
Windows 7 64bit and Sophos 9.7 Problem

Hi,

Bit of an issue here which is baffling me.

Set up a new Subscription to 9.7 Recommended and created a new CID on AV server.

Setup a new Policy with the correct subscription which applies to a number of XP machines and 4 Windows 7 64bit machines.

The XP machines are all compliant with the new policy and have automatically upgraded from 9.5 to 9.7.

I've manually installed 9.7 to the Win 7 machines from the new CID (S002).

The issue I'm having is after 60 mins or so (automatic update schedule) the Win 7 workstations are checking for updates and then downgrading themselves back to version 9.5!

Both Win 7 and XP machines are sharing the same updating policy.

Any ideas?

:12561


  • Any chance that the Win7 clients appear twice in the console?

    Upon receiving the updating policy the client reports compliant (unless it is configured from the CID by means of sauconf.xml and the policies don't match). After that the flag is set to non-compliant when either the policy has been changed in SEC or the policy has been changed (manually or sauconf.xml) on the client. 

    Christian 

    :12631
  • No the Win 7 machines only appear once in the group.

    There is no sauconf.xml file in either cid. 

    I have moved the Win 7 PCs into a new test group and they have updated to 9.7 to comply with the policy. If I then set up the synchronisation with AD on the original synched OU again so the Win7 machines get moved back into the synced OU group, the problem occurs again after the next scheduled update and they revert to 9.5.

    :12689
  • To make sure I understand this correctly:

    There's a console group - say - S97 which is sync'ed with some OU in AD. Are the XP and Win7 machines in the same OU (should be as you said the PCs are in the same group)? Or does S97 contain subgroups mirroring the OUs in AD?

    Christian   

    :12697
  • Hi Christian

    Yes the group is like this

    Building Name

                    IT Workstations

                    Training Room Pc's

    The above group Building name and subset groups are synched with the OU structure from AD.

    The XP machines and Win 7 machines that I spoke about earlier are in the IT Workstations OU and corresponding group using the policy for 9.7.  XP machines all upgraded fine but Win 7 machines are downgrading to 9.5.

    I initially thought it was a conflict of policies as I had set IT Workstations group to use a policy for 9.7 but the Building name which it is a subset of, was using a 9.5 policy.  But now Building Name group and groups below are all using a 9.7 policy.  Every XP machine as a member of this top level group and below has now upgraded to 9.7 correctly but the Win 7 machines are still reverting to 9.5 while apparently reporting to Econsole that they are compliant with the policy, yet having a different primary update server, pointing at the 9.5 CID.

    :12701
  • The (sub) groups are independent but newly discovered groups inherit the policies of their parent. The policy for a client is the one of the "lowest" group it is in - there is no conflict (as long as a machine does not belong to more than one sync'd OU of course).

    I'd check the database with SQL for multiple occurrences of the (Win7) clients based on Jak's example in this post:

    -- List every computer whose name occurs more than once in the
    -- console database, together with the group each entry is mapped to.
    SELECT  c.Name,
            c.Description,
            c.DomainName,
            c.OperatingSystem,
            c.Managed,
            c.Deleted,
            c.Connected,
            c.insertedat,
            c.IdentityTag,
            c.DNSName,
            c.IPAddress,
            c.MessageSystemAddress,
            cgm.GroupID,
            g.Name
    FROM [SOPHOS47].[dbo].[ComputersAndDeletedComputers] AS c
        INNER JOIN [SOPHOS47].[dbo].[ComputerGroupMapping] AS cgm ON cgm.ComputerID = c.id
        INNER JOIN [SOPHOS47].[dbo].[Groups] AS g ON g.id = cgm.GroupID
    WHERE c.Name IN (
        -- names that appear in more than one row
        SELECT c.Name
        FROM [SOPHOS47].[dbo].[ComputersAndDeletedComputers] AS c
        GROUP BY c.Name
        HAVING (COUNT(c.Name) > 1)
    )
    ORDER BY c.Name

    Perhaps you could modify the WHERE clause to select one or more of the Win7 clients by name (WHERE c.Name LIKE ....)

    Christian

    :12707
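The name-filtered variant suggested in the post above, written out as an added example (not code from the thread's participants or from Sophos). It uses only the tables and columns that appear in the quoted query; the name pattern is a placeholder. Unlike the duplicate-only query, it returns a row even when a client exists once, so an empty result means the name really is absent from the table.

```sql
-- Added example: show every database row for clients matching a name
-- pattern, whether or not the name is duplicated.
-- Table/column names are taken from the query quoted in the thread;
-- the pattern value below is a placeholder, not a real machine name.
USE [SOPHOS47];

DECLARE @NamePattern nvarchar(256);
SET @NamePattern = N'WIN7-PC%';   -- placeholder: replace with the client name(s)

SELECT  c.Name,
        c.DomainName,
        c.OperatingSystem,
        c.Managed,
        c.Deleted,
        c.Connected,
        c.insertedat,
        c.IdentityTag,
        c.MessageSystemAddress,
        g.Name AS GroupName,
        -- number of rows sharing this name; > 1 indicates a duplicate entry
        (SELECT COUNT(*)
           FROM [dbo].[ComputersAndDeletedComputers] AS d
          WHERE d.Name = c.Name) AS EntriesForName
FROM    [dbo].[ComputersAndDeletedComputers] AS c
        -- LEFT JOINs keep clients that have no group mapping at all
        LEFT JOIN [dbo].[ComputerGroupMapping] AS cgm ON cgm.ComputerID = c.id
        LEFT JOIN [dbo].[Groups] AS g ON g.id = cgm.GroupID
WHERE   c.Name LIKE @NamePattern
ORDER BY c.Name, c.insertedat;
```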
  • Hi Christian,

    I got one of the more SQL savvy guys to check the Sophos SQL express database using the query that you provided.

    There are no entries for any of the Win 7 machines in ComputersAndDeletedComputers.

    :12713
  • If he used the original (and not WHERE Name =) this means the computers appear only once in the database and is expected in this case. To make sure I haven't made a typo (although I ran it here) he should select one of the clients by name.

    Think I'm out of ideas (except for tracing the exchange between SEC and client and/or turning debug on for the SEC) and time for this week. Sorry I couldn't help so far.

    Christian

    :12715
  • Hi Christian,

    I've taken up a lot of your time so far. Thanks for that.  Maybe I'll re-visit this on Monday.  Have a good weekend.

    thanks

    Trevor

    :12717
  • Hello Trevor,

    don't mention it. Well, it kept haunting me and I have the feeling that something's missing or I misinterpreted some of your information. Indeed taking all together it doesn't seem possible.

    So it's probably better to approach this from a different direction. Thinking about it - that the client allegedly complies but uses the wrong CID is indeed possible if iconn.cfg is modified "outside" Sophos (i.e. not by using the GUI, RMS or the SAUConfigDLL.SAUConfig object). Thus I'd use Sysinternals' Process Monitor to find out who's accessing iconn.cfg and (potentially) modifying it. I might be on the wrong track but I think it's worth a try.

    Christian

    :12761
  • Hi Christian,

    My PC is one of the Win 7 machines affected so iconn.cfg is not being changed manually.

    Just tried it again there.  Here is the sequence of events.

    Manually run setup from 9.7 CID.

    Downloads version 9.7 to product cache and updates.  Skips installation of Autoupdate and RMSNT.  Client is upgraded to version 9.7 but saying Primary update server is the 9.5 CID still.

    After a re-boot the client checks for update, installs Autoupdate and RMSNT and then downgrades to version 9.5.

    Econsole reports that client differs from policy but instruction to comply with updating policy has no effect.

    :12769