I tried searching for a reason but couldn't really find an answer: is there a reason why there are different IDE numbers for certain OSes? For the few XP machines we have, the IDE is 261, and Server 2003 is 120.
Anything from Windows 7+ and Server 2008+ seems to get the current IDE number.
I just would like to know a reason, just in case we get audited and they ask for one. Thank you!
Also, in our VDI environment, SEC is not updating most of the virtual desktops status (IDE and Last Scan Completed), but if I look at the desktop locally, the IDE and 'Last Scan Completed' date are current. Is there a way to fix this in bulk?
I tried using this procedure (https://community.sophos.com/kb/en-us/12561) and it works if I do every desktop individually, but if I apply it to the master image and then recompose the VDIs, it will not work for some reason. Am I missing a step?
Hi Jeremy Reyes
Sophos Anti-Virus IDE files are cross-platform. All operating system versions of Sophos Anti-Virus can use the same IDE files but the numbers may differ as per the OS infrastructure. You can always check if you are up-to-date by checking Latest IDE files, please find the link here. Support for XP and 2003 has been stopped, but we do offer extended support for both if you have purchased the same.
These are several questions. First of all, XP and 2003: You do have Extended Support, don't you? Did you switch the machines to the correct subscription? Also note that the number of IDEs is only meaningful in conjunction with the Detection Data (currently 5.70 for Recommended) version. The number of IDEs goes up and then down again when a new Detection Data version is released. If you view the Computer Details tab for these machines, is the Last message time current?
"in our VDI environment, SEC is not updating"
SEC relies on the endpoints sending their status. Do they appear as Connected or Disconnected? Please also check the Last message time mentioned above.
"if I apply it to the master image"
What happens when you deploy a virtual desktop from this image? Does it appear in SEC or not at all? If it appears, is it with the initial status from the image, and the status does not change when it subsequently updates?
In reply to QC:
Hi QC, thank you for the reply,
Before you read my answers, I am not sure if it changes some of the solutions, but our Sophos definitions are downloaded from a single computer that has SEC and internet access, then transferred via thumb drive to a classified stand-alone network that does not have internet access. They are then uploaded to our A/V server, which has SEC 5.4.0 (currently Server 2008 R2, but transitioning to Server 2016 in Q1 next year).
In reply to Jeremy Reyes:
I'll try to give at least some answers.
"Detection Data and IDEs"
Detection Data are consolidated libraries of definitions, updated monthly. They are supplemented by IDEs, usually slightly more than 100. Every few hours additional IDEs are created by Labs, thus their number goes up. Near the end of its life 5.69 was supplemented by - as far as I can see - 216 IDEs. 5.70 started with 103 or so. Note that the protection provided by 5.69+216 and 5.70+103 is the same. Guess it's still the case that not all customers receive the updated Data at the same time, but they should have the same latest IDE (please see the How to check for more information).
Ideally the offline SEC (BTW - 5.4.0 has been retired) has to be updated several times a day.
"It does not appear in SEC at all"
Has a new image been created around 09/26/2019? Looks like "something" is not quite right. There's a base Troubleshooting Disconnected Endpoints article. Might add that if the Message Router service is running, the Router logs (C:\ProgramData\Sophos\Remote Management System\3\Router\Logs\) normally provide some insight.
Detection Data and IDEs
Ok, I understand now.
"It does not appear in SEC at all"
Has a new image been created around 09/26/2019?
The last image created and deployed was 11/07/19.
I'm not sure if it's connected, but I found that when I tried to reinstall the Sophos client on a machine via 'Protect Computers...', it was using an account for the task that is no longer available in AD, so the installation kept failing. Also, the task in Task Scheduler was not getting deleted afterwards.
So I created a GPO to delete any existing tasks, and when I try to install it again, it works. The machine shows that it is connected, and the IDE and Last Message Time are updated to the current time. The only thing is that I get the error "Failed to install Sophos Endpoint Defense: Error code 80004005 [0x00000067]". I tried to look at the logs, but I couldn't find anything specific on why it failed.
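One way to find the leftover deployment tasks described above before deleting them wholesale: the report below lists scheduled tasks whose run-as account no longer resolves in AD (or locally), and removes them only on request. This is an added example, not code from the thread or from Sophos; the task-name pattern and the -Remove switch are assumptions.

```powershell
# Added example (not from the thread or from Sophos): report scheduled tasks whose
# run-as principal no longer resolves, e.g. a stale SEC 'Protect Computers...' task.
# Report-only unless -Remove is given. $NamePattern is an assumed filter, not a
# Sophos-defined task name; adjust it to match the tasks on your endpoints.
param(
    [string]$NamePattern = '*Sophos*',
    [switch]$Remove
)

function Test-PrincipalResolves {
    param([string]$UserId)
    # Empty UserId means the task runs as a built-in context; nothing to check
    if ([string]::IsNullOrWhiteSpace($UserId)) { return $true }
    try {
        if ($UserId -match '^S-1-') {
            # Task stored a raw SID: try to map it back to an account name
            $null = (New-Object System.Security.Principal.SecurityIdentifier $UserId).Translate(
                [System.Security.Principal.NTAccount])
        } else {
            # Task stored an account name: try to map it to a SID
            $null = (New-Object System.Security.Principal.NTAccount $UserId).Translate(
                [System.Security.Principal.SecurityIdentifier])
        }
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false   # account was deleted or the domain cannot be reached
    }
}

$stale = foreach ($task in Get-ScheduledTask -TaskName $NamePattern -ErrorAction SilentlyContinue) {
    $runAs = $task.Principal.UserId
    if (-not (Test-PrincipalResolves $runAs)) {
        [pscustomobject]@{
            TaskPath = $task.TaskPath
            TaskName = $task.TaskName
            RunAs    = $runAs
            LastRun  = ($task | Get-ScheduledTaskInfo).LastRunTime
        }
    }
}

if (-not $stale) {
    Write-Host "No tasks matching '$NamePattern' run as an unresolvable account."
    return
}
$stale | Format-Table -AutoSize

if ($Remove) {
    # Only tasks with an orphaned principal are touched; -Confirm prompts per task
    $stale | ForEach-Object { Unregister-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName -Confirm }
}
```

Run it as an administrator on an affected endpoint first in report mode; the task path and last run time tell you whether the entry is the failed deployment task before you remove it.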
Sorry for the delayed reply; I tried to get hold of the SED Setup log of an endpoint that reports the same error.
It shows:
INFO : Updating directory security: C:\ProgramData\Sophos\Endpoint Defense\Config
ERROR : Error upgrading/downgrading Sophos Endpoint Defense: SetEntriesInAclW failed with error: 87
and if (as I assume) it's decimal, the code means ERROR_INVALID_PARAMETER. Not really an answer to why?
I assume that if the install fails there's some line tagged ERROR : (not necessarily with same or similar content) near the end of the log?
Turned out that the error occurred for most other subdirectories as well. Dunno what the underlying cause is. Let it recreate the folders and the install succeeded; some files are missing, but as most have "reappeared" I assume it's working as it should.