
Download of WindowsCloudNextGen failed from server http://dci.sophosupd.com/update.

We see this a fair bit for no obvious reason and no common reason i.e. mix of clients, mix of locations, internet access works.

Doesn't appear to have any practical impact other than being an annoyance in the logs.

Any ideas what's causing it please?



  • We see this quite frequently as well, for no apparent reason.  Is there any resolution?

  • What is in the following log files:

    • %temp%\Sophos Endpoint Bootstrap_(datetime).txt
      Note: It's the temp directory of the installing user.  If SophosInstall.exe was run as System (AD startup-script), it would be in %windir%\temp\ for example.
    • %programdata%\Sophos\Management Communications System\Endpoint\Logs\McsClient.log
    • %programdata%\Sophos\AutoUpdate\logs\SophosUpdate.log


    The Sophos Endpoint Bootstrap log will have the initial validation checks to the update source and the management servers.
    The McsClient.log will have if the computer was able to register (did it get an endpoint ID, did it get the needed updating policy and credentials to provide Sophos AutoUpdate).
    The SophosUpdate.log will detail if the computer has credentials and why it can't update when it tries to download files.

    Regards,

    Jak

  • Can you Pastebin or share out your SophosUpdate.log from the \programdata\sophos\autoupdate\logs directory?

  • Hi Patrick,

    2017-05-19T17:47:23.551Z [13340] ERROR ProductInstaller::RunUpdateCheck Endpoint is not currently updateable. Aborting endpoint update
    2017-05-19T17:47:23.551Z [13340] INFO ProductInstaller::RunUpdateCheck Endpoint must be rebooted.

    ..

    2017-05-19T17:47:23.555Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudNextGen, error: 5
    2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudHitmanProAlert, error: 5
    2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudHitmanProAlert, error: 5
    2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudNextGen, error: 5

    I believe the first check which has resulted in:

    Endpoint is not currently updateable

    is if the process (SophosUpdate.exe) can open the key:
    hklm\system\currentcontrolset\service\sophos autoupdate service

    I think it then goes on to query the description value and maybe set it.

    The process that kicks off SophosUpdate is the Sophos AutoUpdate service (alsvc.exe).  This runs as system and so does sophosupdate as a child process so I don't know why it would have issues.

    I would start by checking:

    1. The Sophos AutoUpdate service is running as system user 

    2. SophosUpdate.exe when launched is running as System.  

    Process Explorer from Sysinternals would be good for these checks.

    3. Check the above key, specifically for the effective rights of the System user.

    Beyond that, have you tried restarting the computer given the next line:
    Endpoint must be rebooted.

    Maybe do that first and then the above.

    Regards,

    Jak
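
Added example, not part of the original thread and not Sophos tooling: a small Python triage pass over the SophosUpdate.log line format quoted in the post above, counting ERROR lines per source, decoding the trailing error number and surfacing the reboot hint. The function name `triage` is hypothetical, the sample input is the log excerpt from the post, and reading "error: 5" as the Win32 code ERROR_ACCESS_DENIED is an assumption.

```python
import re
from collections import Counter

# Format as quoted in the post: <UTC timestamp> [<id>] <LEVEL> <Class::Method> <message>
LINE_RE = re.compile(r"^(\S+Z) \[(\d+)\] ([A-Z]+) (\S+::\S+) (.*)$")
CODE_RE = re.compile(r"error: (\d+)$")
LINE_ID_RE = re.compile(r"line ID (?:subkey )?(\w+)")

# Assumption: the trailing "error: N" is a Win32 error code.
WIN32 = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}

# Sample input: the log lines quoted in the post above.
SAMPLE = """\
2017-05-19T17:47:23.551Z [13340] ERROR ProductInstaller::RunUpdateCheck Endpoint is not currently updateable. Aborting endpoint update
2017-05-19T17:47:23.551Z [13340] INFO ProductInstaller::RunUpdateCheck Endpoint must be rebooted.
..
2017-05-19T17:47:23.555Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudNextGen, error: 5
2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudHitmanProAlert, error: 5
2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudHitmanProAlert, error: 5
2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudNextGen, error: 5
"""

def triage(text):
    """Summarise a log: errors per source, decoded codes, affected line IDs, reboot hint."""
    by_source, codes, line_ids, reboot = Counter(), Counter(), set(), False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or elided ("..") lines
        level, source, msg = m.group(3), m.group(4), m.group(5)
        if "must be rebooted" in msg:
            reboot = True  # logged at INFO, so check before the level filter
        if level != "ERROR":
            continue
        by_source[source] += 1
        code = CODE_RE.search(msg)
        if code:
            n = int(code.group(1))
            codes[WIN32.get(n, f"WIN32_{n}")] += 1
        line_ids.update(LINE_ID_RE.findall(msg))
    return {"errors_by_source": dict(by_source), "codes": dict(codes),
            "line_ids": sorted(line_ids), "reboot_pending": reboot}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against a full SophosUpdate.log, a cluster of access-denied results on `RegistryVersionPersister::Save` together with `reboot_pending` being true matches the situation the post describes: reboot first, then check the service account and the registry key permissions.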

     

  • After lots of testing over the weekend, it appears that my Sonicwall Gateway protection software sees everything that Sophos does as a threat. I am trying to fight through all of the different threat alerts to whitelist the traffic, but it is taking a lot of time. I will post an update if that ends up fixing everything.

    Meanwhile, I have one computer that I want to try uninstalling and reinstalling the agent on. However, it says that I can't because tamper protection is on. The problem is that even after turning the protection off, it still won't uninstall. Any tips on how to remove a stubborn instance of the agent?

    Patrick

  • Hello Jak,

    Where is Sophos at with SonicWALL to resolve this false positive? This thread is over 6 months old yet it is still happening (brand new customer here, ran into the same issue).

    Thanks,

    Karl

  • I suspect you'd have to get in touch with SonicWall if their rules keep detecting legitimate files.  I'm not familiar with their products but maybe you can make exclusions from the Sophos domains sophosupd.com and sophosupd.net to prevent it happening in the meantime.

    A quick search on Google turned up this page:

    https://support.sonicwall.com/kb/sw7833

    If you can download the blocked file and send it to them with details of the detection rule it fired on that should get things rolling.

    Regards,

    Jak

  • Is this a configuration issue? It's identifying Sophos as a trojan. I guess I am just curious why this is something that we have to take care of spending an hour or two on the phone with them, or opening up our external firewall when the program itself is being identified as an issue. In the past, when Sonicwall was blocking a program by grandMA, they contacted their support and handled the issue.

    Is it wrong to expect the same level of support from Sophos?

  • There is another way to resolve this.

    White-list a group of trusted Sophos Sites (domains/URLs) and add them to a SonicWALL firewall to bypass the SonicWALL Cloud AntiVirus scanning security and allow for proper installation/update of the Sophos products. Add the following list of Sophos sites as FQDN WAN objects to the SonicWALL firewall:

    *.sophos.com

    *.sophosupd.com

    *.sophosupd.net

    *.sophosxl.net

    ocsp2.globalsign.com

    crl.globalsign.com

  • We have the same problem. I've tried this and am able to download "http://d1.sophosupd.com/update/537a1ca1123a7e6dc6d6127bae7df5fex000.dat" but am unable to paste it to "C:\ProgramData\Sophos\AutoUpdate\data\warehouse\". It says I need permission. I'm using an administrator account.

  • You could try using an administrative command prompt to copy the file into place.  The other possible cause is that Tamper Protection is preventing you writing to what would be a protected area. 

    Can you disable TP and try again if it is enabled?

    Maybe worth checking if Tamper Protection, i.e. the Sophos Endpoint Defense component, is installed?

    In an admin prompt, does running:
    fltmc

    list 

    Sophos Endpoint Defense

    Regards,
    Jak

  • Hello,

    we have the same problem.

    I just downloaded the "http://d1.sophosupd.com/update/537a1ca1123a7e6dc6d6127bae7df5fex000.dat" but I'm unable to copy the file into the share "C:\ProgramData\Sophos\AutoUpdate\data\warehouse\".

    After deactivating the tamper protection, it is possible to copy the file.

    What can we do? We have this issue on a bunch of systems.

    Firewall is an XG.

    Thank you.

    Michael Kreymborg

  • Normally to fix this issue for me, I have to disable automatic updates from Global Settings > Endpoint Protection > Controlled Updates.

    If I configure to update manually, then push an update, it will succeed.

    If automatic updates are turned on, it will fail almost every time.

  • Yup....got this same error......and keeps happening time and time again. A real pain in the *sss.

    I have gone into "Controlled Updates". But I do not see anywhere one can PUSH the update to any clients?

    How is this accomplished?

    Only TWO options here:

    View release notes, which takes you to Sophos website.

    Manage Computers: The ONLY thing that can be done is add\remove computers.

    Where is the PUSH...button?? I am curious as to how this is accomplished.