Client machine not showing status on SEC

Hey,

Server: MS Server 2003 32-bit

SEC: v5.0.0.8

Client: v10.0.3

Client OS: Windows 7 Pro 64-bit

I have a client machine that for some reason is not showing a status for the following categories:

Up to date

On-access

Application Control on-access

Data control scanning

Device control scanning

Tamper protection

It is showing status for the following categories:

Firewall

Patch assessment

I can't seem to pinpoint what is causing the issue.

I have had problems with the same client in the past but have somehow been successful in getting the status to show up again. This time around I am unable to get the status to come back. I have tried reinstalling the client software with no luck.

I have followed the advice given in this post: No Status for On-access

I know there is communication between the client and the SEC because when I stop the "Sophos Message Router" service on the client machine the status of the client's machine shows offline on the SEC.

Is there anything further that I can do to try and figure out why the status keeps dropping out on this client machine?

Cheers

:24407

  • Hi,

    It does sound like the problem lies with the SAVAdapter (the link between SAV and the RMS, specifically the Sophos Agent service). The SAVAdapter is responsible for gathering all the info you are missing.

    You could just check that "NT AUTHORITY\System" is a member of the local "SophosAdministrator" group on the client, as the Adapter needs to call into SAV to get the info. If not added, add it and then restart the Sophos Agent service to trigger a status message to SEC.

    If not, you can increase the logging of the Management Agent (LogLevel 2) as per: http://www.sophos.com/support/knowledgebase/article/30496.html

    Then restart the agent; you should see the following lines:

    T Entering void AdapterManager::LoadAdapter( std::string& SAV, std::string& C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdapter.dll)

    D SAVXP Adapter: SavAdapter created

    D SAVXP Adapter: ... Loading configuration

    T SAVXP Adapter: Policy::ReapplyStoredPolicy(): from APPCAdapterConfig

    etc..

    Basically, all the lines that start "SAVXP Adapter: ". Maybe you can make this log available on a file sharing site.

    Regards,

    Jak

    :24419
  • Hi jak,

    I checked the local "SophosAdministrator" account and "NT AUTHORITY\System" is already a member.

    I will move onto your second suggestion.

    Should I use the Sophos Diagnostic Tool to collect the logs? Or is there a specific log file that I should look for?

    Thank you,

    Cheers

    :24425
  • Hi jak,

    I enabled the log level to 2.

    I restarted the services as instructed.

    I wasn't exactly sure what log file I should look at so I just started poking around.

    I came across this log file: C:\ProgramData\Sophos\Remote Management System\3\Agent\Logs

    I was looking at the logs under this directory and discovered the following error:

    D SAVXP Adapter: --RefreshConfigData--

    E SAVXP Adapter: Failed to create instance of SAVXP Component Manager

    And a few additional messages:

    SAVXP Adapter: GetStatus()

    D SAVXP Adapter: Match state: NoComparison

    D SAVXP Adapter: Match state: NoComparison

    D SAVXP Adapter: Match state: NoComparison

    D SAVXP Adapter: Match state: NoComparison

    D SAVXP Adapter: Match state: NoComparison

    Not sure if this error is significant in any way but I thought I would throw it up just in case.

    :24435
  • Hello toddh,

    you've looked at the right log and it seems the Component Manager is the problem. Can't say right now what to look for next but maybe a search for Component Manager (here and/or the knowledge base) will give you some hints.

    Christian
    :24439
  • Hey QC,

    Thanks for the reply.

    So the error message that I observed isn't something that is normal?

    I wasn't really sure because from time to time I come across errors using other applications and they are considered "normal" based on certain criteria or how the application is set up.

    I will take your advice and try and do some additional digging on my own!

    Cheers

    :24441
  • Hi,

    E SAVXP Adapter: Failed to create instance of SAVXP Component Manager

    is definitely the problem, the adapter can't speak to SAV to find out its state.

    I assume if SAV is working on the client the component manager component is working? You may want to check the Event log for errors when starting the SAV Service just to check nothing is thrown in there. Can you open the SAV GUI and make changes to the config locally?

    The component manager is a COM component served up by the componentmanager.dll as hosted by the SAVService; you can check it's installed by running dcomcnfg. If it exists there, it's odd that the ManagementAgentNt.exe process, which is running as system, can't create an instance of the object.

    You mentioned you tried uninstalling and reinstalling SAV first but that didn't help? This is quite surprising and makes me think some old registry keys relating to the component's registration are left behind and are the problem.

    Maybe running Process Monitor while starting the Sophos Agent service will show the COM based lookups taking place. Maybe you could compare this machine with another (running the same version) at that point.

    The other option is to remove everything Sophos from the machine, reboot and trawl through HKCR for references to Sophos and delete them. Once complete, attempt a reinstall.

    Tricky one.

    Regards,

    Jak

    :24445
  • Hi jak,

    Thank you for your reply.

    As far as I can tell the SAV is working on the machine. And as far as I can tell all the components are working on the machine. It is definitely a weird situation.

    I will take your suggestions and start digging through the logs to see if I can figure out what is going on.

    At one point, yes, this particular machine was showing its status correctly. I have had this issue in the past with the particular machine (it happens to be the same user as well), but I have been able to correct it.

    Now, when you started talking about the registry you got me thinking.

    This particular user looks like they have installed and probably run a utility called CCleaner. This utility (among other things) is used to clean out registry entries that are deemed "unused".

    I wonder if it's possible that this program has removed registry keys it shouldn't have.

    (don't ask why the user is allowed to install an application such as this, this is a sore subject :smileyvery-happy:)

    What I might try to do after doing some digging is a completely fresh install of Sophos, and then remove CCleaner so that the user can't run it and just see what happens.

    I will try all that you have suggested though and report back.

    thank you

    :24447
  • Hi,

    Missing registry keys could certainly be the cause here and quite likely. Maybe when they ran CCleaner and it asked to clean the registry they chose the option to back up to a reg file before deleting? If you had the reg files you could see if any Sophos keys were removed.

    For example, on my machine, if I rename:

    HKEY_CLASSES_ROOT\TypeLib\{7B1F77BE-23A0-43AF-BF0F-E2B741B0B0B1}

    so it's not found, I get this message in the Agent log. So I think Process Monitor on a working machine vs this machine, filtered by registry access and maybe also on not found items, will do it.

    If all else fails you could try running:

    regsvr32 ComponentManager.dll

    to try to re-register the dll. This will re-write the registration keys for this component, but if this works so should a re-install.

    Regards,

    Jak

    :24449
  • Hey jak,

    Well I did some hunting on the machine in question and I did find a registry backup made from CCleaner.

    It has one entry pertaining to Sophos:

    [HKEY_CLASSES_ROOT\CLSID\{D2B7A809-15DC-40B4-A1E1-C61EA97191DB}\LocalServer32]
    @="C:\\PROGRA~1\\Sophos\\SOPHOS~1\\SAVSER~1.EXE"

    Not sure if this key in particular would cause the issue I am seeing.

    The other thing is that this was created way back in 2010, but this problem reappeared only recently.

    Now, that is not to say that the user didn't re-run CCleaner and not create a backup this time around.

    I still need to sift through the logs to see if I can find any additional information that might explain what is happening.

    In the meantime, to be safe, I will uninstall CCleaner to rule out this application being the problem 100%.

    Cheers

    ============================================================

    So I started digging through the Event Logs in Windows.

    The first problem I noticed was with the "Sophos Device Control Service" complaining that it couldn't start.

    When I tried starting the service I got a "....Access denied...." error message which I thought was sort of weird.

    This led me to look at the System logs in Event Viewer where I came across the following error:

    Log Name: System

    Source: Distributed COM

    Event ID: 10016

    The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {D2B7A809-15DC-40B4-A1E1-C61EA97191DB} and APPID Unavailable to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

    When I looked up the CLSID {D2B7A809-15DC-40B4-A1E1-C61EA97191DB} in the registry I found the entry

    Infrastructure.ComponentManager

    I looked through the registry a little more and was able to link this CLSID to the SAVservice. So as far as I can tell this CLSID is tied to Sophos.

    I am not sure if this is what is causing my issue. But I think probably correcting this issue would be a good place to start.

    I have a sneaking suspicion that I should probably just completely blow away the installation on this computer and reinstall everything from scratch.

    But I will still run through the logs and see if there is anything else.

    Cheers

    :24485
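An added check for the situation described in the last two posts (my own example, not code from this thread or from Sophos): it pulls the DCOM 10016 events from the System log, extracts the CLSID and user each one names, and reports whether that CLSID is still registered, in both the 64-bit and Wow6432Node views of HKCR, and whether the LocalServer32 executable it points at is actually on disk, which is the kind of missing registration the .reg backup and regsvr32 discussion above is about. It assumes the event text has the shape quoted above and that PowerShell is run elevated on the client.

```powershell
# Added example, not Sophos code. Run in an elevated PowerShell on the affected client.
function Get-DcomActivationFailure {
    param([int]$MaxEvents = 50)
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: message reads "... CLSID {..} and APPID .. to the user <account> SID (S-1-..)"
            $m = $_.Message
            $clsid = if ($m -match 'CLSID\s*(\{[0-9A-Fa-f-]{36}\})') { $Matches[1] } else { $null }
            $appid = if ($m -match 'APPID\s*(\{[0-9A-Fa-f-]{36}\})') { $Matches[1] } else { 'Unavailable' }
            $user  = if ($m -match 'to the user (.+?) SID')          { $Matches[1] } else { $null }
            [pscustomobject]@{ Time = $_.TimeCreated; CLSID = $clsid; APPID = $appid; User = $user }
        }
}

function Test-ClsidRegistration {
    param([Parameter(Mandatory)][string]$Clsid)
    # A 32-bit product on a 64-bit OS registers under Wow6432Node, so check both views.
    foreach ($hive in 'HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
        $key = "Registry::$hive\$Clsid"
        $r = [ordered]@{ CLSID = $Clsid; Hive = $hive; Exists = (Test-Path -LiteralPath $key) }
        if ($r['Exists']) {
            $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
            $r['Name']  = $props.'(default)'          # e.g. a ProgID-style friendly name
            $r['AppID'] = $props.AppID                # APPID the DCOM permissions hang off
            $srv = Get-ItemProperty -LiteralPath "$key\LocalServer32" -ErrorAction SilentlyContinue
            $r['LocalServer32'] = $srv.'(default)'
            # LocalServer32 may be quoted and carry arguments; test only the executable path.
            if ($r['LocalServer32'] -match '^"?([^"]+?\.exe)') {
                $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
                $r['ServerOnDisk'] = Test-Path -LiteralPath $exe
            }
        }
        [pscustomobject]$r
    }
}

# Check every CLSID that a 10016 event complained about; a missing key, missing AppID
# or LocalServer32 pointing at a non-existent exe is the registration damage to repair.
Get-DcomActivationFailure | Where-Object CLSID | Select-Object -ExpandProperty CLSID -Unique |
    ForEach-Object { Test-ClsidRegistration -Clsid $_ } | Format-List
```

Run the same script on a known-good client with the same Sophos version and diff the two outputs; a CLSID that exists with an AppID and ServerOnDisk = True there but not on the broken machine is the key to restore or re-register.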
  • Hey,

    Last night I tried tackling the machine in question.

    I was following a tutorial on how to correct the COM server permission error I was getting.

    Unfortunately when I was trying to locate the CLSID in Component Services I was able to locate it.

    So after all that I finally just decided to completely blow away the Sophos installation.

    I removed all the components, rebooted and reinstalled Sophos.

    As of this morning the machine is still showing all statuses.

    I will monitor it and see if it disappears again.

    Thanks to jak and QC for your help, it is much appreciated.

    Sorry I couldn't have come up with a more reliable solution :smileysad:

    Cheers

    :24535