
EP can't update on all clients

Hi guys

At two different sites, I have a UTM Home running on identical hardware and firmware (currently 9.315-2), but of course an independent license.

At Site A, there are 3 clients with "Endpoint Protection" installed. They are updating themselves frequently and are currently running version 11.0.5 UTM.

At Site B, there are 6 clients (Windows 7) with "Endpoint Protection" installed. They all recently started showing up as "Out-of-date" in the Endpoint Protection Status - investigation shows that they all stopped receiving updates around July 27/28 and are still running version 10.3 UTM.

The following messages are visible in the log at all Site B clients upon the hourly update check:

Zeit: 20.09.2015 17:49:08
Meldung: AutoUpdate abgeschlossen
Zeit: 20.09.2015 17:49:08
Meldung: Download-Phase abgeschlossen
Zeit: 20.09.2015 17:49:08
Meldung: FEHLER:   Endpoint Security and Control konnte nicht von Server Sophos heruntergeladen werden
Zeit: 20.09.2015 17:49:05
Meldung: Download von Produkt Endpoint Security and Control vom Server Sophos
Zeit: 20.09.2015 17:49:02
Meldung: ***************          Sophos AutoUpdate gestartet          ***************

It states that it can't download "Endpoint Security and Control" from server.

However, when I trigger an update manually by right-clicking on the taskbar logo and "Jetzt updaten (Update now)", a window opens up which shows that it is actually downloading a file (see attachment "sophos01.png") before the message changes into "Keine Verbindung zum Server (No connection to server)" (see attachment "sophos02.png").

Things I've tried already with no success:
- Reset the registration token for Endpoint Protection at the affected UTM.
- Disabled the Windows Firewall.
- Made the client bypass the proxy.
- Checked the Windows Event Viewer for related events.

Recently installed Endpoint Protection can't even get the actual software downloaded.

Is there a way to get a more detailed log from the Endpoint Protection? The fact that it tells me it "can't download the file" but is actually downloading confuses me...

What could be the cause of this situation?
How might I be able to fix it?

Every reply is greatly appreciated!

Have a great day!


  • Try a google on site:astaro.org/gateway-products/endpoint-protection-antivirus-device-control update "11.0" - any luck with that?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the advice, BAlfson.

    I have already searched the board for similar problems, but there is no solution that helped in my case.

    The IPS didn't interfere with the updates. There are no such entries in the log file. Even disabling IPS doesn't help.

    Also, I've tried to download the installer by replacing the string "slim" at the end of the URL with "full" - and while that actually installs the EP, it is only giving me the version 10.3. 

    Any help is appreciated.
  • I went over to one of the clients and did a Wireshark trace today while performing the update. See attached screenshot.

    It tried to pull a "sddsconf.xml" from two different servers and got a 404 (file not found) response back from both. Is this normal behaviour?
  • Hi,

    According to your trace, the client tries to get the file from the internet... As far as I know, the first update source should be the UTM... Maybe that's the problem... Is the client shown as "online" in the UTM when it should be?

    *EDIT*
    Maybe the cache on the UTM is corrupted for the EP install files?

    regards,
    chris
  • cbka, thanks for your post.

    Last weekend, I had done a reinstallation of the UTM (using the newest ISO) and restored the backup of the configuration afterwards. Unfortunately, it didn't help.

    I also did reset the UTM ID, waited for two days and tried the installation again. Then, it wouldn't even have username and password information in the Endpoint "Primary Path" settings...

    Everything is really strange... The next and last thing I can think of is another reinstallation and manual configuration of the UTM.

    Any other suggestions anyone?
  • Hello everyone,

    It seems that the problems have been back again for a week now. Having the same issue, it doesn't matter on which system/Windows/location you install the given package from the UTM AV console (URL or download).
    SLIM or FULL, both don't update after install or won't download (slim) the antivirus software due to the connection error.

    We created a ticket at Sophos Support (8084976) a couple of days ago and already had some phone conversations about this with remote sessions. Now waiting on the results/answer.
    For now, it looks like the downloaded package is v10 and doesn't update, but if we already have v11 working, the updates work...

    Regards, Sander.

     

    2018-05-03T09:41:24.506Z [ 9136] INFO  SUL-Log [I96736] Looking for package cd2a5386-f08c-42b1-8d98-40240059e361 RECOMMENDED 1
    2018-05-03T09:41:24.506Z [ 9136] ERROR SUL-Log [E21569] Couldn't authenticate user for resource with host server. URL was: http://dci.sophosupd.com/cloudupdate
    2018-05-03T09:41:24.506Z [ 9136] INFO  SUL-Log [I23158] No proxy was used.
    2018-05-03T09:41:24.506Z [ 9136] INFO  SUL-Log [I96736] Looking for package cd2a5386-f08c-42b1-8d98-40240059e361 RECOMMENDED 1
    2018-05-03T09:41:24.506Z [ 9136] ERROR SUL-Log [E35364] Out of update sources
    2018-05-03T09:41:24.506Z [ 9136] ERROR SDDSDownloader::ReportSyncFailure Failed to synchronise
    2018-05-03T09:41:24.521Z [ 9136] INFO  StatePersister::Save Overwriting state file C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml
    2018-05-03T09:41:24.521Z [ 9136] INFO  UpdateLogic::SyncAndInstall Skipping product install as Sync failed.
    2018-05-03T09:41:25.556Z [ 9136] INFO  IPCSender::Write IPCSender::Write: Writing message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate"><ErrorMessage><ID>SDDSDownloadFailed</ID><StringID>107</StringID><Sender>SophosUpdate</Sender><Insert>ESHSXP</Insert><Insert>http://dci.sophosupd.com/cloudupdate</Insert></ErrorMessage><ReadableMessage>ERROR:   Download of ESHSXP failed from server http://dci.sophosupd.com/cloudupdate</ReadableMessage></Config>
    2018-05-03T09:41:25.556Z [ 9136] INFO  WinMain SophosUpdate has completed with the result 0.
    2018-05-03T09:41:25.556Z [ 8720] INFO  IPCSender::ProcessSend IPCSender::ProcessSend: Send message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate"><ErrorMessage><ID>SDDSDownloadFailed</ID><StringID>107</StringID><Sender>SophosUpdate</Sender><Insert>ESHSXP</Insert><Insert>http://dci.sophosupd.com/cloudupdate</Insert></ErrorMessage><ReadableMessage>ERROR:   Download of ESHSXP failed from server http://dci.sophosupd.com/cloudupdate</ReadableMessage></Config>
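
Added example, not part of any post in this thread and not Sophos code: a small Python triage of the AutoUpdate log excerpt quoted above. It pulls out the SUL error codes, whether a proxy was used, and the failure record embedded as XML in the `IPCSender` line. The line layout is inferred from the quoted excerpt only, and the names `triage` and `auth_failed` are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

LINE = re.compile(r"^(\S+)\s+\[\s*(\d+)\]\s+(\w+)\s+(\S+)\s+(.*)$")
SUL = re.compile(r"^\[([EI]\d+)\]\s*(.*)$")

# Constructed sample: five lines taken from the excerpt quoted in the post above.
SAMPLE = r"""
2018-05-03T09:41:24.506Z [ 9136] ERROR SUL-Log [E21569] Couldn't authenticate user for resource with host server. URL was: http://dci.sophosupd.com/cloudupdate
2018-05-03T09:41:24.506Z [ 9136] INFO  SUL-Log [I23158] No proxy was used.
2018-05-03T09:41:24.506Z [ 9136] ERROR SUL-Log [E35364] Out of update sources
2018-05-03T09:41:24.506Z [ 9136] ERROR SDDSDownloader::ReportSyncFailure Failed to synchronise
2018-05-03T09:41:25.556Z [ 9136] INFO  IPCSender::Write IPCSender::Write: Writing message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate"><ErrorMessage><ID>SDDSDownloadFailed</ID><StringID>107</StringID><Sender>SophosUpdate</Sender><Insert>ESHSXP</Insert><Insert>http://dci.sophosupd.com/cloudupdate</Insert></ErrorMessage><ReadableMessage>ERROR:   Download of ESHSXP failed from server http://dci.sophosupd.com/cloudupdate</ReadableMessage></Config>
"""

def triage(log_text):
    """Summarise one update cycle: SUL errors, proxy use, reported failures."""
    out = {"sul_errors": [], "proxy_used": None, "failures": [], "unparsed": 0}
    for raw in filter(str.strip, log_text.splitlines()):
        m = LINE.match(raw.strip())
        if not m:
            out["unparsed"] += 1      # continuation line or a different format
            continue
        _ts, _pid, level, component, msg = m.groups()
        sul = SUL.match(msg) if component == "SUL-Log" else None
        if sul and level == "ERROR":
            out["sul_errors"].append(sul.groups())
        elif sul and "proxy" in sul.group(2).lower():
            out["proxy_used"] = not sul.group(2).startswith("No proxy")
        elif "<Config" in msg:
            try:
                root = ET.fromstring(msg[msg.index("<Config"):])
            except ET.ParseError:
                out["unparsed"] += 1  # truncated or wrapped XML payload
                continue
            for err in root.iter("ErrorMessage"):
                inserts = [i.text for i in err.findall("Insert")]
                out["failures"].append((err.findtext("ID"), inserts))
    return out

def auth_failed(summary):
    """True when a SUL error text reports an authentication failure."""
    return any("authenticate" in text for _code, text in summary["sul_errors"])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the quoted excerpt this separates the authentication error from the "Out of update sources" error that follows it, which is the distinction the client's "no connection to server" dialog hides.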

  • Hoi Sander - first I've seen you here - welcome to the UTM Community!

    I think this is an error that can be repaired by using [Reset Registration Token] on the 'Advanced' tab.  I believe that requires re-installing the Endpoint on all of the PCs though.

    Here's a batch file I've used to un-install Sophos Endpoint on Win7.  Note that you must delete two lines depending on whether you're removing V10 or V11.

    @Echo Off
    net stop "Sophos AutoUpdate Service"
    net stop "Sophos Anti-Virus"
    net stop "Sophos Anti-Virus status reporter"
    net stop "Sophos Device Control Service"
    net stop "Sophos MCS Agent"
    net stop "Sophos MCS Client"
    net stop "Sophos Web Control Service"
    net stop "Sophos Web Intelligence Update"
    net stop "swi_service"
    net stop "swi_update_64"
    REM Sophos Management Communications system - DELETE for V11 - KEEP for V10 -
    MsiExec.exe /X{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B} /qn REBOOT=SUPPRESS /PASSIVE /L*v %windir%\Temp\Uninstall_SAV11_Log.txt
    REM Sophos Management Communications system - DELETE for V10 - KEEP for V11 -
    REM MsiExec.exe /X{1FFD3F20-5D24-4C9A-B9F6-A207A53CF179}
    REM Sophos Anti-Virus
    MsiExec.exe /X{D929B3B5-56C6-46CC-B3A3-A1A784CBB8E4} /qn REBOOT=SUPPRESS /PASSIVE /L*v %windir%\Temp\Uninstall_SAV11_Log.txt
    REM Sophos AutoUpdate
    MsiExec.exe /X{15C418EB-7675-42be-B2B3-281952DA014D} /qn REBOOT=SUPPRESS /PASSIVE /L*v %windir%\Temp\Uninstall_SAV11_Log.txt

    Before resetting the token on the 'Advanced' tab, what happens if you uninstall using the batch file and reinstall the client?  Did that fix the issue?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    We already did the steps with support. Reset the token, cleaned the installation and even used a new server install, but the same results.

    Even tried it with different UTMs (we are a large reseller).

    Regards, Sander.

  • Just received a few updates from the Sophos Support Team. It looks like there are a couple of issues with the installer(s).

    Development is now working to resolve the known issues. If I have more information, I will let you know.

    Sander.

  • Hi,

    I want to bring this up again.

    2 weeks ago I installed the last new Win client and all was fine.

    Today I installed another new PC and now I run into the same problem as described here.

    When installing the slim package, only the Updater is installed, not AV.

    With the full package, AV 10.3 is installed but fails on update.

    I tried different settings, Win7, Win10 1709, 1803, all the same.

    Older clients that are already on 11.x are working fine.

    So the problem is the upgrade from 10.3 to 11 on install.

    Another question: why is there no 11.x install?