The server on which SEC is installed does not point to itself as the SUM; instead it points to an old client workstation?

Background. I came into a helpdesk/entry level admin role under a year ago. About 2 months in I became responsible for watching the protection statuses of all the workstations I had admin over. In this case all workstations but no servers. The only thing I was ever taught or ever did was just check in periodically to the SEC and see what the reports were: make sure the machines were showing up to date, or if it threw a random alert, clear it, or respond if it found something malicious.

Things to note. I was NOT trained in how any of the setup of SEC works, nor am I part of the server's administration group where I can make changes to the local server itself. I was assigned as Sophos Full Administrator however and provide simple maintenance duty for checking alerts and responding to reported malicious files.

Fast forward to recently, when out of the blue every single workstation was throwing a reporting alert saying the exploit prevention software was out of date. It wasn't. After speaking with support I found out these were most likely false errors. That's when I learned about the role an Update Manager plays and the fact that the sole workstation showing as the SUM in the Update Managers screen was a now offline client workstation. We checked the client side app on a couple of workstations and discovered that the Primary location was configured to a share folder on the same dedicated Sophos server as the SEC, and so was the Sophos cloud. With that being the case you'd think that on the Update Managers screen you'd see that same server. But you don't. Instead you only see that old offline workstation. I could not explain this, nor could support really.

Despite this revelation support still tried to configure the offline workstation showing up in the update manager list. We got a communication error, of course.
After it was all said and done, support pretty much said that future false alerts could happen because no client machine has a primary SUM to talk to and because the SEC and SUM were configured on two different nodes.

My best guess is that Sophos was possibly never installed properly to begin with and that the workstation currently showing up in the SUM list was chosen at random by someone who rushed through the install, or was simply totally OK with using the cloud sync for everything.


My question is, because I'm not all too familiar with the installation of the Enterprise Console or SUM, how can I delete the current one and have SEC point only to the server I want it to as the SUM, which in this case would be the same server the SEC is installed on? I would like to do this so I don't get a bunch of false positives like I recently had with the exploit prevention alert, and because it would be nice to have something on prem in case the machines are having trouble reaching the online manager. *edit additional* I also consistently get wrong reports about how drivers have been bypassed or a service has stopped working, but that is never the case when I check the running services. A bunch of things like that are things I'm plagued with, and it doesn't seem efficient to be in charge of workstation security when the tool for the job doesn't even work correctly.

I hope I explained all that well enough and kudos to anyone who can assist. 



  • Hi jabaited,

    Let's tackle your issues one at a time so we don't get confused and mixed up in the process.  We'll start with the highest priority one: SEC not being an Update Manager.
    Now I'm not sure how or why an old endpoint would show up here, but we will want your current SEC server listed.  First verify if Sophos Update Manager is installed on this Windows server by checking Add/Remove Programs (appwiz.cpl).

    1. Open up registry editor and navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\EE\Management Tools\DatabaseUser
    2. Note down the DatabaseUserName and also make sure you have the password to this account as you will need to re-enter it during re-installation
    3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\EE\Management Tools\SumUser
    4. Note down the SumUserName for here as you will also need the username/password of this account during re-installation
    5. Uninstall Sophos Management Server and Sophos Update Manager
    6. Reboot the server
    7. Run setup.exe to reinstall all components (This file may be located under C:\sec_###\ServerInstaller\.  Make sure this version matches your current version)
    8. Reboot the server (Or log out and in if prompted after install)
    9. The SEC server should now show up under Update Managers but may need to be configured with Sophos as an update source
    10. Navigate back to Endpoints > Updating policy and set your endpoint update location to the local server's updating share (\\SECSRV\SophosUpdate)

    If SEC does not show up under Update Managers, I would run in cmd "netstat -abno > C:\Windows\Temp\netstat.txt" and open this file to make sure port 51234 is not being taken by another program.
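The registry lookups in steps 1 to 4 and the port-51234 check at the end can be done in one elevated PowerShell session on the SEC server. The script below is an added example, not MEric's or Sophos's own code; it assumes 64-bit Windows (the WOW6432Node path quoted in the reply) and Windows 8/Server 2012 or later for Get-NetTCPConnection. It only reads the two account names; the passwords the reply says you need are not read here and must come from whoever did the original install.

```powershell
# Added example (not from the thread). Reads the account names the reply says to note
# before reinstalling, then reports which process, if any, is listening on TCP 51234,
# which is the same information "netstat -abno" gives, filtered to the one port.
# Assumes 64-bit Windows and an elevated session on the SEC server.
$ToolsKey = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\EE\Management Tools'

function Get-SecAccountNames {
    $db  = Get-ItemProperty -Path "$ToolsKey\DatabaseUser" -ErrorAction SilentlyContinue
    $sum = Get-ItemProperty -Path "$ToolsKey\SumUser"      -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DatabaseUserName = $db.DatabaseUserName
        SumUserName      = $sum.SumUserName
    }
}

function Get-ListenerOwner {
    param([int]$Port = 51234)
    # Listening socket joined to the owning process name and image path
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = $proc.ProcessName
                ImagePath    = $proc.Path
            }
        }
}

$accounts = Get-SecAccountNames
if (-not $accounts.DatabaseUserName -or -not $accounts.SumUserName) {
    Write-Warning "One or both account keys are missing under $ToolsKey; SEC/SUM may not be installed on this host."
}
$accounts | Format-List

$owners = @(Get-ListenerOwner -Port 51234)
if ($owners.Count -eq 0) {
    Write-Warning 'Nothing is listening on TCP 51234: the Update Manager service is not up on this server.'
} else {
    $owners | Format-Table -AutoSize
    # A listener whose image is not under a Sophos directory is the port clash the reply warns about.
    $foreign = $owners | Where-Object { $_.ImagePath -and $_.ImagePath -notmatch '\\Sophos\\' }
    if ($foreign) { Write-Warning 'TCP 51234 is held by a non-Sophos process; free it before reinstalling SUM.' }
}
```

Run it before step 5 to capture the account names, and again after step 8 to confirm SUM is the process on 51234. Get-Process only returns the image path of another account's process when the session is elevated, which is why the example assumes an elevated session.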

  • MEric,

    Thank you for the reply.
    Unfortunately I can't open up the registry on this server due to not having local admin rights. I will however pass this information over to the senior admin and see if they can at least check and see what the registry is reading and then decide on the reinstall. 

  • Update Manager is installed on the SEC server, I did confirm, however.

  • Does the SEC server show up with a green connected chain link or a red X next to the computer icon if you navigate to "Endpoints" in Enterprise Console?  Can you use PuTTY or the Telnet client on the SEC server to attempt to connect to localhost on ports 8192, 8194, and 51234?  8192 should shoot back an IOR string, 8194 should connect and disconnect with no data sent, and 51234 should request a password or show login failed.
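The three localhost checks above can be scripted instead of typed into PuTTY or Telnet, which also makes it easy to rerun them after the reinstall. This is an added example, not code from the thread or from Sophos: it uses System.Net.Sockets.TcpClient to connect, read whatever the service sends first, and compare the result with the behaviour the reply describes for each port. The 3-second timeout and the assumption that the 8192 reply contains the text "IOR" are mine.

```powershell
# Added example (not from the thread). Connects to each SEC/SUM port on localhost and
# reports whether the observed behaviour matches what the reply says to expect.
function Test-SecPort {
    param(
        [string]$ComputerName = 'localhost',
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000      # assumption: 3 s is enough on a local host
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return [pscustomobject]@{ Port = $Port; Connected = $false; Banner = ''; Note = 'connect timed out' }
        }
        $client.EndConnect($handle)          # throws if the port refused the connection
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $buffer = New-Object byte[] 4096
        $banner = ''
        try {
            $read = $stream.Read($buffer, 0, $buffer.Length)   # 0 means the peer closed cleanly
            if ($read -gt 0) { $banner = [Text.Encoding]::ASCII.GetString($buffer, 0, $read) }
        } catch [System.IO.IOException] {
            # Read timed out: connected, but the service sent nothing and kept the socket open
            $banner = ''
        }
        [pscustomobject]@{ Port = $Port; Connected = $true; Banner = $banner.Trim(); Note = '' }
    } catch {
        [pscustomobject]@{ Port = $Port; Connected = $false; Banner = ''; Note = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

# Expected behaviour per port, taken from the reply: 8192 returns an IOR string, 8194
# accepts and closes with no data, 51234 asks for a password or reports login failed.
# Matching "IOR" anywhere in the 8192 reply is an assumption about how the IOR is rendered.
$expectations = @{
    8192  = { param($r) $r.Connected -and $r.Banner -match 'IOR' }
    8194  = { param($r) $r.Connected -and $r.Banner -eq '' }
    51234 = { param($r) $r.Connected -and $r.Banner -ne '' }
}

foreach ($port in 8192, 8194, 51234) {
    $result = Test-SecPort -Port $port
    $ok     = & $expectations[$port] $result
    $status = if ($ok) { 'as expected' } else { 'UNEXPECTED' }
    $detail = if ($result.Connected) { "banner='$($result.Banner)'" } else { $result.Note }
    Write-Output ("{0,6}  {1,-12} {2}" -f $port, $status, $detail)
}
```

A refused connection on 51234 together with the earlier netstat check showing no listener points at SUM not running; a connection that is accepted but answered by something other than a password prompt points at another program holding the port.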