
Mac with SAV installed not showing up in SEC 5.4.1

Hello, 


I am testing a couple of issues we have been experiencing with the SophosScanD process using one of our production Macs. During my testing I had to reinstall Sophos. After removing the device from SEC and uninstalling from the endpoint, then reinstalling SAV back onto the machine and applying the same update config as it had previously, the machine is not showing up in the Unassigned folder as expected. I have checked the logs and it is communicating with the primary server and receiving updates, but despite uninstalling and reinstalling SAV 2x on the machine, it still does not show back up in SEC. Any ideas what to do?



This thread was automatically locked due to age.
  • Hello SadiAhmed,

    "the machine is not showing up in the Unassigned folder as expected"

    If you Delete a machine in SEC it's just hidden but remains in its last group. If you reinstall and it reports back the same name (this is simplified, actually it's more complex) it could re-appear where you've deleted it - but you've probably checked that.
    Please view the Network Report /Library/Logs/SophosMessageRouter/NetworkReport/ReportData.xml - it will tell you whether the Mac from its POV is able to locate and connect to the management server. If there's no error and the correct parent listed then you should find the Mac in SEC.

    Christian

  • I checked for the laptop this morning and sure enough after searching for it again it was in the initial folder I had deleted it from (although I had checked the entire server and not just unassigned). There is one issue though, the device is now showing offline despite being online. Which leads me to 2 questions. 

    1. Would I need to remove it and wait for it to show up again to get the correct active instance of this and not what might have been an unsynced duplicate from when I had previously installed Sophos on the machine (from what I could tell by the update time stamp it was prior to my reinstall)?

    2. Typically how long does it take for a machine to show up in the SEC after removal? Is it after an update check? I have the endpoints set to communicate after 10 minutes, so is that the expected sync time with the console as well? 

  • Hello SadiAhmed,

    as you mention unsynced duplicate - do you use AD sync in an AD environment?
    Anyway, to determine whether an endpoint has recently contacted SEC (and is thus at least partially "alive") use the Computer Details tab, Last message time.

    "set to communicate after 10 minutes"

    What you set is the update interval (or, more exactly, the check-for-updates interval). You can modify the communications settings. If the endpoint has something to report (threat detection, successful update, any other alert or error) it will send this information immediately. Thus there should be almost no delay until you see a new install (at least for Windows endpoints you can even see the different components appear).
    If you "delete" an active and connected computer it will reappear with the next message (the next actual update, i.e. one or more new IDEs, latest).

    Christian