Different IDE Numbers

Hi Everyone,

I tried searching for a reason where I couldn't really find an answer, but is there a reason why there are different IDE numbers for certain OS's? For the few XP machines we have, the IDE is 261 and Server 2003 is 120. 

Anything from Windows 7+ and Server 2008+ seems to get the current IDE number.

I just would like to know a reason just incase we get audited and they ask for a reason. Thank you!

 

Also, in our VDI environment, SEC is not updating most of the virtual desktops status (IDE and Last Scan Completed), but if I look at the desktop locally, the IDE and 'Last Scan Completed' date are current. Is there a way to fix this in bulk? 

I tried using this procedure (https://community.sophos.com/kb/en-us/12561) and it works if I do every desktop individually, but if I apply it to the master image then recompose the VDI's, it will not work for some reason. Am I missing a step?

 

- Jeremy

  • Hi  

    Sophos Anti-Virus IDE files are cross-platform. All operating system versions of Sophos Anti-Virus can use the same IDE files but the numbers may differ as per the OS infrastructure. You can always check if you are up-to-date by checking Latest IDE files, please find the link here. Support for XP and 2003 has been stopped, but we do offer extended support for both if you have purchased the same. 

  • Hello Jeremy,

    these are several questions.
    First of all, XP and 2003: You do have Extended Support, don't you? Did you switch the machines to the correct subscription? Also note that the number of IDEs is only meaningful in the conjunction with the Detection Data (currently 5.70 for Recommended) version. The number of IDEs goes up and then down again when a new Detection Data version is released. If you view the Computer Details tab for these machines - is the Last message time current? 

    in our VDI environment, SEC is not updating
    SEC relies on the endpoints sending their status. Do they appear as Connected or Disconnected? Please also check the Last message time mentioned above.

    if I apply it to the master image
    what happens when you deploy a virtual desktop from this image? Does it appear in SEC or not at all? If it appears - is it with the initial status from the image, and the status does not change when it subsequently updates?

    Christian

  • In reply to QC:

    Hi QC, thank you for the reply,

    Before you read my answers, I am not sure if it changes some of the solutions, but our SOPHOS definitions are downloaded from a single computer, that has SEC, with internet access then transferred via thumb drive to a classified stand alone network that does not have internet access. It is then uploaded to our A/V server that has SEC 5.4.0 (Currently Server 2008 R2, but transitioning to Server 2016 Q1 next year).

    • First of all, XP and 2003: You do have Extended Support, don't you?
      • Our company purchased new licenses a few months ago, but I'm unsure if the Extended Support was included. I will check and see.

     

    • Did you switch the machines to the correct subscription?
      • Are you talking about the Software Subscriptions? If so, we only have the Recommended Windows subscription from what I see. ("Recommended - for computers that need the most up to date protection, see KBA 119216")

     

    • Also note that the number of IDEs is only meaningful in the conjunction with the Detection Data (currently 5.70 for Recommended) version. The number of IDEs goes up and then down again when a new Detection Data version is released. If you view the Computer Details tab for these machines - is the Last message time current? 
      • All the machines that are 'Connected' have the current date/time with the current 5.70 Detection Data.
      • So if the Detection Data stays 5.70 for next months definitions, the IDE number would still be 107 as it is today? If so, how do I know if let auditors know that the A/V defs are the most current?

     

    • SEC relies on the endpoints sending their status. Do they appear as Connected or Disconnected? Please also check the Last message time mentioned above.
      • The endpoints that show the correct Detection Data and IDE number locally say that it is Disconnected on SEC with the Last Message Time of 09/26/2019 (and they're all virtual desktops).

     

    • what happens when you deploy a virtual desktop from this image? Does it appear in SEC or not at all? If it appears - is it with the initial status from the image, and the status does not change when it subsequently updates?
      • It does not appear in SEC at all. I've tried deleting the previous Endpoint from SEC then deploy the image and re-adding the Endpoint by IP address. The machine shows up without it being 'Protected', but I'm able to login locally to the machine and 'Update Now' and it is able to connect to the server and download the current definitions.
      • I try to protect the machine remotely from SEC and it gives me a "Account invalid or has insufficient rights" error and I used every admin account I have and Sophos account. I've used the logins with and without the domain\ (but that's a whole different problem).

     

     

  • In reply to Jeremy Reyes:

    Hello Jeremy,

    I'll try to give at least some answers.

    Detection Data and IDEs
    Detection Data are consolidated libraries of definitions, updated monthly. They are supplemented by IDEs, usually slightly more than 100. Every few hours additional IDEs are created by Labs, thus their number goes up. Near the end of its life 5.69 was supplemented by - as far as I can see - 216 IDEs. 5.70 started with 103 or so. Note that the protection provided by 5.69+216 and 5.70+103 is the same. Guess it's still the case that not all customers receive the updated Data at the same time but the should have the same latest IDE (please see the How to check for more information).
    Ideally the offline SEC (BTW - 5.4.0 has been retired) has to be updated several times a day.

    It does not appear in SEC at all
    has a new image been created around 09/26/2019? Looks like "something" is not quite right. There's a base Troubleshooting Disconnected Endpoints article. Might add that if the Message Router service is running the Router logs (C:\ProgramData\Sophos\Remote Management System\3\Router\Logs\) normally provide some insight.

    Christian

  • In reply to QC:

    QC,

    Detection Data and IDEs

    Ok, I understand now.

     

    It does not appear in SEC at all
    has a new image been created around 09/26/2019

    The last image created and deployed was 11/07/19.

    I'm not sure if it's connected together, but I found that when I tried to reinstall the Sophos client on a machine via 'Protect Computers...', it was using an account that no longer is available in AD for the task, so the installation kept failing. Also, the task in Task Scheduler was not getting deleted afterwards.

    So I created a GPO to delete any existing tasks and when I try to install it again, it works. The machine shows that it is connected and IDE and Last Message Time is updated to the current time. The only thing is that I get error "Failed to install Sophos Endpoint Defense: Error code 80004005 [0x00000067]". I tried to look at the logs, but I couldn't find anything specific on why it failed.

  • In reply to Jeremy Reyes:

    Hello Jeremy,

    sorry for the delayed reply, tried to get hold of the SED Setup log of an endpoint that reports the same error.

    It shows
    INFO : Updating directory security: C:\ProgramData\Sophos\Endpoint Defense\Config
    ERROR : Error upgrading/downgrading Sophos Endpoint Defense: SetEntriesInAclW failed with error: 87
    and if (as I assume) it's decimal the code means ERROR_INVALID_PARAMETER. Not really an answer to why?

    I assume that if the install fails there's some line tagged ERROR : (not necessarily with same or similar content) near the end of the log?

    Christian

  • In reply to QC:

    Hello Jeremy,

    turned out that the error occurred for most other subdirectories as well. Dunno what the underlying cause is. Let it recreate the folders and the install succeeded, some files are missing but as most have "reappeared" I assume it's working as it should.

    Christian