
Event ID 5154 and Sophos Patch

Hi,

I am receiving the following warnings both in the server's application log file and in the Patch Endpoint Communicator log file.

2014-07-22 14:15:19 | PID   1492 | TID     18 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"b12c6df8-e4ba-4fb9-b37f-6d47a5a87a7c"-- Evidence -- -- Evidence At Publish --

2014-07-22 14:15:34 | PID   1492 | TID     31 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"b12c6df8-e4ba-4fb9-b37f-6d47a5a87a7c"-- Evidence -- -- Evidence At Publish --

2014-07-22 14:15:50 | PID   1492 | TID     31 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"b12c6df8-e4ba-4fb9-b37f-6d47a5a87a7c"-- Evidence -- -- Evidence At Publish --

2014-07-22 14:18:38 | PID   1492 | TID     32 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"3dc3fdfe-bebf-4723-aab7-2f73bc31a963"-- Evidence -- -- Evidence At Publish --

2014-07-22 14:18:53 | PID   1492 | TID     32 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"3dc3fdfe-bebf-4723-aab7-2f73bc31a963"-- Evidence -- -- Evidence At Publish --

2014-07-22 14:19:08 | PID   1492 | TID     32 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"3dc3fdfe-bebf-4723-aab7-2f73bc31a963"-- Evidence -- -- Evidence At Publish --

As you can see, the Agent info changes every three warnings.

How can I stop these warnings from occurring?

Server is 2008R2 with a local database. Enterprise console is running at version 5.1.0.1839

Regards

Chris G.

  • Hello Chris,

    good question. I remember vaguely a similar but definitely not identical issue, quite some time ago during a Beta. Can't say how to stop these warnings (I will later suggest that you contact Support and please follow up here if you've been able to solve the problem :smileywink:) but I'll try to explain what it's about and what the consequences are.

    The Patch Agent (spa.exe) on the endpoint has to submit the patch assessment results to the server. Before doing so it has to register with the server. If an attempt fails it's immediately retried two times and then the registration is rescheduled for 15 minutes later. You'll find the corresponding entries in the endpoint's logs in ...\Sophos Patch Agent\Logs\. The value in Agent Info (also held in a registry key) should correspond to the Identitytag in the database and the Machine_ID.txt in ...\Autoupdate\[data\]. From here it would be just guesswork (like assuming that registration fails because another endpoint has already registered with the same AgentID ...). But anyway, these clients will not be able to send their PA results to SEC.

    Did I already suggest to contact Support? The logic involved (both on the endpoint and in SEC) is not immediately obvious from the database and the logs so I can't tell what is required to remedy this situation.

    Christian

  • Hi Christian,

    Thanks for your reply. I have submitted a support request so we'll see what they find.

    Cheers

    Chris G.

  • I received the following advice from Sophos support which has fixed the issue.

    Good day, thank you for contacting Sophos Technical Support. I have checked the log file that you sent and found the cause of this problem is that clients have been built from a disk image where the Sophos AutoUpdate machineID.txt is identical. This file should have been deleted when the image was created.

    What is really bizarre is that Sophos is NOT installed until after the image is deployed. The symptoms are the same and the fix worked. The only thing in common with the machines that had the issue is that Deep Freeze is on them. None of the machines that don't have Deep Freeze had an issue and NOT all the Deep Frozen machines had this issue, so I can only speculate that it was doing an update of some description (engine maybe) when the maintenance period ended. Either way, the issue is now resolved.

    What To Do

    To identify computers which have duplicate machineID.txt files, the below SQL query needs to be run:

    C:\OSQL -E -S .\SOPHOS

    1> SELECT Name, IdentityTag FROM SOPHOS51.dbo.computersanddeletedcomputers WHERE IdentityTag='1ab1234a-a123-12a1-ab12-a12345abc1a1'

    2> GO

    where the IdentityTag is the ID as logged against the error in the PatchEndpointCommunicator.log or event log, for example:

    2012-09-28 15:31:54 | PID 3328 | TID 25 | ID: 5154 | Severity: warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.303.0", Agent Info:"1ab1234a-a123-12a1-ab12-a12345abc1a1"

    To resolve this issue follow the below steps on each identified client:

    1. Stop the Sophos AutoUpdate service
    2. Stop the Sophos Patch Agent service
    3. Rename the below file to machine_ID.txt_old: C:\Program Files [ x86]\Sophos\AutoUpdate\data\machine_ID.txt (\ProgramData\ on Vista+)
    4. Delete the below registry value: HKLM\SOFTWARE\Sophos\Sophos Patch Agent\PatchAgentId
    5. Start the Sophos AutoUpdate service
    6. Start the Sophos Patch Agent service
    7. Once the issue is resolved the renamed file in step 3 (machine_ID.txt_old) can be safely deleted
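As an added example (not from the original thread and not Sophos code), the following Python script pulls the Agent Info GUIDs out of event 5154 lines in PatchEndpointCommunicator.log and generates the support query above for all of them at once, plus a query that lists every IdentityTag shared by more than one computer. The database and table names (SOPHOS51.dbo.ComputersAndDeletedComputers) are the ones in the support reply; the sample log is constructed and reuses the two GUIDs quoted in the thread.

```python
"""Extract Agent Info GUIDs from event-5154 lines and build the SEC lookup query."""
import re
from collections import Counter

# Strict GUID shape, so nothing else from a log line can ever reach the SQL text.
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
LINE_5154 = re.compile(r"\|\s*ID:\s*5154\s*\|.*Agent Info:\"(" + GUID + r")\"")
GUID_ONLY = re.compile(r"^" + GUID + r"$")

# Constructed sample log (not a real capture). The 5154 lines use the GUIDs from the
# thread; the ID 9999 line is filler so the event-ID filter is exercised.
SAMPLE_LOG = """\
2014-07-22 14:15:19 | PID   1492 | TID     18 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"b12c6df8-e4ba-4fb9-b37f-6d47a5a87a7c"
2014-07-22 14:15:34 | PID   1492 | TID     31 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"b12c6df8-e4ba-4fb9-b37f-6d47a5a87a7c"
2014-07-22 14:16:00 | PID   1492 | TID     31 | ID:  9999 | Severity:       info | constructed filler line, Agent Info:"00000000-0000-0000-0000-000000000000"
2014-07-22 14:18:38 | PID   1492 | TID     32 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"3dc3fdfe-bebf-4723-aab7-2f73bc31a963"
"""


def agent_ids_from_5154(log_text):
    """Return a Counter {guid: number of 5154 warnings} for the given log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_5154.search(line)
        if m:
            counts[m.group(1).lower()] += 1
    return counts


def lookup_sql(agent_ids, db="SOPHOS51"):
    """Build one ComputersAndDeletedComputers lookup covering every GUID.
    Only strictly GUID-shaped values are accepted, so inlining the literals is safe."""
    ids = sorted(set(agent_ids))
    for g in ids:
        if not GUID_ONLY.match(g):
            raise ValueError("not a GUID: %r" % g)
    in_list = ", ".join("'%s'" % g for g in ids)
    return ("SELECT Name, IdentityTag FROM %s.dbo.ComputersAndDeletedComputers "
            "WHERE IdentityTag IN (%s) ORDER BY IdentityTag, Name" % (db, in_list))


def duplicates_sql(db="SOPHOS51"):
    """Query listing every IdentityTag held by more than one computer (logged or not)."""
    return ("SELECT IdentityTag, COUNT(*) AS Machines FROM %s.dbo.ComputersAndDeletedComputers "
            "GROUP BY IdentityTag HAVING COUNT(*) > 1" % db)


if __name__ == "__main__":
    ids = agent_ids_from_5154(SAMPLE_LOG)
    for guid, n in ids.most_common():
        print("%s  %d warnings" % (guid, n))
    print(lookup_sql(ids))
    print(duplicates_sql())
```

Run the generated statements through osql as in the support reply; any IdentityTag returned for more than one Name is a cloned machine_ID.txt and gets the seven-step fix above.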