PatchFeedProcessor(None - 0)

Hello Everyone,

We are seeing a lot of error events, which are generating a huge amount of noise.

LogName - Application

Source - PatchFeedProcessor

EventID - 0

Description - Patches have not been successfully updated in the last three days

I have gone through various articles, and one among them was https://community.sophos.com/products/endpoint-security-control/f/sophos-enterprise-console/98886/error-0-patches-have-not-been-successfully-updated-in-the-last-three-days

Wherein I saw to review the comments or recommendations from  stating to view the C:\ProgramData\Sophos\Patch\Logs for more information.

I reviewed the logs and I see nothing suspicious. Below is the short log for reference.

========

2018-12-05 09:48:01 | PID 23396 | TID 1 | ID: 3016 | Severity: info | Sophos Patch Data Loader will exit now because it is scheduled to process the feed later.-- Evidence --
-- Evidence At Publish --
The feed will be processed after 12/5/2018 11:48:00 AM:

2018-12-05 09:48:01 | PID 23396 | TID 1 | ID: 3002 | Severity: info | Finished Sophos Patch Data Loader processing.-- Evidence --

2018-12-05 10:48:02 | PID 23464 | TID 1 | ID: 3001 | Severity: info | Begin Sophos Patch Data Loader processing.-- Evidence --

2018-12-05 10:48:02 | PID 23464 | TID 1 | ID: 3016 | Severity: info | Sophos Patch Data Loader will exit now because it is scheduled to process the feed later.-- Evidence --
-- Evidence At Publish --
The feed will be processed after 12/5/2018 11:48:00 AM:

2018-12-05 10:48:02 | PID 23464 | TID 1 | ID: 3002 | Severity: info | Finished Sophos Patch Data Loader processing.-- Evidence --

2018-12-05 11:48:01 | PID 23116 | TID 1 | ID: 3001 | Severity: info | Begin Sophos Patch Data Loader processing.-- Evidence --

2018-12-05 11:50:29 | PID 23116 | TID 1 | ID: 3002 | Severity: info | Finished Sophos Patch Data Loader processing.-- Evidence --

2018-12-05 12:48:02 | PID 10160 | TID 1 | ID: 3001 | Severity: info | Begin Sophos Patch Data Loader processing.-- Evidence --

2018-12-05 12:48:02 | PID 10160 | TID 1 | ID: 3016 | Severity: info | Sophos Patch Data Loader will exit now because it is scheduled to process the feed later.-- Evidence --
-- Evidence At Publish --
The feed will be processed after 12/5/2018 5:48:00 PM:

2018-12-05 12:48:02 | PID 10160 | TID 1 | ID: 3002 | Severity: info | Finished Sophos Patch Data Loader processing.-- Evidence --

2018-12-05 13:48:03 | PID 23812 | TID 1 | ID: 3001 | Severity: info | Begin Sophos Patch Data Loader processing.-- Evidence --

2018-12-05 13:48:03 | PID 23812 | TID 1 | ID: 3016 | Severity: info | Sophos Patch Data Loader will exit now because it is scheduled to process the feed later.-- Evidence --
-- Evidence At Publish --
The feed will be processed after 12/5/2018 5:48:00 PM:

2018-12-05 13:48:03 | PID 23812 | TID 1 | ID: 3002 | Severity: info | Finished Sophos Patch Data Loader processing.-- Evidence --

2018-12-05 14:48:03 | PID 14424 | TID 1 | ID: 3001 | Severity: info | Begin Sophos Patch Data Loader processing.-- Evidence --

2018-12-05 14:48:04 | PID 14424 | TID 1 | ID: 3016 | Severity: info | Sophos Patch Data Loader will exit now because it is scheduled to process the feed later.-- Evidence --
-- Evidence At Publish --
The feed will be processed after 12/5/2018 5:48:00 PM:

2018-12-05 14:48:04 | PID 14424 | TID 1 | ID: 3002 | Severity: info | Finished Sophos Patch Data Loader processing.-- Evidence --

2018-12-05 15:48:02 | PID 12152 | TID 1 | ID: 3001 | Severity: info | Begin Sophos Patch Data Loader processing.-- Evidence --

2018-12-05 15:48:03 | PID 12152 | TID 1 | ID: 3016 | Severity: info | Sophos Patch Data Loader will exit now because it is scheduled to process the feed later.-- Evidence --
-- Evidence At Publish --
The feed will be processed after 12/5/2018 5:48:00 PM:

2018-12-05 15:48:03 | PID 12152 | TID 1 | ID: 3002 | Severity: info | Finished Sophos Patch Data Loader processing.-- Evidence --

 

========

Within a short time frame, Sophos Patch Data Loader processing exits because it is scheduled to process the feed later, with the time frame stating it will process after some time.

I don't see a big difference in the time gap. As per the logs, nothing looks suspicious or requires user action, is what I assume.

Please review and let me know whether we can ignore the events ((PatchFeedProcessor(None - 0))) generated as informational.

As per  no user action is required in the thread mentioned above.

Looking forward to seeing a response. Thank You in advance

Regards,

Sandeep Sangu

  • I missed adding the info below

    Sophos Anti-Virus (Endpoint Security and Control) - 10.8.2.334
    Last Updated 12/5/2018
    OS - Windows Server 2008 Standard SP2

  • Hello Sandeep Sangu,

    In the thread the above mentioned thread referred to, the underlying cause was indeed an issue on the backend, i.e. with the data feed itself and not with processing it on the SEC server.

    The PatchDataLoader.log is basically the scheduler log and it'd only list fatal errors, e.g. the PatchFeedProcessor not starting or crashing, and indirectly indicate errors with processing the feed when you see that the PatchFeedProcessor is scheduled more often.
    The actual error information is in the PatchFeedProcessor.log in C:\ProgramData\Sophos\Patch\Logs\. Please check this log.

    Christian

  • In reply to QC:

    Hello Christian,

    Thank You for the reply :)

    As per the suggestion here are the logs from the (PatchFeedProcessor.log)

     

    2018-12-05 11:48:05 | PID 17308 | TID 1 | Information | -----PROGRAM START-----
    2018-12-05 11:50:27 | PID 17308 | TID 1 | Warning | Failed to verify signature of Mcescan.cab
    2018-12-05 11:50:27 | PID 17308 | TID 1 | Information | There were errors while processing feed (handled error):'Failed to verify signature of Mcescan.cab'
    2018-12-05 11:50:27 | PID 17308 | TID 1 | Error | Patches have not been successfully updated in the last three days
    2018-12-05 11:50:27 | PID 17308 | TID 1 | Information | -----PROGRAM END-----
    2018-12-05 17:48:08 | PID 1576 | TID 1 | Information | -----PROGRAM START-----
    2018-12-05 17:51:55 | PID 1576 | TID 1 | Warning | Failed to verify signature of Mcescan.cab
    2018-12-05 17:51:55 | PID 1576 | TID 1 | Information | There were errors while processing feed (handled error):'Failed to verify signature of Mcescan.cab'
    2018-12-05 17:51:55 | PID 1576 | TID 1 | Error | Patches have not been successfully updated in the last three days
    2018-12-05 17:51:55 | PID 1576 | TID 1 | Information | -----PROGRAM END-----
    2018-12-05 23:48:06 | PID 10480 | TID 1 | Information | -----PROGRAM START-----
    2018-12-05 23:50:20 | PID 10480 | TID 1 | Warning | Failed to verify signature of Mcescan.cab
    2018-12-05 23:50:20 | PID 10480 | TID 1 | Information | There were errors while processing feed (handled error):'Failed to verify signature of Mcescan.cab'
    2018-12-05 23:50:20 | PID 10480 | TID 1 | Error | Patches have not been successfully updated in the last three days
    2018-12-05 23:50:20 | PID 10480 | TID 1 | Information | -----PROGRAM END-----
    2018-12-06 05:48:04 | PID 21436 | TID 1 | Information | -----PROGRAM START-----
    2018-12-06 05:50:20 | PID 21436 | TID 1 | Warning | Failed to verify signature of Mcescan.cab
    2018-12-06 05:50:20 | PID 21436 | TID 1 | Information | There were errors while processing feed (handled error):'Failed to verify signature of Mcescan.cab'
    2018-12-06 05:50:20 | PID 21436 | TID 1 | Error | Patches have not been successfully updated in the last three days
    2018-12-06 05:50:20 | PID 21436 | TID 1 | Information | -----PROGRAM END-----
    2018-12-06 11:48:08 | PID 20112 | TID 1 | Information | -----PROGRAM START-----
    2018-12-06 11:50:44 | PID 20112 | TID 1 | Warning | Failed to verify signature of Mcescan.cab
    2018-12-06 11:50:44 | PID 20112 | TID 1 | Information | There were errors while processing feed (handled error):'Failed to verify signature of Mcescan.cab'
    2018-12-06 11:50:44 | PID 20112 | TID 1 | Error | Patches have not been successfully updated in the last three days
    2018-12-06 11:50:44 | PID 20112 | TID 1 | Information | -----PROGRAM END-----
    2018-12-06 17:48:06 | PID 12664 | TID 1 | Information | -----PROGRAM START-----
    2018-12-06 17:50:00 | PID 12664 | TID 1 | Warning | Failed to verify signature of Mcescan.cab
    2018-12-06 17:50:00 | PID 12664 | TID 1 | Information | There were errors while processing feed (handled error):'Failed to verify signature of Mcescan.cab'
    2018-12-06 17:50:00 | PID 12664 | TID 1 | Error | Patches have not been successfully updated in the last three days
    2018-12-06 17:50:00 | PID 12664 | TID 1 | Information | -----PROGRAM END-----

    Please check and advise.

    Also, I have followed the instructions mentioned by you in the thread (https://community.sophos.com/products/endpoint-security-control/f/sophos-enterprise-console/90147/patches-have-not-been-successfully-updated-in-the-last-three-days/326940?pi2147=165)

    I tried verifying the digital signatures but I see no useful information in that. Under properties it gives a message stating the digital signature is OK, and FYI (Sunday, November 18, 2018 6:01:42 AM) when viewed the certificate looks like it expired (Valid from: 7/12/2018 to 7/26/2018), and down at the bottom it gives an option to install the certificate (not sure if that fixes the issue). And FYI, when I opened the mescan TimeStamp XML file this is what I observed:

    =========

    <?xml version="1.0" encoding="utf-8" ?>
    <lastchecked>
    <timestamp day="6" month="12" year="2018" hour="17" min="48" />
    </lastchecked>

    =========

    Looking forward to hearing from you. Thank You

  • In reply to Sandeep Sangu:

    Hello Sandeep Sangu,

    valid [] to 7/26/2018
    guess it reads 2019.

    It looks ok and as mentioned in the other thread I can't say what could be wrong. There's the signtool.exe in the Windows SDK that can be used to verify the certificate (signtool.exe /verify /v /pa PathTo\mcescan.cab), dunno what to do next if it says success. As said, I'd contact Support.

    Christian 

  • In reply to QC:

    Christian,

    Not sure whether I can run that tool on the server or not. The thread I started is of personal interest, believing I would get an answer/confirmation whether to ignore PatchFeedProcessor events on the device, as they are generating a huge amount of noise. I assumed that if I got a confirmation here in the community, I would send a change request to exclude the event from monitoring itself, which will reduce 100-200 alerts per month.

    I tried getting a solution via chat support and here's what I got from the support agent: "Okay. I am unsure is what I will say on if they are ignorable. I believe so, but I can't be certain." I was advised to call their global support number and provide the license number.

    I cannot provide the license number as it needs to be checked with the end client, which is a bit difficult.

    I followed your instructions, went through a lot of threads and tried narrowing down the query, and am now stuck at this point.

    Not sure how to proceed further from here.

  • In reply to Sandeep Sangu:

    Hello Sandeep Sangu,

    they are ignorable(?)
    just my opinion: Although there's first a (handled error) in the message it is immediately followed by Error | Patches have not been successfully updated in the last three days. That PFP sets a reschedule with less than 24 hours also suggests that it thinks something isn't right. If you open the Patch Assessment Events the field Patch updates (right below the Search button) doesn't say OK, does it?
    "My" mcescan.cab seems to be the same, I have no errors. So it doesn't look like a feed/backend issue (that other than reporting it you only can ignore until it is fixed).
    If you don't use Patch or don't care about the assessments (which would boil down to not use) you could disable the Sophos Patch Feed task (and perhaps the Patch-related services).

    can't provide license number as it needs to checked with End client
    I fear I don't get what you mean

    As for signtool - the SDK can be used on desktops and servers

    Christian

  • In reply to QC:

    I will review the patch assessment events tomorrow once I am back in the office and will update you here.

    If you don't use Patch or don't care about the assessments (which would boil down to not use) you could disable the Sophos Patch Feed task (and perhaps the Patch-related services.

    Will check with our partner on the same and see what will be their response.

    can't provide license number as it needs to check with the End client

    As I mentioned, I am doing this out of personal interest, to reduce the alert ratio that we are seeing currently. So, I did not want to bother the end customer for any reason.
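
As the replies above note, the event text is generic and the actual cause sits in the warning logged earlier in the same PatchFeedProcessor.log run. The following is an added example, not part of the original thread and not Sophos code: it groups the log into runs and counts the warning behind each failed run, so the alert can be judged on its cause rather than suppressed blind. The function names are hypothetical, and the sample is constructed in the log layout quoted in the thread, with a clean third run added for contrast.

```python
import re
from collections import Counter

# Constructed sample in the PatchFeedProcessor.log layout quoted in the thread;
# the third (clean) run is invented here for contrast.
SAMPLE_LOG = """\
2018-12-05 11:48:05 | PID 17308 | TID 1 | Information | -----PROGRAM START-----
2018-12-05 11:50:27 | PID 17308 | TID 1 | Warning | Failed to verify signature of Mcescan.cab
2018-12-05 11:50:27 | PID 17308 | TID 1 | Error | Patches have not been successfully updated in the last three days
2018-12-05 11:50:27 | PID 17308 | TID 1 | Information | -----PROGRAM END-----
2018-12-05 17:48:08 | PID 1576 | TID 1 | Information | -----PROGRAM START-----
2018-12-05 17:51:55 | PID 1576 | TID 1 | Warning | Failed to verify signature of Mcescan.cab
2018-12-05 17:51:55 | PID 1576 | TID 1 | Error | Patches have not been successfully updated in the last three days
2018-12-05 17:51:55 | PID 1576 | TID 1 | Information | -----PROGRAM END-----
2018-12-06 05:48:04 | PID 21436 | TID 1 | Information | -----PROGRAM START-----
2018-12-06 05:50:20 | PID 21436 | TID 1 | Information | -----PROGRAM END-----
"""

LINE = re.compile(r"^\s*(\S+ \S+) \| PID (\d+) \| TID \d+ \| (\w+) \| (.*)$")

def summarize_runs(text):
    """Group log lines into runs (PROGRAM START..END), keyed by PID."""
    runs, open_runs = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank or continuation line
        ts, pid, level, msg = m.groups()
        if "PROGRAM START" in msg:
            # A new start always opens a fresh run, even if the PID was reused.
            open_runs[pid] = {"start": ts, "pid": pid, "warnings": [], "errors": []}
            runs.append(open_runs[pid])
            continue
        run = open_runs.get(pid)
        if run is None:
            continue  # log was truncated before this run's start line
        if level == "Warning":
            run["warnings"].append(msg)
        elif level == "Error":
            run["errors"].append(msg)
        if "PROGRAM END" in msg:
            del open_runs[pid]
    return runs

def root_causes(runs):
    """Count the warnings logged in runs that ended with an Error line."""
    return Counter(w for r in runs if r["errors"] for w in r["warnings"])

if __name__ == "__main__":
    runs = summarize_runs(SAMPLE_LOG)
    failed = sum(1 for r in runs if r["errors"])
    print(f"{failed}/{len(runs)} runs failed; causes: {dict(root_causes(runs))}")
```

A single repeated cause across every failed run, as in the thread's log, points to a persistent fault on that server rather than transient noise.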