Download of WindowsCloudNextGen failed from server http://dci.sophosupd.com/update.

We see this a fair bit for no obvious reason and no common reason i.e. mix of clients, mix of locations, internet access works.

Doesn't appear to have any practical impact other than being an annoyance in the logs.

Any ideas what's causing it please?

  • In reply to Patrick Mulvehill:

    Hi Patrick,

    2017-05-19T17:47:23.551Z [13340] ERROR ProductInstaller::RunUpdateCheck Endpoint is not currently updateable. Aborting endpoint update
    2017-05-19T17:47:23.551Z [13340] INFO ProductInstaller::RunUpdateCheck Endpoint must be rebooted.

    ..

    2017-05-19T17:47:23.555Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudNextGen, error: 5
    2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudHitmanProAlert, error: 5
    2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudHitmanProAlert, error: 5
    2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudNextGen, error: 5

    I believe the first check which has resulted in:

    Endpoint is not currently updateable

    is if the process (SophosUpdate.exe) can open the key:
    hklm\system\currentcontrolset\service\sophos autoupdate service

    I think it then goes on to query the description value and maybe set it.

    The process that kicks off SophosUpdate is the Sophos AutoUpdate service (alsvc.exe).  This runs as System, and so does SophosUpdate as a child process, so I don't know why it would have issues.

    I would start by checking:

    1. The Sophos AutoUpdate service is running as system user 

    2. SophosUpdate.exe when launched is running as System.  

    Process Explorer from Sysinternals would be good for these checks.

    3. Check the above key, specifically for the effective rights of the System user.

    Beyond that, have you tried restarting the computer given the next line:
    Endpoint must be rebooted.

    Maybe do that first and then the above.

    Regards,

    Jak

  • In reply to jak:

    After lots of testing over the weekend, it appears that my Sonicwall Gateway protection software sees everything that Sophos does as a threat. I am trying to fight through all of the different threat alerts to whitelist the traffic, but it is taking a lot of time. I will post an update if that ends up fixing everything.

    Meanwhile, I have one computer that I want to try uninstalling and reinstalling the agent on. However, it says that I can't because tamper protection is on. The problem is that even after turning the protection off, it still won't uninstall. Any tips on how to remove a stubborn instance of the agent?

    Patrick

  • In reply to jak:

    Hello Jak,

    Where is Sophos at with SonicWALL to resolve this false positive? This thread is over 6 months old yet it is still happening (brand new customer here, ran into the same issue).

    Thanks,

    Karl

  • In reply to Karl Julson:

    I suspect you'd have to get in touch with SonicWall if their rules keep detecting legitimate files.  I'm not familiar with their products, but maybe you can make exclusions for the Sophos domains sophosupd.com and sophosupd.net to prevent it happening in the meantime.

    A quick search on Google turned up this page:

    https://support.sonicwall.com/kb/sw7833

    If you can download the blocked file and send it to them with details of the detection rule it fired on that should get things rolling.

    Regards,

    Jak

  • In reply to jak:

    Is this a configuration issue? It's identifying Sophos as a trojan. I guess I am just curious why this is something that we have to take care of spending an hour or two on the phone with them, or opening up our external firewall when the program itself is being identified as an issue. In the past, when Sonicwall was blocking a program by grandMA, they contacted their support and handled the issue.

    Is it wrong to expect the same level of support from Sophos?

  • I'm a new Sophos user as well. I am just in the process of switching over to endpoint protection and then will be swapping out our SonicWall for a Sophos XG.  I just resolved this by adding the cloud AV signature ID 55394638 to the exclusion list.  In your SonicWall control panel go to =>Security services=>Gateway Anti-virus, scroll down and click on the button "Cloud AV DB exclusion settings" and add 55394638 to the list.

  • In reply to Garrett:

    There is another way to resolve this.

    White-list a group of trusted Sophos Sites (domains/URLs) and add them to a SonicWALL firewall to bypass the SonicWALL Cloud AntiVirus scanning security and allow for proper installation/update of the Sophos products. Add the following list of Sophos sites as FQDN WAN objects to the SonicWALL firewall:

    *.sophos.com

    *.sophosupd.com

    *.sophosupd.net

    *.sophosxl.net

    ocsp2.globalsign.com

    crl.globalsign.com

  • In reply to jak:

    We have the same problem. I've tried this and was able to download "http://d1.sophosupd.com/update/537a1ca1123a7e6dc6d6127bae7df5fex000.dat" but unable to paste it to "C:\ProgramData\Sophos\AutoUpdate\data\warehouse\". It says I need permission. I'm using an administrator account.

  • In reply to Berhad TA Securities Holdings:

    You could try using an administrative command prompt to copy the file into place.  The other possible cause is that Tamper Protection is preventing you from writing to what would be a protected area.

    Can you disable TP and try again if it is enabled?

    Maybe worth checking if Tamper Protection, i.e. Sophos Endpoint Defense component installed?

    In an admin prompt, does running:
    fltmc

    list Sophos Endpoint Defense?

    Regards,
    Jak

  • In reply to jak:

    Hello,

    we have the same problem.

    I just downloaded the "http://d1.sophosupd.com/update/537a1ca1123a7e6dc6d6127bae7df5fex000.dat" but I’m unable to copy the file in the share "C:\ProgramData\Sophos\AutoUpdate\data\warehouse\".

    After deactivating the tamper protection, it is possible to copy the file.

    What can we do? We have this issue on a bunch of systems.

    Firewall is an XG.

    Thank you.

    Michael Kreymborg

  • In reply to Michael Kreymborg:

    Normally to fix this issue for me, I have to disable automatic updates from Global Settings > Endpoint Protection > Controlled Updates.

    If I configure to update manually, then push an update, it will succeed.

    If automatic updates are turned on, it will fail almost every time.

  • In reply to Patrick Mulvehill:

    I see a number of errors that seem to revolve around registry keys:

    2017-05-19T17:47:23.551Z [13340] ERROR ProductInstaller::RunUpdateCheck Endpoint is not currently updateable. Aborting endpoint update
    ...
    2017-05-19T17:47:23.552Z [13340] ERROR RegistryReporter::SetHealthEvent Could not create SOFTWARE\Sophos\AutoUpdate\UpdateStatus\HealthEvents\e6b6976e-6362-4fe0-aa04-c7b3856e7272 with error: 5
    2017-05-19T17:47:23.553Z [13340] ERROR SDDSDownloader::ReportSyncFailure Aborting update.
    ...
    2017-05-19T17:47:23.555Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudNextGen, error: 5
    2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudHitmanProAlert, error: 5
    2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudHitmanProAlert, error: 5
    2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudNextGen, error: 5
    ..
    2017-05-19T17:47:23.557Z [13340] WARN RegistryReporter::StoreUpdateDetails StoreUpdateDetails[SDU]: failed to delete subkey: 5
    2017-05-19T17:47:23.558Z [13340] ERROR RegistryReporter::SetUpdateStatus SetUpdateStatus: Failed to write LastUpdateTime:5
    2017-05-19T17:47:23.558Z [13340] ERROR RegistryReporter::SetUpdateStatus SetUpdateStatus: Failed to write Result:5
    2017-05-19T17:47:23.558Z [13340] ERROR RegistryReporter::SetUpdateStatus SetUpdateStatus: Failed to write FallbackInUse: 5
    2017-05-19T17:47:23.559Z [13340] ERROR RegistryReporter::SetUpdateStatus SetUpdateStatus: Failed to write FirstFailedUpdateTime: 5
    ..
    2017-05-19T17:47:24.563Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudNextGen, error: 5
    2017-05-19T17:47:24.564Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudHitmanProAlert, error: 5
    2017-05-19T17:47:24.565Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudHitmanProAlert, error: 5
    2017-05-19T17:47:24.565Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudNextGen, error: 5

    I suspect if you run Process Monitor - docs.microsoft.com/.../procmon - during an update, you might see Access Denied results for registry operations on the keys under:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos

    So either there are permission issues on the registry keys (although as the process is running as System it should be ok) or possibly Sophos Endpoint Defense (SED) is blocking them which would be odd.  If that is the case, you might see entries in the SED log file.  C:\ProgramData\Sophos\Endpoint Defense\Logs\sed.log.

    Regards,
    Jak
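A small triage script for AutoUpdate log excerpts like the one quoted above, added here as an example (not Sophos code): it parses the log line format, pulls the trailing Win32 error code from each message, and reports whether every failure is ERROR_ACCESS_DENIED (code 5), which points at registry permissions or a blocking component such as SED rather than the download itself. The sample lines are copied from the thread; the error-code table is my own and only covers a few well-known codes.

```python
import re
from collections import Counter

# Sample input: lines copied from the log excerpt quoted in the thread.
SAMPLE_LOG = r"""
2017-05-19T17:47:23.551Z [13340] ERROR ProductInstaller::RunUpdateCheck Endpoint is not currently updateable. Aborting endpoint update
2017-05-19T17:47:23.552Z [13340] ERROR RegistryReporter::SetHealthEvent Could not create SOFTWARE\Sophos\AutoUpdate\UpdateStatus\HealthEvents\e6b6976e-6362-4fe0-aa04-c7b3856e7272 with error: 5
2017-05-19T17:47:23.553Z [13340] ERROR SDDSDownloader::ReportSyncFailure Aborting update.
2017-05-19T17:47:23.555Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudNextGen, error: 5
2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudHitmanProAlert, error: 5
2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudHitmanProAlert, error: 5
2017-05-19T17:47:23.557Z [13340] WARN RegistryReporter::StoreUpdateDetails StoreUpdateDetails[SDU]: failed to delete subkey: 5
2017-05-19T17:47:23.558Z [13340] ERROR RegistryReporter::SetUpdateStatus SetUpdateStatus: Failed to write LastUpdateTime:5
2017-05-19T17:47:23.558Z [13340] ERROR RegistryReporter::SetUpdateStatus SetUpdateStatus: Failed to write FallbackInUse: 5
"""

# "<timestamp> [<pid>] <LEVEL> <Component>::<Method> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) \[(?P<pid>\d+)\] (?P<level>\w+) "
                     r"(?P<component>\w+)::(?P<method>\w+) (?P<msg>.*)$")
CODE_RE = re.compile(r":\s*(\d+)\s*$")        # trailing Win32 error code
KEY_RE = re.compile(r"SOFTWARE\\[^\s,]+")    # registry path in the message

# Assumed lookup table of a few well-known Win32 error codes.
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED",
                32: "ERROR_SHARING_VIOLATION"}

def parse_line(line):
    """Return a dict for one log line, or None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    code = CODE_RE.search(rec["msg"])
    rec["code"] = int(code.group(1)) if code else None
    key = KEY_RE.search(rec["msg"])
    rec["key"] = key.group(0) if key else None
    return rec

def summarize(text):
    """Group failures by error code and component; flag the all-denied case."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    failures = [r for r in recs if r["code"] is not None]
    by_code = Counter(WIN32_ERRORS.get(r["code"], f"WIN32_{r['code']}") for r in failures)
    by_component = Counter(r["component"] for r in failures)
    keys = sorted({r["key"] for r in failures if r["key"]})
    all_denied = bool(failures) and all(r["code"] == 5 for r in failures)
    return {"records": len(recs), "failures": len(failures), "by_code": dict(by_code),
            "by_component": dict(by_component), "keys": keys, "all_access_denied": all_denied}
```

When "all_access_denied" is true, the next step is the Process Monitor check Jak describes, filtered to the listed keys under the Sophos registry hive.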