Auto update Failed

Hi all, 

I have a Sophos Endpoint Protection problem: the client can't download the antivirus database.

The error message is "Download of Windows Cloud Next Gen failed from server http://dci.sophosupd.com/cloudupdate."

It has been happening from 12 Oct 2015 until now.

Does anyone have the same problem?

Regards,

Arthur

  • We have the same issue. Reported it to Support. Nothing back from them yet.
  • None of my updates have been working since July.
  • We have this issue on several clients; a temporary solution seems to be to just uninstall/restart/install Sophos, which is, honestly, ridiculous! Even rolling out a newer Sophos Clientinstall version through the Logonscript/GPO isn't solving the issues.

    More weird, it's not on every Client, we have clients within the same LAN segment (using the same internet connection etc.) that are having this issue, others just don't and are working fine.

    Sounds like a big joke to me.

    We need a solution for this, asap! Didn't contact support yet, but reading here that several people have the issue and the support never came back to them isn't a good sign, or is there anything new on this issue?

    The KB is a joke about this! I can PING the server, I can connect to it without the /cloudupdate or /update path... this isn't funny at all!
  • In reply to FlorianRossmark:

    What does it say for the last failed update attempt in the AutoUpdate log file?

    It might be easiest to rename the current log file:

    C:\ProgramData\Sophos\AutoUpdate\Logs\sophosupdate.log

    Then initiate an update to generate a new log just containing the last update.

    Can someone paste the contents here or link to it?

    Are the clients going through a proxy performing caching?
    Is there a common web proxy in the mix here?

    Regards,
    Jak
  • In reply to jak:

    It is interesting, we started a support request over our Cloud-Login and never got a reply, but we got one here...

    The Log looks like the following, a few things to mention:
    - no proxy
    - several clients on the same IP segment, some update, some don't
    - Clients are all Win7 and configured all the same
    - if I remember it right, some Sophos have been manually uninstalled and re-installed and worked for a bit but also tend to show the same issues again
    - in the end we have several sites, even mobile clients, some update (or at least seem to) and some don't - what makes me really think is that they are still able to talk to the cloud and tell the cloud, hey, I couldn't download the files... if there were a configuration error or whatsoever, why doesn't the cloud just fix it? I don't see a reason that so many clients have issues and are totally out of date, that's no protection at all...

    2016-02-23T18:03:28.675Z [ 8660] INFO WinMain =========================
    2016-02-23T18:03:28.675Z [ 8660] INFO WinMain SophosUpdate is starting.
    2016-02-23T18:03:28.675Z [ 8660] INFO WinMain AutoUpdate version : 4.0.5.39
    2016-02-23T18:03:28.675Z [ 8660] INFO WinMain SophosUpdate version : 4.0.5.16
    2016-02-23T18:03:28.675Z [ 8660] INFO WinMain Build : 98074
    2016-02-23T18:03:28.675Z [ 8660] INFO WinMain =========================
    2016-02-23T18:03:28.675Z [ 8660] INFO WinMain Set process security
    2016-02-23T18:03:28.675Z [ 8660] INFO WinMain Initialise COM.
    2016-02-23T18:03:28.675Z [ 8660] INFO WinMain Load config.
    2016-02-23T18:03:28.675Z [ 8660] INFO `anonymous-namespace'::ReadFileContents Slurping file of size 868 bytes.
    2016-02-23T18:03:28.675Z [ 8660] INFO WinMain Create registry reporter.
    2016-02-23T18:03:28.675Z [ 8660] INFO WinMain Load state.
    2016-02-23T18:03:28.675Z [ 8660] INFO StatePersister::Load Loading state file C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml
    2016-02-23T18:03:28.675Z [ 8660] INFO WinMain Create progress reporter.
    2016-02-23T18:03:28.690Z [ 8660] INFO WinMain Create language neutral logger.
    2016-02-23T18:03:28.690Z [ 8660] INFO WinMain Create downloader.
    2016-02-23T18:03:28.690Z [ 8660] INFO WinMain Create installer.
    2016-02-23T18:03:28.690Z [ 8660] INFO WinMain Create adapter writer.
    2016-02-23T18:03:28.690Z [ 8660] INFO IPCBase::IPCBase IPCBase::IPCBase: Connected to shared memory A32951C539924a12B3C8F2FDA5A268E4
    2016-02-23T18:03:28.690Z [ 8660] INFO WinMain Create completion reporter.
    2016-02-23T18:03:28.690Z [ 8660] INFO WinMain Create update logic.
    2016-02-23T18:03:28.690Z [10076] INFO `anonymous-namespace'::SenderThreadFn::operator() Sender thread started.
    2016-02-23T18:03:28.690Z [10076] INFO IPCSender::ProcessSend IPCSender::ProcessSend started
    2016-02-23T18:03:28.690Z [10076] INFO IPCSender::ProcessSend IPCSender::ProcessSend: No messages in queue, starting to wait
    2016-02-23T18:03:28.690Z [ 8660] INFO WinMain Performing update.
    2016-02-23T18:03:28.690Z [ 8660] INFO UpdateLogic::Update Reporting update start.
    2016-02-23T18:03:28.690Z [ 8660] INFO IPCSender::Write IPCSender::Write: Writing message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSStartUpdate" />
    2016-02-23T18:03:28.690Z [10076] INFO IPCSender::ProcessSend IPCSender::ProcessSend: Send message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSStartUpdate" />
    2016-02-23T18:03:28.690Z [10076] INFO IPCSender::ProcessSend IPCSender::ProcessSend: No messages in queue, starting to wait
    2016-02-23T18:03:28.690Z [ 8660] INFO UpdateLogic::SyncAndInstall Syncing products.
    2016-02-23T18:03:28.690Z [ 8660] INFO SDDSDownloader::SyncInternal Adding Sophos Location: dci.sophosupd.com/cloudupdate
    2016-02-23T18:03:28.690Z [ 8660] INFO SDDSDownloader::SyncInternal Adding Sophos Location: dci.sophosupd.net/cloudupdate
    2016-02-23T18:03:28.690Z [ 8660] INFO SDDSDownloader::SyncInternal Username: W6PF9X7CJA
    2016-02-23T18:03:28.690Z [ 8660] INFO SDDSDownloader::SyncInternal No manually configured proxy.
    2016-02-23T18:03:28.690Z [ 8660] INFO WindowsProxyDiscoveryWrapper::GetDefaultProxyConfiguration WinHttp default proxy not set
    2016-02-23T18:03:30.999Z [ 8660] WARN WindowsProxyDiscoveryWrapper::GetProxyForUrl Failed to get the automatic proxy configuration. The error code was 12180.
    2016-02-23T18:03:31.140Z [ 8660] INFO ProgressReporter::UpdateDetails Product: {E17FE03B-0501-4aaa-BC69-0129D965F311}, updateSize = 0
    2016-02-23T18:03:31.155Z [ 8660] INFO SUL-Log [I96736] Looking for package cd2a5386-f08c-42b1-8d98-40240059e361 RECOMMENDED 1
    2016-02-23T18:03:31.155Z [ 8660] INFO SUL-Log [I19463] Syncing product cd2a5386-f08c-42b1-8d98-40240059e361 418
    2016-02-23T18:03:31.155Z [ 8660] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-02-23T18:03:31.155Z [ 8660] INFO UpdateLogic::SyncAndInstall Saving state.
    2016-02-23T18:03:31.155Z [ 8660] INFO StatePersister::Save Overwriting state file C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml
    2016-02-23T18:03:31.155Z [ 8660] INFO UpdateLogic::SyncAndInstall Skipping product install as Sync failed.
    2016-02-23T18:03:31.171Z [ 8660] INFO IPCSender::Write IPCSender::Write: Writing message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate"><ErrorMessage><ID>SDDSDownloadFailed</ID><StringID>107</StringID><Sender>SophosUpdate</Sender><Insert>ESHSXP</Insert><Insert>dci.sophosupd.com/.../ErrorMessage><ReadableMessage>ERROR: Download of ESHSXP failed from server dci.sophosupd.com/.../Config>
    2016-02-23T18:03:31.171Z [ 8660] INFO WinMain SophosUpdate has completed with the result 0.
    2016-02-23T18:03:31.171Z [10076] INFO IPCSender::ProcessSend IPCSender::ProcessSend: Send message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate"><ErrorMessage><ID>SDDSDownloadFailed</ID><StringID>107</StringID><Sender>SophosUpdate</Sender><Insert>ESHSXP</Insert><Insert>dci.sophosupd.com/.../ErrorMessage><ReadableMessage>ERROR: Download of ESHSXP failed from server dci.sophosupd.com/.../Config>
    2016-02-23T18:03:31.171Z [10076] INFO IPCSender::ProcessSend IPCSender::ProcessSend: No messages in queue, starting to wait
    2016-02-23T18:03:32.185Z [10076] INFO IPCSender::ProcessSend IPCSender::ProcessSend exiting
    2016-02-23T18:03:32.185Z [10076] INFO `anonymous-namespace'::SenderThreadFn::operator() Sender thread finished.
    2016-02-23T18:03:32.185Z [ 8660] INFO StatePersister::Save Overwriting state file C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml
  • In reply to FlorianRossmark:

    These lines look odd, I would have thought rather than the GUID - cd2a5386-f08c-42b1-8d98-40240059e361
    that should be the friendly name for the package.

    2016-02-23T18:03:31.155Z [ 8660] INFO SUL-Log [I96736] Looking for package cd2a5386-f08c-42b1-8d98-40240059e361 RECOMMENDED 1
    2016-02-23T18:03:31.155Z [ 8660] INFO SUL-Log [I19463] Syncing product cd2a5386-f08c-42b1-8d98-40240059e361 418

    If you look under the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\Service\CloudSubscription
    Does it look like this:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\Service\CloudSubscription]
    "RigidName"="WindowsCloudNextGen"
    "Tag"="RECOMMENDED"
    "BaseVersion"="11"

    Regards,
    Jak
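The log triage discussed in the two posts above, as an added example that is not part of the original thread and not Sophos code: it isolates the most recent update attempt, collects WARN/ERROR lines, and flags a requested package whose name is a GUID, which is what Jak calls out as odd. The line format is inferred from the log posted here; the function names are hypothetical.

```python
import re

# Sample input: the first two lines are a constructed earlier run; the rest are
# lines copied from the log posted in this thread.
SAMPLE_LOG = """2016-02-23T17:03:28.675Z [ 1234] INFO WinMain SophosUpdate is starting.
2016-02-23T17:03:29.000Z [ 1234] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
2016-02-23T18:03:28.675Z [ 8660] INFO WinMain SophosUpdate is starting.
2016-02-23T18:03:28.690Z [ 8660] INFO SDDSDownloader::SyncInternal No manually configured proxy.
2016-02-23T18:03:30.999Z [ 8660] WARN WindowsProxyDiscoveryWrapper::GetProxyForUrl Failed to get the automatic proxy configuration. The error code was 12180.
2016-02-23T18:03:31.155Z [ 8660] INFO SUL-Log [I96736] Looking for package cd2a5386-f08c-42b1-8d98-40240059e361 RECOMMENDED 1
2016-02-23T18:03:31.155Z [ 8660] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
2016-02-23T18:03:31.155Z [ 8660] INFO UpdateLogic::SyncAndInstall Skipping product install as Sync failed.
"""

LINE_RE = re.compile(r"^(\S+Z) \[\s*(\d+)\] (INFO|WARN|ERROR) (\S+) (.*)$")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
PKG_RE = re.compile(r"Looking for package (\S+) (\S+) (\S+)")

def parse(text):
    """Yield (timestamp, thread id, level, source, message) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def last_run(records):
    """Keep only the records from the most recent 'SophosUpdate is starting.' marker."""
    records = list(records)
    starts = [i for i, r in enumerate(records) if r[4] == "SophosUpdate is starting."]
    return records[starts[-1]:] if starts else records

def triage(text):
    """Summarise the last update attempt: warnings/errors and requested packages."""
    run = last_run(parse(text))
    report = {"problems": [], "packages": [], "guid_packages": [], "sync_failed": False}
    for ts, tid, level, source, msg in run:
        if level in ("WARN", "ERROR"):
            report["problems"].append((ts, level, source, msg))
        if source == "SDDSDownloader::ReportSyncFailure":
            report["sync_failed"] = True
        m = PKG_RE.search(msg)
        if m:
            report["packages"].append(m.group(1))
            if GUID_RE.match(m.group(1)):
                report["guid_packages"].append(m.group(1))
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against a copy of sophosupdate.log collected from several clients, the `guid_packages` field gives a quick way to separate machines showing this pattern from ones failing for another reason.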
  • In reply to jak:

    No, those are the entries:

    (Default)=(value not set)
    BaseVersion=1
    RigidName=cd2a5386-f08c-42b1-8d98-40240059e361
    Tag=RECOMMENDED

    So the Version as well as the RigidName are totally different to what you write...

    I checked it on my own machine and found it looks like your version, but this can't have to do with any GPO or other settings. We have several clients that aren't even connected to our ActiveDirectory Domain, they run as standalone clients, and they have similar issues. If there is something wrong, it is because Sophos itself has issues, and sorry - we can't just overwrite those Registry settings, for that we would need all the clients to be connected to the AD besides that those are specific Sophos values.

    And yes, it is odd - the Cloud itself tells us that the client doesn't have a current update, we can't do much in the Admin-Console, we don't get a lot information there either. The client shows as still communicating with the Admin-Console, so the issue is somewhere else. And asking Google brings forward that many people seem to experience similar issues.

    We need a solution for this, and quick.

    Btw. the Admin-Console should rather send out information about this like daily summaries etc. - instead we need to log on and do a review that also is pretty complicated compared to other vendors. Worse, we barely realized that 1/3 of our clients isn't up to date anymore, that's horrible. A working Antivirus solution is essential!
  • In reply to FlorianRossmark:

    A week later, support answered and refers to this link: www.sophos.com/.../121174.aspx

    Well - it's not that we didn't look into that already a long time ago. We have way too many clients that don't update, this is not caused by a GPO nor anyhow explainable. It is not a Proxy or anything else. We talk even about separate Internet Connections etc...

    So far, I got the better support here - still I will reply to them with the SDU.log they requested.

    Any other ideas what is going on here?
  • In reply to FlorianRossmark:

    Hello,  

    Did the message I sent you help?

    Regards,

    Jak

  • In reply to jak:

    Hello Jak,

    You only asked for the RegKeys, or did I miss something? We replied to this but still don't have a solution.

    Thank you for asking!

  • In reply to FlorianRossmark:

    Do you have a friendship request from me?  It should have a private message.

    Regards,

    Jak

  • Was there any resolution on this? I'm having the same issue, only affects some computers. I have logged a support request.

  • In reply to DaveCoughlan:

    Hi Dave,

    Our working solution was deactivating the Tamper-Protection per failed client. Then just re-run the Setup (Login-Script / Remote-Install Tools like "PDQ Deploy" or manually) and about 30 Minutes later the Client should be working normally again.

    We didn't always need restarts of the Clients, some just went back to normal after those steps.

    Now, as far as my understanding goes, the Tamper-Protection protects any RegKeys and Files from being changed. What happens here is according to the Support that the Tamper-Protection is activated before the Installation is finished, in this case a Software-Update Installation. Sure someone might think this looks like the Software protects itself of being updated - but who am I to judge this :-).

    Let me know if this helped you, I might know a few other tricks.

    Florian

  • In reply to FlorianRossmark:

    Hi Florian,

    Thanks for the response, disabling tamper-protection and re-installing worked on a couple of machines but I still have a few which won't update. Out of 8 test machines, 3 installed first go, 2 installed on second go and 3 are still not updating.

    I am using DesktopCentral to deploy the package, DesktopCentral returns error 146 "The specified path is being used in a substitute". This is the response for all machines, whether successful or not, so it may mean nothing.

    I have updated logs to Sophos but I'm still waiting on a response.

    Thanks in advance!

    Dave

  • In reply to DaveCoughlan:

    Just an update on this, it seems that our Sophos UTM was blocking some traffic. Weird how some computers were ok and some weren't.