[Sophos Notification] Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update

Hi Everyone,

After installing the following Microsoft Windows updates Sophos has received reports of computers failing to boot:

The issue is currently being investigated. For more updates and a workaround, please follow the KBA below.

Following the Microsoft Windows 09th April update computers fail/hang on boot

  • We have noticed that since the new update has been rolled out, c:\ProgramData\Sophos\Autoupdate\data\status\AUAdapter.xml no longer exists. This is a problem as we monitor the contents of this file with our client monitoring systems (SolarWinds) to ensure that nothing untoward is going on with our customers' AV and everything is up to date. Can you please advise how best to now do this since the file has been removed / retired?

    Example:

    Customer: *************
    Device: *************
    Device IP *************
    Service: Log Analysis (Batch) - c:\ProgramData\Sophos\Autoupdate\data\status\AUAdapter.xml
    State Transition: From Normal To Warning
    Time Of State Transition: 2019-05-15 09:11:56
    Notification: Priority 2 (0 mins – 24/7 Checks)

    Alert Trigger: difference in minutes between the last parsed dateline of the file and the local time of the test

    Service Details:
    File Size: 684.00 B
    Regular Expression 1: False
    Regular Expression 2: False
    Time Offset between Local Device and GMT: 1
    Difference in minutes between the last parsed dateline of the file and the local time of the test: 1.00 days
    Number of Lines in the File: 22.00 Lines
    File creation date: 2018-04-22 12:13:36
    File modification date: 2019-05-14 09:06:58
    Last Parse-able Date in Log (GMT): 2018-04-22 12:13:36
    The line count matched regex 1: 0.00 Lines
    The line count matched regex 2: 0.00 Lines

  • Hi Richie,

    Are you sure that the file no longer exists? It's still there on my machine. However, we have stopped writing to it, so this is likely the cause of the issue you see. Are you able to use the registry for this purpose? HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\UpdateStatus

    Regards,

    Stephen

  • StephenMcKay said:

    Hi Richie,

    Are you sure that the file no longer exists? It's still there on my machine. However, we have stopped writing to it, so this is likely the cause of the issue you see. Are you able to use the registry for this purpose? HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\UpdateStatus

    Regards,

    Stephen

    Thanks Stephen. We shall take a look at the registry item you have mentioned and see how we can change our monitoring to accommodate.