This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

The server on which SEC is installed does not point to itself as the SUM; instead it points to an old client workstation?

Background: I came into a helpdesk/entry-level admin role under a year ago. About 2 months in I became responsible for watching the protection statuses of all the workstations I had admin over; in this case all workstations but no servers. The only thing I was ever taught or ever did was check in periodically on the SEC and see what the reports were: make sure the machines were showing up to date, or, if it threw a random alert, clear it or respond if it found something malicious.

Things to note: I was NOT trained in how any of the setup of SEC works, nor am I part of the server's administration group where I can make changes to the local server itself. I was assigned as Sophos Full Administrator, however, and provide simple maintenance duty for checking alerts and responding to reported malicious files.

Fast forward to recently, when out of the blue every single workstation was throwing a reporting alert saying the exploit prevention software was out of date. It wasn't. After speaking with support I found out these were most likely false errors. That's when I learned about the role an Update Manager plays and the fact that the sole workstation showing as the SUM in the Update Managers screen was a now-offline client workstation. We checked the client-side app on a couple of workstations and discovered that the Primary location was configured to a share folder on the same dedicated Sophos server as the SEC, and so was the Sophos cloud. With that being the case you'd think that on the Update Managers screen you'd see that same server. But you don't. Instead you only see that old offline workstation. I could not explain this, nor could support really.

Despite this revelation, support still tried to configure the offline workstation showing up in the Update Manager list. We got a communication error, of course.
After it was all said and done, support pretty much said that future false alerts could happen because no client machine has a primary SUM to talk to, and because the SEC and SUM were configured on two different nodes.

My best guess is that Sophos was possibly never installed properly to begin with, and that the workstation currently showing up in the SUM list was chosen at random by someone who rushed through the install, or was simply totally OK with using the cloud sync for everything.


My question is, because I'm not all too familiar with the installation of the Enterprise Console or SUM: how can I delete the current one and have SEC point to the server I want as the SUM, which in this case would be the same server the SEC is installed on? I would like to do this so I don't get a bunch of false positives like I recently had with the exploit prevention alert, and because it would be nice to have something on-prem in case the machines are having trouble reaching the online manager. *Edit, additional:* I also consistently get wrong reports about how drivers have been bypassed or a service has stopped working, but that is never the case when I check the running services. A bunch of things like that are things I'm plagued with, and it doesn't seem efficient to be in charge of workstation security when the tool for the job doesn't even work correctly.

I hope I explained all that well enough and kudos to anyone who can assist. 
  • Hello jabaited2020,

    for the most part I concur with MEric's suggestions.
    Following them the database would be kept, which is normally desired. I'm not sure whether the database is sufficiently consistent for the reinstall to resolve the problem. Apparently - as far as I understand it - endpoints are updating from the correct location (CID), SUM is installed on the server and is updating the CID(s). You should check though whether the endpoints are indeed updating from the CID (and not Sophos) and that the SAV version is current (assuming the Recommended subscription version 10.8.4.227, engine 3.77.1, detection data 5.71, 250+ IDEs). In order for SUM to be able to download from Sophos and deploy the CIDs it must be configured. For the configuration to work this SUM must appear in the Update managers view. The console refuses any delete attempt for this SUM with the message: "The local update manager must not be deleted." What you see is an "impossible" configuration. I don't think this is merely the result of an incomplete migration - I guess it requires "some manual intervention" to come about.

    Christian
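The two checks Christian asks for (is the endpoint really updating from the on-prem CID rather than from Sophos, and is the installed version current) can be scripted on a single workstation. The PowerShell below is an added example; it is not code from this thread, from either poster, or from Sophos. The AutoUpdate config-file path and its INI section/key names, and the rule that Sophos-hosted locations contain "sophos" in the host part, are assumptions to confirm on your own build; engine and detection-data versions are not read from the registry here but passed in by hand from the endpoint's About dialog.

```powershell
<#
Added example (not from the thread, its posters, or Sophos). Run on one workstation to
check (1) whether AutoUpdate's primary location is the on-prem CID share rather than
Sophos directly, and (2) whether Sophos Anti-Virus is at least the Recommended version
quoted in the reply above. Items marked "assumption" must be verified on your build.
#>
param(
    [string]$AutoUpdateConfig = 'C:\ProgramData\Sophos\AutoUpdate\Config\iconn.cfg',  # assumption
    [string]$PrimarySection   = 'PrimaryUpdateLocation',                              # assumption
    [string]$SecondarySection = 'SecondaryUpdateLocation',                            # assumption
    [string]$AddressKey       = 'Address',                                            # assumption
    [version]$ExpectedProduct = '10.8.4.227',   # values quoted in Christian's reply
    [version]$ExpectedEngine  = '3.77.1',
    [version]$ExpectedData    = '5.71',
    [string]$InstalledEngine  = '',             # optional: copy from the endpoint's About dialog
    [string]$InstalledData    = ''              # optional: same source
)

# Minimal INI reader: returns section -> (key -> value); skips comments and blank lines.
function Read-IniFile([string]$Path) {
    $ini = @{}; $section = ''
    foreach ($raw in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';') -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
            continue
        }
        if ($line -match '^([^=]+)=(.*)$') {
            if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $ini
}

# Safe lookup that returns $null instead of failing when a section or key is absent.
function Get-IniValue($Ini, [string]$Section, [string]$Key) {
    if ($Ini.ContainsKey($Section) -and $Ini[$Section].ContainsKey($Key)) { return $Ini[$Section][$Key] }
    return $null
}

# Classify an update location: a UNC share or an internal http URL is your own CID;
# a URL whose host contains "sophos" is Sophos' own servers (assumption, see header).
function Get-LocationKind([string]$Location) {
    if ([string]::IsNullOrWhiteSpace($Location)) { return 'not set' }
    if ($Location -match '^\\\\') { return 'on-prem CID (UNC share)' }
    $uri = $null
    if ([uri]::TryCreate($Location, [UriKind]::Absolute, [ref]$uri) -and $uri.Host -match 'sophos') {
        return 'Sophos (cloud)'
    }
    return 'on-prem CID (HTTP)'
}

# Compare an installed version string against the expected minimum; unparsable -> not current.
function Test-ComponentVersion([string]$Name, [string]$Installed, [version]$Expected) {
    $parsed = $Installed -as [version]
    $shown = if ($Installed) { $Installed } else { '(unknown)' }
    [pscustomobject]@{
        Component = $Name
        Installed = $shown
        Expected  = $Expected
        Current   = ($null -ne $parsed) -and ($parsed -ge $Expected)
    }
}

# Installed Sophos Anti-Virus product version from the Uninstall keys (both registry views).
function Get-InstalledSavVersion {
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Sophos Anti-Virus*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

# --- 1. Where does this endpoint update from? ---
$ini       = Read-IniFile $AutoUpdateConfig
$primary   = Get-IniValue $ini $PrimarySection   $AddressKey
$secondary = Get-IniValue $ini $SecondarySection $AddressKey
[pscustomobject]@{ Slot = 'Primary';   Location = $primary;   Kind = Get-LocationKind $primary }
[pscustomobject]@{ Slot = 'Secondary'; Location = $secondary; Kind = Get-LocationKind $secondary }
if ((Get-LocationKind $primary) -eq 'Sophos (cloud)') {
    Write-Warning 'Primary location is Sophos itself; this endpoint is not using the on-prem CID.'
}

# --- 2. Are the installed components at least the Recommended versions? ---
Test-ComponentVersion 'Sophos Anti-Virus' (Get-InstalledSavVersion) $ExpectedProduct
if ($InstalledEngine) { Test-ComponentVersion 'Engine'         $InstalledEngine $ExpectedEngine }
if ($InstalledData)   { Test-ComponentVersion 'Detection data' $InstalledData   $ExpectedData }
```

Run it as an administrator on a couple of the workstations that raised the false "out of date" alerts; if the primary slot reports "Sophos (cloud)" or "not set", the client is not talking to the CID on the SEC server at all, which is the situation support described.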
