Sophos AutoUpdate failing on PCs where they are limited to certain websites

We have a bunch of PCs in our factory that have limited website access. There is a list of approved websites they can reach.

On these units Sophos will not update. I am trying to find out the location of the site it's trying to download from so I can add it to the list of sites these PCs can access.

 

Thanks,

Steve

  • Hi Steve,

     

    Is that Endpoint managed via Sophos Central [cloud]?

    In that case, please follow the Link here and reinstall Sophos Autoupdate manually and see if that fixes the issue.

    Sophos AutoUpdate is missing during the initial Sophos Cloud installation or during an update.

     

    If that is an Endpoint managed by an on-premise version, then please check the MSI Install logs located at C:\Windows\Temp or %temp% folder on that device to find the error message.

    An uninstall and reinstall will also help.

  • In reply to SAJ:

    Thank you for the reply.

     

    I do not have that issue. All the services are there and running. However, I did go and try the instructions sent, but even with Admin rights on that PC it won't complete the install, saying:

    Could not delete key \SOFTWARE\Sophos\Remote Management System\ManagementAgent\Adapters\ALC. Then it says it can't write the value either.

     

    The issue is we have web access rules on these PCs; they aren't reaching the server to do the update.

    If I knew what the server name/IP is that autoupdate is reaching I can add it to the list of approved websites and it should let us update Sophos.

     

  • In reply to Steve Venice:

    Hi Steve,

     

    Here is the list of domains you need to whitelist to access Sophos cloud servers for updates.

     Sophos Central: Domains and ports required for communication to and from Sophos Central Admin and the Sophos Central managed endpoint

     

     

  • In reply to SAJ:

    Saj,

     

    Thank you for that document. That is exactly what I needed. However I noticed in the doc it showed where some of the logs were so I took a look to see if it showed exactly which site it was trying to reach.

    It did and I noticed that it started back in August. 

    2019-11-20T14:12:13.943Z [ 6468] [v6.0.457.0] INFO No update caches configured
    2019-11-20T14:12:13.943Z [ 6468] [v6.0.457.0] INFO Updating over HTTP
    2019-11-20T14:12:14.754Z [ 6468] [v6.0.457.0] INFO No manually configured proxy.
    2019-11-20T14:12:14.754Z [ 6468] [v6.0.457.0] INFO WinHttp default proxy not set
    2019-11-20T14:12:14.770Z [ 5268] [v6.0.457.0] WARN Failed to get the automatic proxy configuration. The error code was 12180.
    2019-11-20T14:12:14.770Z [ 6468] [v6.0.457.0] INFO Trying update location: dci.sophosupd.com/.../c81ebd40582d49026d19aaf659f56eea.dat with proxy: <direct; no proxy>
    2019-11-20T14:12:19.763Z [ 6468] [v6.0.457.0] WARN Failed update location: http://dci.sophosupd.com with proxy: <direct; no proxy>: WinHttpReceiveResponse failed with error code 12002
    2019-11-20T14:12:19.763Z [ 6468] [v6.0.457.0] INFO Trying update location: dci.sophosupd.net/.../c81ebd40582d49026d19aaf659f56eea.dat with proxy: <direct; no proxy>
    2019-11-20T14:12:24.771Z [ 6468] [v6.0.457.0] WARN Failed update location: http://dci.sophosupd.net with proxy: <direct; no proxy>: WinHttpReceiveResponse failed with error code 12002
    2019-11-20T14:12:24.771Z [ 6468] [v6.0.457.0] INFO Trying update location: dci.sophosupd.com/.../c81ebd40582d49026d19aaf659f56eea.dat with proxy: <direct; no proxy>
    2019-11-20T14:12:29.764Z [ 6468] [v6.0.457.0] WARN Failed update location: http://dci.sophosupd.com with proxy: <direct; no proxy>: WinHttpReceiveResponse failed with error code 12002
    2019-11-20T14:12:29.764Z [ 6468] [v6.0.457.0] INFO Trying update location: dci.sophosupd.net/.../c81ebd40582d49026d19aaf659f56eea.dat with proxy: <direct; no proxy>
    2019-11-20T14:12:34.772Z [ 6468] [v6.0.457.0] WARN Failed update location: http://dci.sophosupd.net with proxy: <direct; no proxy>: WinHttpReceiveResponse failed with error code 12002
    2019-11-20T14:12:34.772Z [ 6468] [v6.0.457.0] INFO Trying update location: dci.sophosupd.com/.../c81ebd40582d49026d19aaf659f56eea.dat with proxy: <direct; no proxy>
    2019-11-20T14:12:39.764Z [ 6468] [v6.0.457.0] WARN Failed update location: http://dci.sophosupd.com with proxy: <direct; no proxy>: WinHttpReceiveResponse failed with error code 12002
    2019-11-20T14:12:39.764Z [ 6468] [v6.0.457.0] INFO Trying update location: dci.sophosupd.net/.../c81ebd40582d49026d19aaf659f56eea.dat with proxy: <direct; no proxy>
    2019-11-20T14:12:44.773Z [ 6468] [v6.0.457.0] WARN Failed update location: http://dci.sophosupd.net with proxy: <direct; no proxy>: WinHttpReceiveResponse failed with error code 12002
    2019-11-20T14:12:44.773Z [ 6468] [v6.0.457.0] INFO Trying update location: dci.sophosupd.com/.../c81ebd40582d49026d19aaf659f56eea.dat with proxy: <direct; no proxy>
    2019-11-20T14:12:49.765Z [ 6468] [v6.0.457.0] WARN Failed update location: http://dci.sophosupd.com with proxy: <direct; no proxy>: WinHttpReceiveResponse failed with error code 12002
    2019-11-20T14:12:49.765Z [ 6468] [v6.0.457.0] INFO Trying update location: dci.sophosupd.net/.../c81ebd40582d49026d19aaf659f56eea.dat with proxy: <direct; no proxy>
    2019-11-20T14:12:54.774Z [ 6468] [v6.0.457.0] WARN Failed update location: http://dci.sophosupd.net with proxy: <direct; no proxy>: WinHttpReceiveResponse failed with error code 12002
    2019-11-20T14:12:54.774Z [ 6468] [v6.0.457.0] INFO Trying update location: dci.sophosupd.com/.../c81ebd40582d49026d19aaf659f56eea.dat with proxy: <direct; no proxy>
    2019-11-20T14:12:59.766Z [ 6468] [v6.0.457.0] WARN Failed update location: http://dci.sophosupd.com with proxy: <direct; no proxy>: WinHttpReceiveResponse failed with error code 12002
    2019-11-20T14:12:59.766Z [ 6468] [v6.0.457.0] INFO Trying update location: dci.sophosupd.net/.../c81ebd40582d49026d19aaf659f56eea.dat with proxy: <direct; no proxy>
    2019-11-20T14:13:04.774Z [ 6468] [v6.0.457.0] WARN Failed update location: http://dci.sophosupd.net with proxy: <direct; no proxy>: WinHttpReceiveResponse failed with error code 12002
    2019-11-20T14:13:05.617Z [ 6468] [v6.0.457.0] ERROR No reachable update locations

     

    I've reached out to my network vendor to open up our web services so they can access dci.sophosupd.net. I'll see if this fixes the issue.
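A way to reduce a log like the one quoted above to the facts a filter administrator needs (which hosts were tried, which WinHTTP call failed with which code, and how long each attempt waited), as an added example that is not part of the thread. The function names are hypothetical, and the sample is five lines copied from the excerpt.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# WinHTTP error codes from winhttp.h that matter for update failures.
WINHTTP = {12002: "ERROR_WINHTTP_TIMEOUT", 12007: "ERROR_WINHTTP_NAME_NOT_RESOLVED",
           12029: "ERROR_WINHTTP_CANNOT_CONNECT"}
LINE = re.compile(r"^(\S+) \[\s*\d+\] \[v[\d.]+\] (?:INFO|WARN|ERROR) (.*)$")
TRY = re.compile(r"Trying update location: (\S+) with proxy: ")
FAIL = re.compile(r"Failed update location: (\S+) with proxy: .+?: "
                  r"(\w+) failed with error code (\d+)$")

# Five lines copied from the log excerpt in the post above.
SAMPLE = """\
2019-11-20T14:12:14.770Z [ 6468] [v6.0.457.0] INFO Trying update location: dci.sophosupd.com/.../c81ebd40582d49026d19aaf659f56eea.dat with proxy: <direct; no proxy>
2019-11-20T14:12:19.763Z [ 6468] [v6.0.457.0] WARN Failed update location: http://dci.sophosupd.com with proxy: <direct; no proxy>: WinHttpReceiveResponse failed with error code 12002
2019-11-20T14:12:19.763Z [ 6468] [v6.0.457.0] INFO Trying update location: dci.sophosupd.net/.../c81ebd40582d49026d19aaf659f56eea.dat with proxy: <direct; no proxy>
2019-11-20T14:12:24.771Z [ 6468] [v6.0.457.0] WARN Failed update location: http://dci.sophosupd.net with proxy: <direct; no proxy>: WinHttpReceiveResponse failed with error code 12002
2019-11-20T14:13:05.617Z [ 6468] [v6.0.457.0] ERROR No reachable update locations
"""

def host_of(location):
    # The log writes locations both as 'host/path' and as 'http://host'.
    return urlsplit(location if "://" in location else "//" + location).hostname

def summarize(text):
    """Per host: attempts, failing call and code, seconds from try to failure."""
    hosts = defaultdict(lambda: {"attempts": 0, "errors": set(), "waits": []})
    started, unreachable = {}, False
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ")
        msg = m.group(2)
        if t := TRY.search(msg):
            host = host_of(t.group(1))
            hosts[host]["attempts"] += 1
            started[host] = ts
        elif f := FAIL.search(msg):
            host, code = host_of(f.group(1)), int(f.group(3))
            hosts[host]["errors"].add((f.group(2), WINHTTP.get(code, str(code))))
            if host in started:
                hosts[host]["waits"].append(round((ts - started.pop(host)).total_seconds(), 1))
        elif msg == "No reachable update locations":
            unreachable = True
    return dict(hosts), unreachable
```

A wait of about five seconds on every attempt, paired with a timeout code rather than a name-resolution or connect error, points at traffic being silently dropped on the path rather than at DNS.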

  • In reply to Steve Venice:

    According to my vendor, he is saying that the server for sophosupd is already in our web list, so I'm not sure where the problem is coming from. I have confirmed I can ping the server from the PCs, but Sophos just won't update anymore.

     

    Any more ideas are appreciated.

     

    Steve

  • In reply to Steve Venice:

    Hello Steve,

    "I can ping"
    I can't refrain from pointing out time and again that ping (contrary to common expectation) doesn't tell much, if anything at all. That it succeeds only confirms that there is a network path to the update servers.
    We're concerned with an application that encounters a 12002 (timeout). The problem is likely in the transport (TCP) or application (HTTPS) layer. Please try to open the update location with a browser. The result should indicate whether the location can't be reached (i.e. it doesn't get as far as sending a request) or no response is received.

    Christian

  • In reply to Steve Venice:

    The most useful next step would be to get a Wireshark capture during the update attempt and see what is happening.

    Specifically, see if you are getting replies from the servers. Also, see if you are getting RST packets back.

    If you are getting replies, check with your ISP if they are doing an HTTPS proxy or web caching server. Any other systems in the way that alter the traffic, such as HTTPS inspection or proxies, can cause problems with the update.

    Finally, you could also try using an update cache in your local network which your endpoints update from. Then you can just open up the network for just the update cache.

  • In reply to RichardP:

    Just want to give a final update on this issue.


    The resolution was as originally thought: our web filter was blocking access. There is a built-in filter for Sophos in the VeloCloud devices that we use, but it seems like it stopped working in August. To get around this for now (hoping an update to these boxes may resolve it), we manually added the address into the allowed web sites. What made it more complex was the fact that the web filter can only take IP addresses, and dci.sophosupd.net has multiple IP addresses when you ping it from different machines, as does dci.sophosupd.com.

     

    Putting the multiple addresses we found for the sites into our web filter started letting our devices update again.
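The situation in this final post (a filter that takes only IP addresses, for hostnames that resolve to several) together with the earlier point that a successful ping says nothing about TCP, as an added example that is not part of the thread: it resolves every address for a host, checks each against the filter's list and classifies a TCP connect attempt. The function names are hypothetical; the resolver and connector stand-ins, `updates.example.test` and the 192.0.2.x addresses are constructed so the example runs offline.

```python
import socket

def resolve_ips(host, port, getaddrinfo=socket.getaddrinfo):
    """Every IPv4 address this machine's resolver returns for host."""
    infos = getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def tcp_state(ip, port, connect=socket.create_connection, timeout=5.0):
    """Classify a TCP connect attempt; a successful ping predicts none of these."""
    try:
        connect((ip, port), timeout).close()
        return "open"
    except socket.timeout:
        return "timeout"   # no answer at all: the usual signature of a filter drop
    except ConnectionRefusedError:
        return "refused"   # an RST came back
    except OSError as exc:
        return "error: %s" % exc

def audit(host, port, allowed_ips, getaddrinfo=socket.getaddrinfo,
          connect=socket.create_connection):
    """For each resolved IP: is it in the filter's list, and does TCP connect?"""
    return {ip: {"allowlisted": ip in allowed_ips,
                 "tcp": tcp_state(ip, port, connect)}
            for ip in resolve_ips(host, port, getaddrinfo)}

# Constructed stand-ins so the example runs offline: a resolver that returns
# two documentation-range addresses and a connector that reaches only one.
class FakeSocket:
    def close(self):
        pass

def fake_getaddrinfo(host, port, family, socktype):
    ips = ("192.0.2.10", "192.0.2.20", "192.0.2.10")
    return [(family, socktype, 6, "", (ip, port)) for ip in ips]

def fake_connect(address, timeout):
    if address[0] == "192.0.2.10":
        return FakeSocket()
    raise socket.timeout("timed out")

def demo():
    # 'updates.example.test' and the allowlist are placeholders.
    return audit("updates.example.test", 80, {"192.0.2.10"},
                 fake_getaddrinfo, fake_connect)

if __name__ == "__main__":
    print(demo())
```

Calling `audit` without the last two arguments uses the real resolver and sockets. Because the answer set differs between machines and over time, an address that resolves but is not in the filter's list is the one to look at first.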

  • In reply to Steve Venice:

    Hi  

    Glad to know that you were able to fix this. Thank you for updating the resolution as well. Feel free to reach out to us for any further concerns.