Windows 7 64bit and Sophos 9.7 Problem

Hi,

Bit of an issue here which is baffling me.

Set up a new Subscription to 9.7 Recommended and created a new CID on the AV server.

Set up a new Policy with the correct subscription which applies to a number of XP machines and 4 Windows 7 64-bit machines.

The XP machines are all compliant with the new policy and have automatically upgraded from 9.5 to 9.7.

I've manually installed 9.7 to the Win 7 machines from the new CID (S002).

The issue I'm having is after 60 mins or so (automatic update schedule) the Win 7 workstations are checking for updates and then downgrading themselves back to version 9.5!

Both Win 7 and XP machines are sharing the same updating policy.

Any ideas?

  • Hello Trevor,

    the difference is very likely the manual install. You should check the policy compliance on the Win7 clients and whether they really use S002. There's no way for them to downgrade other than accessing a wrong CID (which might be, BTW, the secondary update location).

    Christian
  • Hi Christian,

    The manual install was done from the correct CID (S002) and the policy was compliant according to EConsole. On checking "configure updating" on the Win 7 client it was pointing at the correct CID. When the automatic update check ran it changed back to the old CID (S000) and reverted to version 9.5.

    thanks

    Trevor

  • Hmm ... The ALUpdate log (in %ProgramData%) contains details on the selection of the update location. Haven't seen a "switch" for no reason (i.e. usually a small mistake).

    Christian
  • Hi,

    Couple of things worth checking:

    1. Is there a sauconf.xml in the CID that the clients update from that is redirecting the clients back to another CID?

    2. Is there a custom mrinit.conf in the CID that is redirecting the clients to another SEC server, which is then sending down policies to redirect the clients?

    Regards,

    Jak

  • Hi Jak,

    No, there is no sauconf.xml file in the second CID and mrinit.conf refers to the correct AV server.

    Here are the log files:

    alc.log first, which shows the switch from CID S002 to CID S000:

    0x4 ALUpdate 0x32 0xb98 0x1 0x6 0xbdc 0x4dc26add
    0x4 CIDUpdate 0x32 0xb98 0x1 0x55 0xbdc 0x4dc26ade RMSNT \\avserver\sophosupdate\CIDs\S002\SAVSCFXP\
    0x4 CIDUpdate 0x32 0xb98 0x1 0x23 0xbdc 0x4dc26ae4
    0x4 CIDUpdate 0x32 0xb98 0x1 0x55 0xbdc 0x4dc26ae5 SAVXP \\avserver\sophosupdate\CIDs\S002\SAVSCFXP\
    0x4 CIDUpdate 0x32 0xb98 0x1 0x23 0xbdc 0x4dc26b19
    0x4 CIDUpdate 0x32 0xb98 0x1 0x55 0xbdc 0x4dc26b1a SophosAutoUpdate \\avserver\sophosupdate\CIDs\S002\SAVSCFXP\
    0x4 CIDUpdate 0x32 0xb98 0x1 0x23 0xbdc 0x4dc26b1b
    0x4 ALUpdate 0x32 0xb98 0x1 0x52 0xbdc 0x4dc26b1c
    0x4 ALUpdate 0x32 0xb98 0x1 0x68 0xb28 0x4dc26b1c RMSNT
    0x4 ALUpdate 0x32 0xb98 0x1 0x2e 0xb28 0x4dc26b24
    0x4 ALUpdate 0x32 0xb98 0x1 0x68 0xad0 0x4dc26b24 SAVXP
    0x4 ALUpdate 0x32 0xb98 0x1 0x4d 0xad0 0x4dc26b4d SAVXP
    0x4 ALUpdate 0x32 0xb98 0x1 0x53 0xbdc 0x4dc26b4d SophosAutoUpdate
    0x4 ALUpdate 0x32 0xb98 0x1 0x4c 0xbdc 0x4dc26b4e
    0x4 ALUpdate 0x32 0xe38 0x1 0x6 0xe3c 0x4dc274e1
    0x4 CIDUpdate 0x32 0xe38 0x1 0x55 0xe3c 0x4dc274e1 RMSNT \\AVSERVER\SophosUpdate\CIDs\S000\SAVSCFXP\
    0x4 CIDUpdate 0x32 0xe38 0x1 0x23 0xe3c 0x4dc274e6
    0x4 CIDUpdate 0x32 0xe38 0x1 0x55 0xe3c 0x4dc274e7 SAVXP \\AVSERVER\SophosUpdate\CIDs\S000\SAVSCFXP\
    0x4 CIDUpdate 0x32 0xe38 0x1 0x23 0xe3c 0x4dc27509
    0x4 CIDUpdate 0x32 0xe38 0x1 0x55 0xe3c 0x4dc2750a SophosAutoUpdate \\AVSERVER\SophosUpdate\CIDs\S000\SAVSCFXP\
    0x4 CIDUpdate 0x32 0xe38 0x1 0x23 0xe3c 0x4dc27512
    0x4 ALUpdate 0x32 0xe38 0x1 0x52 0xe3c 0x4dc27514
    0x4 ALUpdate 0x32 0xe38 0x1 0x68 0xd58 0x4dc27514 RMSNT
    0x4 ALUpdate 0x32 0xe38 0x1 0x2e 0xd58 0x4dc27529
    0x4 ALUpdate 0x32 0xe38 0x1 0x68 0xd60 0x4dc27529 SAVXP
    0x4 ALUpdate 0x32 0xe38 0x1 0x4d 0xd60 0x4dc27567 SAVXP
    0x4 ALUpdate 0x32 0xe38 0x1 0x68 0xe34 0x4dc27567 SophosAutoUpdate
    0x4 ALUpdate 0x32 0xe38 0x1 0x2e 0xe34 0x4dc2757d
    0x4 ALUpdate 0x32 0xe38 0x1 0x4c 0xe3c 0x4dc2757d
    0x4 ALUpdate 0x32 0xff4 0x1 0x6 0xff8 0x4dc27692
    0x4 CIDUpdate 0x32 0xff4 0x1 0x55 0xff8 0x4dc27692 RMSNT \\AVSERVER\SophosUpdate\CIDs\S000\SAVSCFXP\
    0x4 CIDUpdate 0x32 0xff4 0x1 0x23 0xff8 0x4dc27692
    0x4 CIDUpdate 0x32 0xff4 0x1 0x55 0xff8 0x4dc27693 SAVXP \\AVSERVER\SophosUpdate\CIDs\S000\SAVSCFXP\
    0x4 CIDUpdate 0x32 0xff4 0x1 0x23 0xff8 0x4dc27693
    0x4 CIDUpdate 0x32 0xff4 0x1 0x55 0xff8 0x4dc27694 SophosAutoUpdate \\AVSERVER\SophosUpdate\CIDs\S000\SAVSCFXP\
    0x4 CIDUpdate 0x32 0xff4 0x1 0x23 0xff8 0x4dc27694
    0x4 ALUpdate 0x32 0xff4 0x1 0x52 0xff8 0x4dc27695
    0x4 ALUpdate 0x32 0xff4 0x1 0x53 0xff8 0x4dc27695 RMSNT
    0x4 ALUpdate 0x32 0xff4 0x1 0x53 0xff8 0x4dc27695 SAVXP
    0x4 ALUpdate 0x32 0xff4 0x1 0x53 0xff8 0x4dc27695 SophosAutoUpdate
    0x4 ALUpdate 0x32 0xff4 0x1 0x7b 0xff8 0x4dc27695
    0x4 ALUpdate 0x32 0xe48 0x1 0x6 0xe4c 0x4dc276a4
    0x4 CIDUpdate 0x32 0xe48 0x1 0x55 0xe4c 0x4dc276a4 RMSNT \\AVSERVER\SophosUpdate\CIDs\S000\SAVSCFXP\
    0x4 CIDUpdate 0x32 0xe48 0x1 0x23 0xe4c 0x4dc276a4
    0x4 CIDUpdate 0x32 0xe48 0x1 0x55 0xe4c 0x4dc276a5 SAVXP \\AVSERVER\SophosUpdate\CIDs\S000\SAVSCFXP\
    0x4 CIDUpdate 0x32 0xe48 0x1 0x23 0xe4c 0x4dc276a5
    0x4 CIDUpdate 0x32 0xe48 0x1 0x55 0xe4c 0x4dc276a6 SophosAutoUpdate \\AVSERVER\SophosUpdate\CIDs\S000\SAVSCFXP\
    0x4 CIDUpdate 0x32 0xe48 0x1 0x23 0xe4c 0x4dc276a6
    0x4 ALUpdate 0x32 0xe48 0x1 0x52 0xe4c 0x4dc276a6
    0x4 ALUpdate 0x32 0xe48 0x1 0x53 0xe4c 0x4dc276a6 RMSNT
    0x4 ALUpdate 0x32 0xe48 0x1 0x53 0xe4c 0x4dc276a6 SAVXP
    0x4 ALUpdate 0x32 0xe48 0x1 0x53 0xe4c 0x4dc276a6 SophosAutoUpdate
    0x4 ALUpdate 0x32 0xe48 0x1 0x7b 0xe4c 0x4dc276a7

  • I've uploaded alupdate.log to Google Docs as it's too big to paste here.

    No sign-in required.

    thanks

    https://docs.google.com/document/d/1nY_7WE_-d_1lt1oVWLO7TqbqB-pMhoyrUkdplWX6aIU/edit?hl=en&pli=1

  • Hello Trevor,

    at the time of the update after the install from the S002 CID (was this the "initial" update?) the update location is obviously set to S000. Did you edit the log? 'Cause the server name is avserver for S002 and AVSERVER for S000. Maybe this does ring a bell?

    As you said the XP machines do not downgrade I didn't mention sauconf.xml (although this was my first idea). Leaves SEC - are the XP and Win7 machines in the same console group?

    Christian

  • Christian,

    The manual install was done from CID S002 (9.7) and the PC was rebooted after the install. When it came back up I selected "update now" so it would report its status back to EConsole and it seemed to install RMS again and required another reboot. I presume this is where it reverted to 9.5 and CID S000.

    Yes, the Win 7 machines and XP machines are in the same group, which has been synced with an Active Directory OU.

    The avserver reference is just where I have used "find and replace" to edit out the name of our AV server before posting the logs here.

  • Thanks for the logs and the additional information. Now the alc.log says that between the initial install and the install from S000 some 40 minutes have passed. Next update was 7 minutes later (and has cleared the restart flag) and another one after 18 seconds. So it either "reverted" to S000 before the first reboot or "something" manipulated the configuration after the reboot but before AU could perform its duties - unlikely.

    Does SEC show the downgraded client as non-compliant with the updating policy (and does it show S000 in the primary location)? If you force it to comply and request an update afterwards it should then upgrade to 9.7. I have still no idea why it should affect only the Win7 machines though (except that you say you did install them manually - did they have Sophos on them before?).

    Christian

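The timing Christian reads off alc.log (about 40 minutes between the S002 install and the first S000 session, then 7 minutes, then 18 seconds) can be checked mechanically. The script below is an added example, not part of this thread or of any Sophos tooling; it assumes the field layout inferred from the posted lines (4th token = update session id, 8th token = Unix timestamp in hex, UNC CID path last), which is an assumption that happens to reproduce the intervals quoted above.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt of the alc.log lines posted in this thread. Assumed layout
# (inferred from the lines, not documented): token 2 = record kind, token 4 =
# update session id, token 8 = Unix timestamp in hex, then component + UNC path.
SAMPLE_LOG = r"""
0x4 ALUpdate 0x32 0xb98 0x1 0x6 0xbdc 0x4dc26add
0x4 CIDUpdate 0x32 0xb98 0x1 0x55 0xbdc 0x4dc26ade RMSNT \\avserver\sophosupdate\CIDs\S002\SAVSCFXP\
0x4 CIDUpdate 0x32 0xb98 0x1 0x55 0xbdc 0x4dc26ae5 SAVXP \\avserver\sophosupdate\CIDs\S002\SAVSCFXP\
0x4 ALUpdate 0x32 0xe38 0x1 0x6 0xe3c 0x4dc274e1
0x4 CIDUpdate 0x32 0xe38 0x1 0x55 0xe3c 0x4dc274e1 RMSNT \\AVSERVER\SophosUpdate\CIDs\S000\SAVSCFXP\
0x4 ALUpdate 0x32 0xff4 0x1 0x6 0xff8 0x4dc27692
0x4 CIDUpdate 0x32 0xff4 0x1 0x55 0xff8 0x4dc27692 RMSNT \\AVSERVER\SophosUpdate\CIDs\S000\SAVSCFXP\
0x4 ALUpdate 0x32 0xe48 0x1 0x6 0xe4c 0x4dc276a4
0x4 CIDUpdate 0x32 0xe48 0x1 0x55 0xe4c 0x4dc276a4 RMSNT \\AVSERVER\SophosUpdate\CIDs\S000\SAVSCFXP\
"""

CID_RE = re.compile(r"\\CIDs\\(S\d+)\\", re.IGNORECASE)  # pulls "S002" out of the UNC path

def parse_line(line):
    """Return a dict for one record, or None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) < 8 or not parts[7].startswith("0x"):
        return None
    path = parts[9] if len(parts) > 9 else None
    m = CID_RE.search(path) if path else None
    return {"kind": parts[1], "session": parts[3], "ts": int(parts[7], 16),
            "path": path, "cid": m.group(1).upper() if m else None}

def sessions(log_text):
    """One (start_timestamp, cid) per update session, in time order."""
    found = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        s = found.setdefault(rec["session"], {"start": rec["ts"], "cid": None})
        s["start"] = min(s["start"], rec["ts"])          # earliest record = session start
        if rec["cid"] and s["cid"] is None:
            s["cid"] = rec["cid"]                        # first CID the session pulled from
    return sorted(((s["start"], s["cid"]) for s in found.values()), key=lambda t: t[0])

def session_gaps(log_text):
    """Seconds between consecutive update sessions."""
    starts = [start for start, _ in sessions(log_text)]
    return [b - a for a, b in zip(starts, starts[1:])]

def cid_switches(log_text):
    """(seconds since previous session, old CID, new CID) wherever the CID changed."""
    out, prev = [], None
    for start, cid in sessions(log_text):
        if prev and cid != prev[1]:
            out.append((start - prev[0], prev[1], cid))
        prev = (start, cid)
    return out

if __name__ == "__main__":
    for start, cid in sessions(SAMPLE_LOG):
        print(datetime.fromtimestamp(start, timezone.utc).isoformat(), cid)
    print(cid_switches(SAMPLE_LOG))
```

Running it over a client's full alc.log lists every session with its CID, so a switch from S002 to S000 (and exactly when it happened relative to the install and reboot) shows up as a single line instead of having to be read out of the hex by hand.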
  • Christian,

    Both the XP machines and Win 7 machines are reporting to EConsole that they are compliant with the updating policy even though they aren't!

    XP computer details screenshot:

    http://img703.imageshack.us/i/35679531.png/

    Win 7 screenshot:

    http://img809.imageshack.us/i/win7f.png/

    Note that both PCs are saying that they are compliant with the updating policy, yet the Win 7 machine's primary update server is listed as CID S000 (version 9.5).

    thanks
