Sophos Antivirus (managed) not populating AutoUpdate information on Macs

I'm seeing our Mac's have problem's getting the AutoUpdate info when Sophos Antivirus for Mac is installed.

We are installing via a scripted installation and that has been the same for a long time now - since the change from PKG to an App installer,

Basically the method used is to open a connection to the Enterprise Console and download the whole ESCOSX directory.  Sophos Antivirus is then installed via the command line call:

"Sophos Installer.app"/Contents/MacOS/tools/InstallationDeployer --install

I've also tried manually copying the directory off the Enterprise Console server and manually installing - both by command line and clicking the App.  The software installs, but the AutoUpdate info never gets populated.

I've also tried deleting the machine from the console - no change

The machines are bound to Active Directory.

This was all working late last year but is not working now.  I don't manage the Enterprise Console.  I manage the Mac's. 

Is there something I can look for or ask the Console Administrator to check?  I don't even know how that info gets populated so it's hard to know what to do

Regards,

David

  • Hi  

    Unfortunately, it is not possible to perform a scripted installation of Sophos Enterprise Console endpoint on a Mac machine. Please follow the steps lists in this guide (section 16.2.3) : https://docs.sophos.com/esg/enterprise-console/5-5-2/help/en-us/PDF/sec_qsg.pdf

    If Autoupdate fails to populate, can you please ensure that the firewall rules are set appropriately? This article should help: https://community.sophos.com/kb/en-us/110174

  • Hello David,

    the machines appear in the console with a green icon, computer and SAV information but empty update settings? They are not in the Unassigned group?

    The Macs should contact the server and request the applicable policies, and once they have received and applied them report back the status/settings. Apparently they have done so in the past. If Sophos is otherwise running fine on the Macs I don't think it's them.

    From the Console side one can check whether the communication component (RMS) has connected to the server (icon with green overlay), have recently sent a status, and ar not appearing twice. Nothing Mac-specific, so the Console Administrator should know how to check. Next steps depend on the findings.

    While policy transfer (and generally communication between endpoints and management server) should work and if it doesn't the problem should be investigated it might be a good idea to pre-configure the AutoUpdate settings.

    Christian

  • In reply to Yashraj:

    Hi Yashraj,

    Thanks for your reply.  I think you might be mistaken.  I outlined what the scripted installation does - copies the installation folder from the Enterprise Console Server and executes the installer via the command I gave.  That method has been working for years until recently.  In fact, as far as I can see it still works - it's just that the AutoUpdate info is not populating after the installation as it used to

    I also said I tested the installation manually by copying the installation folder from the server and manually executing the App by clicking it.  That is what the documentation you pointed me at said is the way to install using the App manually.  The script is just a way to automate that.

    Firewall rules - yes I always suspect the firewall but in this case they are not set at all because the firewall is off.

    They were good points, but unfortunately I don't think this is where the problem lies.

     

    Regards,

    David

  • In reply to QC:

    Hi Christian,

    Thanks -

    1) The machines are grey in the console. I even tried removing one and waiting for it to pick it up again when it re-scanned AD but it never changed to an active machine talking to the console

    2) That info on the communication helps. I'll talk to the administrator.

    3) I ran "Sophos Diagnostic Utility" and it captured a whole bunch of info and logs. When I searched through them for "err" and "fail" the following were repeated a lot

    /rms/SophosMessageRouter/Router-20200325-225847.log:26.03.2020 07:02:32 699B E Failed to get parent router IOR
    ./rms/SophosMessageRouter/Router-20200325-225847.log:26.03.2020 07:02:32 699B W Failed to get certificate, retrying in 600 seconds

    ./rms/SophosMessageRouter/Router-20200326-035454.log:30.03.2020 13:07:33 0AF6 W Delivery failed(Timeout) for message type Certification.CertRequest, originator Router$dep54592:527620.Agent

    ./rms/SophosMessageRouter/Router-20200402-064335.log:02.04.2020 14:47:38 6BBF E Failed to get parent router IOR
    ./rms/SophosMessageRouter/Router-20200402-064335.log:02.04.2020 14:47:38 6BBF W Failed to get certificate, retrying in 600 seconds

    ./rms/SophosManagementAgent/Agent-20200325-082600.log:25.03.2020 16:38:53 0BB2 W MSClient::Connect: failed to get router's IOR from supplied address and port.
    ./rms/SophosManagementAgent/Agent-20200325-082600.log:25.03.2020 16:38:53 0BB2 W NoRouterIORException: Caught MSClient::Connect: failed to get router's IOR from supplied address and port.

    ./rms/SophosManagementAgent/Agent-20200328-122150.log:30.03.2020 01:45:52 0BB2 W Failed to obtain public key certificate.

    I'm sure there is a clue there and will be search more on what they mean.  I will chase that up with our administrator too.

    4) Yes I'd seen that info on making a pre-configured installer.  I wondered if that would get blown away if I did it on the Console Managed server share when the installer gets updated.  It's definitely something to try

    Thanks again - you've given me a few directions to look

    Regards,

     

    David

  • In reply to David London:

    Hello David,

    changing to order to answer the simple question first.

    4) if that would get blown away - all supported customizations (where tools exist and are described in articles) are honoured by the Update Manager (SUM) on the server and are kept.

    1) clearly shows that the machines do not communicate

    3) Failed to get parent router IOR - a little background (and perhaps some information for your admin): The endpoint (its RMS component) tries to connect to port 8192 on the server given by the ParentRouterAddress in mrinit.conf/mrinit.custom. It expects an IOR to be returned that contains the address and port (usually 8194) of the actual communication endpoint (usually the same server, whether it's an address, name, or both depends). If it can connect to this address/port it tries to establish communication.
    Apparently the endpoints (at least the Macs) don't get back an IOR at all. If they'd do, you'd see something that starts with IOR: that is followed by quite a number of hex digits and furthermore, in case the IOR is invalid you'd get a message complaining about a malformed or empty IOR. Common reasons for not getting back an IOR:
     • a firewall
     • addresses in mrinit are incorrect
     • mrinit contains just names but the endpoints can't resolve them

    Christian