
All Clients "Not compliant"

Hi folks!

Next problem with Endpoint Protection... [:)]

All my clients show as [Not compliant] with description "SAV policy is not compliant":


The Administration Guide says:
The status Not Compliant indicates that the device's settings are currently not the same as configured on the UTM. To resolve this problem you find a link in the window to send the current endpoint settings to the endpoint.


So I click on "Resolve" and the status turns to [OK].
The log shows:
2012:09:23-18:46:13 vpn epsecd[13764]: D Epsec::Utils::Logging::_log:59() => id="4245" severity="debug" sys="System" sub="epsecd" name="Sent comply with action" mcs_id=""


But a few minutes later all devices are [Not compliant] again for the same reason.
Here the log shows:
2012:09:23-18:46:53 vpn epsecd[13764]: W Epsec::Utils::Logging::_log:59() => id="4234" severity="warn" sys="System" sub="epsecd" name="Endpoint is not compliant" mcs_id=""
2012:09:23-18:46:53 vpn epsecd[13764]: D Epsec::Utils::Logging::_log:59() => id="4228" severity="debug" sys="System" sub="epsecd" name="Updated AGENT info in the DB" mcs_id=""


What can I do?


  • Seems I've got a problem that no one else has had before... [;)]

    Is there any log on the client where I can check if something is failing?

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
  • Seems I'm talking to myself in this thread... [;)]

    Sadly it helps! [:D]

    I think I found the "error":
    I had defined some exceptions for my servers (UNC Path) like described in the Online Help:
    Scanning exclusions: If selected, you can exclude a file, a folder, or a network drive from antivirus scanning. Enter the file, folder, or network drive in the File/Path field, e.g., C:\Documents or \\Server\Users\Documents\CV.doc


    But an exclusion like
    \\servername

    or
    \\servername\Share

    seems not to be valid.

    I dug through my client's file system for meaningful logs and found some under "C:\ProgramData\Sophos\Management Communications System\Endpoint\Logs".
    McsAgent.log showed lines like:
    2012-09-25T19:21:34.186Z [ 5460] INFO  AdapterLogger::Information SAVXP Adapter: Exclusion \\servername\ is not valid for SAVXP/2K/2003, this part of the policy cannot be applied.


    Removed all exclusions with UNC Paths, waited some minutes and all clients were in state [Ok] again!

    So please Sophos take out that part of the online help or, better, add a warning. Else it produces errors like these...

  • Interesting, that is good to know.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • @Scorpionking,

    Thanks for reporting.  What is the exact UTM version are you running?

    -Jason
  • Seems I'm talking to myself in this thread... [;)]

    Sadly it helps! [:D]

    Well, it appears to have been an intelligent conversation... [:D]

    I'm waiting a bit before I install this in production, and don't have it installed in the lab at present.  Are you saying that you deleted all exclusions that began with "\\servername" and left only those like "F:\Users\Administrator\" or that you eliminated all?

    Also, does this problem occur only on XP and Server 2003 and earlier servers, or does it apply also to Win7 and Server 2008R2?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Are you saying that you deleted all exclusions that began with "\\servername" and left only those like "F:\Users\Administrator\" or that you eliminated all?

    Only those beginning with "\\servername" (UNC paths); exclusions like "F:\..." are working.

    Also, does this problem occur only on XP and Server 2003 and earlier servers, or does it apply also to Win7 and Server 2008R2?

    The mentioned log is from a Win7 machine, but the problem also appeared on Server 2008 R2 and Windows XP.

    @jays: UTM 9.002-12 (latest Up2Date).

  • @Scorpionking,

    I have submitted a bug report to our devs.  Does it work with a share name with a trailing slash (i.e. \\servername\share\)?
  • Some feedback from QA:
    “I believe this is a documentation bug. SAV exclusions can be set up for drives, folders, files and all remote drives. \\servername does not map to any of these. You would need to specify the drive or share name first.”

    As jays suggested, it should work with "\\servername\share\". I just tested on my systems, and it works with the trailing slash, but fails to apply to the clients without it.
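    The two findings above (the McsAgent.log "Exclusion ... is not valid" line, and QA's rule that an exclusion must name a drive, folder, file or share rather than a bare server) can be turned into a small pre-flight check for a UTM exclusion list. The script below is an added example written for this thread, not Sophos code: it classifies each File/Path entry using only the forms the thread established (bare "\\servername" refused, "\\servername\share" without trailing backslash not applied, "\\servername\share\" applied, local drive paths applied) and pulls rejected exclusions out of McsAgent.log text. Treating deeper paths under a share (like the online help's "\\Server\Users\Documents\CV.doc") as valid is an assumption taken from that help example; the sample log content is constructed, mirroring the line quoted earlier in the thread.

```python
"""Audit Sophos UTM endpoint scanning exclusions for forms the SAV adapter rejects.

Added example for this forum thread, not Sophos code. Paths are written as
Python string literals, so every backslash is doubled ("\\\\srv\\share\\").
"""
import re

# Constructed sample of McsAgent.log: line 1 mirrors the line quoted in the
# thread, line 2 is a made-up, unremarkable line.
SAMPLE_MCSAGENT_LOG = (
    "2012-09-25T19:21:34.186Z [ 5460] INFO  AdapterLogger::Information SAVXP Adapter: "
    "Exclusion \\\\servername\\ is not valid for SAVXP/2K/2003, "
    "this part of the policy cannot be applied.\n"
    "2012-09-25T19:21:35.002Z [ 5460] INFO  AdapterLogger::Information SAVXP Adapter: "
    "policy applied\n"
)

# Matches the rejection line format shown in the thread.
REJECTED_RE = re.compile(r"Exclusion (?P<path>\S+) is not valid for (?P<platform>\S+),")
# Local drive-letter path such as C:\Documents or F:\Users\Administrator\
LOCAL_RE = re.compile(r"^[A-Za-z]:\\")


def classify_exclusion(path):
    """Return (kind, reason) for one File/Path exclusion entry.

    kind is 'drive', 'local', 'unc' or 'invalid'. The UNC rules are the ones
    this thread established; everything below a share is assumed valid.
    """
    if path.startswith("\\\\"):
        parts = path[2:].split("\\")          # ["server", "share", ...]
        if len(parts) < 2 or parts[1] == "":
            return ("invalid", "UNC exclusion names a server but no share")
        if len(parts) == 2:
            return ("invalid", "UNC share needs a trailing backslash")
        return ("unc", "remote share path")
    if LOCAL_RE.match(path):
        if len(path) == 3:                    # e.g. "C:\"
            return ("drive", "whole local drive")
        return ("local", "local folder or file")
    return ("invalid", "not an absolute drive or UNC path")


def audit_exclusions(exclusions):
    """Map each exclusion that would not be applied to its reason (empty dict = clean)."""
    problems = {}
    for entry in exclusions:
        kind, reason = classify_exclusion(entry)
        if kind == "invalid":
            problems[entry] = reason
    return problems


def find_rejected_exclusions(log_text):
    """Extract (path, platform) pairs from McsAgent.log 'is not valid' lines."""
    return [(m.group("path"), m.group("platform"))
            for m in REJECTED_RE.finditer(log_text)]


if __name__ == "__main__":
    # Constructed policy resembling the one discussed in the thread.
    policy = ["\\\\servername", "\\\\servername\\Share", "\\\\servername\\Share\\",
              "C:\\Documents", "F:\\Users\\Administrator\\"]
    for entry, reason in audit_exclusions(policy).items():
        print(f"will not apply: {entry!r}: {reason}")
    for path, platform in find_rejected_exclusions(SAMPLE_MCSAGENT_LOG):
        print(f"McsAgent.log rejected {path!r} for {platform}")
```

    Running the audit before saving a policy avoids the cycle described at the top of the thread, where "Resolve" flips clients to [OK] and they drop back to [Not compliant] minutes later; running the log extractor over a client's McsAgent.log tells you which entry the adapter actually refused.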
  • Hey Boys and Girls.

    I have a question. Sophos writes:
    “I believe this is a documentation bug. SAV exclusions can be set up for drives, folders, files and all remote drives. \\servername does not map to any of these. You would need to specify the drive or share name first.”

    Is there a way to notate an exclusion for ALL remote folders? The Sophos Enterprise Console has a checkbox to enable this option, but on the UTM endpoint I didn't find this option.

    Thanks for your answers.
  • You're right, Thomas, Endpoint isn't yet completely integrated into UTM.

    Cheers - Bob