Client machine not showing status on SEC

Hey,

Server: MS Server 2003 32-bit

SEC: v5.0.0.8

Client: v10.0.3

Client OS: Windows 7 Pro 64-bit

I have a client machine that for some reason is not showing a status for the following categories:

Up to date

On-access

Application Control on-access

Data control scanning

Device control scanning

Tamper protection

It is showing status for the following categories:

Firewall

Patch assessment

I can't seem to pinpoint what is causing the issue.

I have had problems with the same client in the past but have somehow been successful in getting the status to show up again. This time around I am unable to get the status to come. I have tried reinstalling the client software with no luck.

I have followed the advice given in this post: No Status for On-access

I know there is communication between the client and the SEC because when I stop the "Sophos Message Router" service on the client machine the status of the client's machine shows offline on the SEC.

Is there anything further that I can do to try and figure out why the status keeps dropping out on this client machine?

Cheers

  • Hey jak,

    Well I did some hunting on the machine in question and I did find a registry backup made from CCleaner.

    It has one entry pertaining to Sophos:

    [HKEY_CLASSES_ROOT\CLSID\{D2B7A809-15DC-40B4-A1E1-C61EA97191DB}\LocalServer32]
    @="C:\\PROGRA~1\\Sophos\\SOPHOS~1\\SAVSER~1.EXE"

    Not sure if this key in particular would cause the issue I am seeing.

    The other thing is that this was created way back in 2010, but this problem reappeared only recently.

    Now, that is not to say that the user didn't re-run CCleaner and not create a backup this time around.

    I still need to sift through the logs to see if I can find any additional information that might explain what is happening.

    In the meantime, to be safe, I will uninstall CCleaner to rule out this application being the problem 100%.

    Cheers

    ============================================================

    So I started digging through the Event Logs in Windows.

    The first problem I noticed was with the "Sophos Device Control Service" complaining that it couldn't start.

    When I tried starting the service I got a "....Access denied...." error message which I thought was sort of weird.

    This led me to look at the System logs in Event Viewer where I came across the following error:

    Log Name: System

    Source: Distributed COM

    Event ID: 10016

    The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {D2B7A809-15DC-40B4-A1E1-C61EA97191DB} and APPID Unavailable to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

    When I looked up the CLSID {D2B7A809-15DC-40B4-A1E1-C61EA97191DB} in the registry I found the entry

    Infrastructure.ComponentManager

    I looked through the registry a little more and was able to link this CLSID to the SAVservice. So as far as I can tell this CLSID is tied to Sophos.

    I am not sure if this is what is causing my issue. But I think probably correcting this issue would be a good place to start.

    I have a sneaking suspicion that I should probably just completely blow away the installation on this computer and reinstall everything from scratch.

    But I will still run through the logs and see if there is anything else.

    Cheers
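
The two manual steps in the post above (finding the DCOM 10016 events, then looking up the CLSID in the registry) combined into one read-only check. This is an added PowerShell example, not part of the original thread; the helper name `Get-ComClassInfo` and the 500-event limit are assumptions.

```powershell
# Added example (not from the thread). Read-only: queries the System log and HKCR.
# The pattern follows the rendered text of DCOM event 10016 as quoted in the post.
$pattern = 'CLSID\s+(?<clsid>\{[0-9A-Fa-f-]{36}\})\s+and APPID\s+' +
           '(?<appid>\{[0-9A-Fa-f-]{36}\}|Unavailable)\s+to the user\s+' +
           '(?<user>.+?)\s+SID\s+\((?<sid>S-[0-9-]+)\)'

# Hypothetical helper: what does the registry hold for this COM class?
function Get-ComClassInfo {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $info = @{ Registered = $false; Name = $null; AppId = $null; LocalServer32 = $null }
    $base = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (Test-Path -LiteralPath $base) {
        $key = Get-Item -LiteralPath $base
        $info.Registered = $true
        $info.Name  = $key.GetValue('')        # default value of the CLSID key
        $info.AppId = $key.GetValue('AppID')   # AppID value, if the class has one
        $sub = $key.OpenSubKey('LocalServer32')
        if ($sub) { $info.LocalServer32 = $sub.GetValue(''); $sub.Close() }
    }
    New-Object psobject -Property $info
}

# Pull recent 10016 events and extract CLSID, APPID and the denied account.
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10016 } `
            -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match $pattern) {
            New-Object psobject -Property @{
                Time = $_.TimeCreated; Clsid = $Matches['clsid']; EventAppId = $Matches['appid']
                User = $Matches['user']; Sid = $Matches['sid']
            }
        }
    }

# One row per (CLSID, account) pair; Get-WinEvent returns newest events first.
if ($hits) {
    $hits | Group-Object Clsid, Sid | ForEach-Object {
        $e = $_.Group[0]
        $c = Get-ComClassInfo -Clsid $e.Clsid
        New-Object psobject -Property @{
            Count = $_.Count; LastSeen = $e.Time; User = $e.User; Sid = $e.Sid
            Clsid = $e.Clsid; EventAppId = $e.EventAppId; Registered = $c.Registered
            ClassName = $c.Name; RegistryAppId = $c.AppId; LocalServer32 = $c.LocalServer32
        }
    } | Select-Object Count, LastSeen, User, Sid, Clsid, EventAppId, Registered,
                      ClassName, RegistryAppId, LocalServer32 | Format-List
}
```

On 64-bit Windows, a class registered only by 32-bit software is visible in the 32-bit registry view, so if `Registered` comes back `False`, run the same block from the 32-bit PowerShell as well.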
