Do you know what the last install time of a new update was?  You can find it if you open up the main interface and choose "View product information".  If you expand Software under the "Anti-virus and HIPS" section, there is a "Last updated" value.  Is that recent also?  The other times are just checks rather than install times.

    Thanks,

    Jak

  • Last updated date is showing as 28/10/2010 07:47:50

    I'm no IT guy though... does this mean I need to update something (and how)?

  • So it looks like either:

    1. Installs of SAV are failing, or

    2. Your update location is not being updated.  If the update location isn't being updated, AutoUpdate on the clients would check centrally and see there was nothing to do.  So you would get a recent "check" time, as you are, but there would be nothing new to install, hence an old install time.

    To determine if it's the first, can you paste the last update history from alc.log?  To do so:

    1. Open up SAV on the client.

    2. Click "View updating log".

    3. In the ALC log viewer, the start of an update will show as:

    ***************          Sophos AutoUpdate started          ***************
    If you take the last one of these, can you copy and paste the lines above that make up the last update?

    If it's reason 2, i.e. the update location is just not being updated...

    Is the machine updating from a central installation directory as managed by Sophos Update Manager (SUM) and Enterprise Console (SEC)?  If so, can you check if the location is being updated?  A recent .ide file in the central installation, for example.

    Thanks,

    Jak

  • Thanks for your help.
    The log from the client is below. However, I've just realised that when I said the updates were showing as ok I was looking on the client. On the server version it's showing as 'update failed'. The update log here is giving a warning that 'restart needed for updates to take effect' so does the server just need rebooting? I've pasted the log for this below the client one.
    Client log:
    Time: 10/11/2010 05:21:55
    Message: AutoUpdate finished
    Module: ALUpdate
    Process ID: 2992
    Thread ID: 2980
    Time: 10/11/2010 05:21:55
    Message: Installation of Sophos AutoUpdate skipped
    Module: ALUpdate
    Process ID: 2992
    Thread ID: 2980
    Time: 10/11/2010 05:21:55
    Message: Installation of SAVXP skipped
    Module: ALUpdate
    Process ID: 2992
    Thread ID: 2980
    Time: 10/11/2010 05:21:55
    Message: Installation of RMSNT skipped
    Module: ALUpdate
    Process ID: 2992
    Thread ID: 2980
    Time: 10/11/2010 05:21:55
    Message: Downloading phase completed
    Module: ALUpdate
    Process ID: 2992
    Thread ID: 2980
    Time: 10/11/2010 05:21:54
    Message: Product cache update from primary server successfully finished
    Module: CIDUpdate
    Process ID: 2992
    Thread ID: 2980
    Time: 10/11/2010 05:21:54
    Message: Downloading product Sophos AutoUpdate from server \\YMCA-SVR1\SophosUpdate\CIDs\S014\EECSXP\
    Module: CIDUpdate
    Process ID: 2992
    Thread ID: 2980
    Time: 10/11/2010 05:21:53
    Message: Product cache update from primary server successfully finished
    Module: CIDUpdate
    Process ID: 2992
    Thread ID: 2980
    Time: 10/11/2010 05:21:53
    Message: Downloading product SAVXP from server \\YMCA-SVR1\SophosUpdate\CIDs\S014\EECSXP\
    Module: CIDUpdate
    Process ID: 2992
    Thread ID: 2980
    Time: 10/11/2010 05:21:52
    Message: Product cache update from primary server successfully finished
    Module: CIDUpdate
    Process ID: 2992
    Thread ID: 2980
    Time: 10/11/2010 05:21:52
    Message: Downloading product RMSNT from server \\YMCA-SVR1\SophosUpdate\CIDs\S014\EECSXP\
    Module: CIDUpdate
    Process ID: 2992
    Thread ID: 2980
    Time: 10/11/2010 05:21:52
    Message: ***************          Sophos AutoUpdate started          ***************
    Module: ALUpdate
    Process ID: 2992
    Thread ID: 2980


    Server log:

    Time: 10/11/2010 08:51:04
    Message: WARNING: Restart needed for updates to take effect
    Module: ALUpdate
    Process ID: 13192
    Thread ID: 14636
    Time: 10/11/2010 08:51:01
    Message: ERROR:   Could not find a source for updated package Sophos PureMessage
    Module: ALUpdate
    Process ID: 13192
    Thread ID: 14636
    Time: 10/11/2010 08:51:01
    Message: Installation of Sophos AutoUpdate skipped
    Module: ALUpdate
    Process ID: 13192
    Thread ID: 14636
    Time: 10/11/2010 08:51:01
    Message: Installation of SAVXP skipped
    Module: ALUpdate
    Process ID: 13192
    Thread ID: 14636
    Time: 10/11/2010 08:51:01
    Message: Installation of RMSNT skipped
    Module: ALUpdate
    Process ID: 13192
    Thread ID: 14636
    Time: 10/11/2010 08:51:01
    Message: Downloading phase completed
    Module: ALUpdate
    Process ID: 13192
    Thread ID: 14636
    Time: 10/11/2010 08:50:58
    Message: Product cache update from primary server successfully finished
    Module: CIDUpdate
    Process ID: 13192
    Thread ID: 14636
    Time: 10/11/2010 08:50:58
    Message: Downloading product Sophos AutoUpdate from server \\YMCA-SVR1\SophosUpdate\CIDs\S014\EECSXP\
    Module: CIDUpdate
    Process ID: 13192
    Thread ID: 14636
    Time: 10/11/2010 08:50:56
    Message: Product cache update from primary server successfully finished
    Module: CIDUpdate
    Process ID: 13192
    Thread ID: 14636
    Time: 10/11/2010 08:50:56
    Message: Downloading product SAVXP from server \\YMCA-SVR1\SophosUpdate\CIDs\S014\EECSXP\
    Module: CIDUpdate
    Process ID: 13192
    Thread ID: 14636
    Time: 10/11/2010 08:50:54
    Message: Product cache update from primary server successfully finished
    Module: CIDUpdate
    Process ID: 13192
    Thread ID: 14636
    Time: 10/11/2010 08:50:54
    Message: Downloading product RMSNT from server \\YMCA-SVR1\SophosUpdate\CIDs\S014\EECSXP\
    Module: CIDUpdate
    Process ID: 13192
    Thread ID: 14636
    Time: 10/11/2010 08:50:53
    Message: ***************          Sophos AutoUpdate started          ***************
    Module: ALUpdate
    Process ID: 13192
    Thread ID: 14636

  • Well it looks like the client is happily "checking" for updates from:

    \\YMCA-SVR1\SophosUpdate\CIDs\S014\EECSXP\

    The next question is, is:

    \\YMCA-SVR1\SophosUpdate\CIDs\S014\EECSXP\

    being updated by SUM correctly?  If you look in that location and order by the file type and find the  ".ide" files, what is the most recent time?  It should be from today.  If not, you would then need to check Sophos Update Manager is ok and if that is updating from Sophos.

    Also are all the clients that are working/not working using this same location?

    The server is requesting a reboot but this would only be for the endpoint protection software on the machine and wouldn't affect the management of the other machines. That being said I would suggest rebooting the server if you can.  The reboot might sort out Sophos Update Manager as well if that is currently failing.  After the reboot, maybe check:
    \\YMCA-SVR1\SophosUpdate\CIDs\S014\EECSXP\ 

    15 minutes after start-up to see if a new ide has been added.  If it has, then you can force an update on your failing client and see if the new update is taken.

    As a slight aside, I also notice you are getting:

    "Could not find a source for updated package Sophos PureMessage"

    This would suggest that PureMessage is installed on the server machine, i.e. PureMessage is registered with AutoUpdate, so AutoUpdate is looking for Spam rule updates. It won't however find them from the local CID; it would need to update from Sophos to get those, or at least I think that's correct, I've not used PureMessage for quite some time.  So for the server at least you would need to configure the secondary location to be Sophos.

    As there are quite a few questions outstanding and if you get stuck after the reboot it might be best to give Support a quick call mentioning you have a machine which is updating from the CID \\YMCA-SVR1\SophosUpdate\CIDs\S014\EECSXP\ ok but the last actual install time is old.  Can they help you check that Sophos Update Manager is updating the CID correctly?

    I'd also mention you have PureMessage and you'd like to check if the Spam rules are being installed and that AutoUpdate on the machine is configured correctly to obtain them.

    Good luck.

    Thanks,

    Jak
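
An added example (not part of the original thread, and not Sophos code) of the log check discussed above: it reads an ALC log paste in the Time/Message layout shown in the thread, groups the records into update cycles, and flags cycles that fetched products but skipped every install. The sample is abridged from the server log posted above; `summarize_cycles`, `RECORD` and the result field names are assumptions made for this example.

```python
import re

# Constructed sample: abridged from the server log posted in the thread
# (the log viewer lists the newest record first).
SAMPLE = r"""
Time: 10/11/2010 08:51:04
Message: WARNING: Restart needed for updates to take effect
Module: ALUpdate
Time: 10/11/2010 08:51:01
Message: ERROR:   Could not find a source for updated package Sophos PureMessage
Module: ALUpdate
Time: 10/11/2010 08:51:01
Message: Installation of SAVXP skipped
Module: ALUpdate
Time: 10/11/2010 08:50:56
Message: Downloading product SAVXP from server \\YMCA-SVR1\SophosUpdate\CIDs\S014\EECSXP\
Module: CIDUpdate
Time: 10/11/2010 08:50:53
Message: ***************          Sophos AutoUpdate started          ***************
Module: ALUpdate
"""

# One record = a "Time:" line followed by its "Message:" line (blank lines tolerated).
RECORD = re.compile(r"^\s*Time:\s*(.+?)\s*\n\s*Message:\s*(.*?)\s*$", re.M)

def summarize_cycles(text):
    """Group records into update cycles (oldest first) and classify each one."""
    cycles = []
    for when, msg in reversed(RECORD.findall(text)):
        if "Sophos AutoUpdate started" in msg:
            cycles.append({"started": when, "downloaded": [], "skipped": [],
                           "errors": [], "warnings": []})
        elif not cycles:
            continue  # record that precedes the first start banner in the paste
        elif m := re.match(r"Downloading product (.+?) from server ", msg):
            cycles[-1]["downloaded"].append(m.group(1))
        elif m := re.match(r"Installation of (.+) skipped$", msg):
            cycles[-1]["skipped"].append(m.group(1))
        elif m := re.match(r"(ERROR|WARNING):\s*(.*)", msg):
            cycles[-1][m.group(1).lower() + "s"].append(m.group(2))
    for c in cycles:
        # Every fetched product was skipped: the run only *checked* for updates,
        # so "last checked" moves forward while "Last updated" stays old.
        c["check_only"] = bool(c["downloaded"]) and set(c["downloaded"]) <= set(c["skipped"])
    return cycles

if __name__ == "__main__":
    for c in summarize_cycles(SAMPLE):
        print(c)
```

A cycle with `check_only` set and no errors points at the update location rather than the client, which is why the next step in the thread is to look at the age of the `.ide` files in the CID.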

  • Hi again Jak.

    I checked in \\YMCA-SVR1\SophosUpdate\CIDs\S014\EECSXP\ and there are no .ide files... but they are all there in \\YMCA...\EECSXP\savxp

    So I'm guessing the wrong directory has been set? I went to the updating configuration screen and all the details here are greyed out though...

  • Sorry, I should have been more specific; they should be in the subdirectory savxp, where you found them.

    The clients should point as they do to:

    \\YMCA-SVR1\SophosUpdate\CIDs\S014\EECSXP\

    Jak
