Endpoint won't update, register or even delete from the UTM 9.506-2

I have been fighting with an issue with using Endpoint Protection, and I'm convinced that the issue isn't on my end so I really need some help in resolving this.

 

Almost 2 weeks ago I discovered that the agent's weren't getting updates, so I began working through the issue and I thought it my be Cert related, and I attempted a few fixes but to no avail. So after further troubleshooting it appears that the updates/registration requests are being denied by Sophos servers - If you'd like to review everything up to this point it's https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/98271/no-longer-updating---ssl-cert-not-trusted

 

So today since I was getting no response and no support I decided forget it, I'm going to just start from scratch and completely delete everything and start over, as I only have it on a few systems as I was testing going from Avast to Sophos for my home network. Well, I can't even do that the UTM won't delete all data and allow me to start over.

Here's a copy of the log from the UTM for Endpoint Protection.

 

2017:12:06-11:38:27 utm epsecd[44070]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2017:12:06-11:38:27 utm epsecd[44070]: W id="4205" severity="warn" sys="System" sub="epsecd" name="Computer needs to register in Confd" mcs_id="829566d7-4c8e-0c7a-f724-6349ba9e39a4"
2017:12:06-11:38:27 utm epsecd[44070]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
2017:12:06-11:38:28 utm epsecd[44070]: I id="4233" severity="info" sys="System" sub="epsecd" name="Sending data to Sophos LiveConnect to sync UTM Web Policy Changeset"
2017:12:06-11:38:31 utm epsecd[44070]: I id="4213" severity="info" sys="System" sub="epsecd" name="User triggered changes in webadmin"
2017:12:06-11:38:31 utm epsecd[44070]: I id="4222" severity="info" sys="System" sub="epsecd" name="Sending data to Sophos LiveConnect"
2017:12:06-11:43:09 utm epsecd[44070]: I id="4233" severity="info" sys="System" sub="epsecd" name="Sending data to Sophos LiveConnect to sync UTM Web Policy Changeset"
2017:12:06-11:43:12 utm epsecd[44070]: I id="4213" severity="info" sys="System" sub="epsecd" name="User triggered changes in webadmin"
2017:12:06-11:45:49 utm epsecd[6498]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="Endpoint log collector started"
2017:12:06-11:45:49 utm epsecd[6498]: W main::_log:435() =>  severity="warn" sys="System" sub="eplog" name="No private key available yet: /var/epsecd/resources/client.pem"
2017:12:06-11:45:49 utm epsecd[6498]: W main::_log:435() =>  severity="warn" sys="System" sub="eplog" name="No certificate available yet: /var/epsecd/resources/client.crt"
2017:12:06-11:45:49 utm epsecd[6498]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="curl_base_url: 2099210c-e01b-3421-871a-c97d38074414-wdx-e01b.broker.sophos.com/.../"
2017:12:06-11:45:49 utm epsecd[6498]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="Loaded download history file"
2017:12:06-11:45:49 utm epsecd[6498]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="Download endpoint logs"
2017:12:06-11:45:49 utm epsecd[6498]: >=========================================================================
2017:12:06-11:45:49 utm epsecd[6498]: W main::_log:435() =>  severity="warn" sys="System" sub="eplog" name="Listing [https://2099210c-e01b-3421-871a-c97d38074414-wdx-e01b.broker.sophos.com//2099210c-e01b-3421-871a-c97d38074414/] failed with return code 6: Couldn't resolve host name Couldn't resolve host '2099210c-e01b-3421-871a-c97d38074414-wdx-e01b.broker.sophos.com'
2017:12:06-11:45:49 utm epsecd[6498]: "
2017:12:06-11:45:50 utm epsecd[6492]: I id="4201" severity="info" sys="System" sub="epsecd" name="Epsecd starting"
2017:12:06-11:45:53 utm epsecd[6492]: W id="424200" severity="warn" sys="System" sub="epsecd" name="Unable to get ip for sss1-e01b.broker.sophos.com: Resource temporarily unavailable"
2017:12:06-11:45:53 utm epsecd[6492]: W id="424200" severity="warn" sys="System" sub="epsecd" name="Error creating socket. " syscall_error="Resource temporarily unavailable"
2017:12:06-11:45:53 utm epsecd[6492]: >=========================================================================
2017:12:06-11:45:53 utm epsecd[6492]: E id="4281" severity="crit" sys="System" sub="epsecd" name="Unexpected error: No internet connection. at /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm line 148." effect="Can't talk to Sophos LiveConnect"
2017:12:06-11:45:53 utm epsecd[6492]:
2017:12:06-11:45:53 utm epsecd[6492]:  1. Epsec::Utils::Logging::_log:59() /</usr/local/bin/epp_client.plx>Epsec/Utils/Logging.pm
2017:12:06-11:45:53 utm epsecd[6492]:  2. Epsec::Logic::Client::on_error:1461() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-11:45:53 utm epsecd[6492]:  3. Epsec::Logic::Base::run:60() /</usr/local/bin/epp_client.plx>Epsec/Logic/Base.pm
2017:12:06-11:45:53 utm epsecd[6492]:  4. main::top-level:63() client.pl
2017:12:06-11:45:53 utm epsecd[6492]: <=========================================================================
2017:12:06-11:45:53 utm epsecd[6492]: I id="4210" severity="info" sys="System" sub="epsecd" name="Sleeping for 180 seconds"
2017:12:06-11:49:00 utm epsecd[6492]: >=========================================================================
2017:12:06-11:49:00 utm epsecd[6492]: E id="4286" severity="crit" sys="System" sub="epsecd" name="Unknown report data received from Sophos LiveConnect" data="$VAR1 = {
2017:12:06-11:49:00 utm epsecd[6492]:           'operation' => 'Unauthorized'
2017:12:06-11:49:00 utm epsecd[6492]:         };"
2017:12:06-11:49:00 utm epsecd[6492]:
2017:12:06-11:49:00 utm epsecd[6492]:  1. Epsec::Utils::Logging::_log:59() /</usr/local/bin/epp_client.plx>Epsec/Utils/Logging.pm
2017:12:06-11:49:00 utm epsecd[6492]:  2. Epsec::Logic::Client::_receive_reports:447() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-11:49:00 utm epsecd[6492]:  3. Epsec::Logic::Client::_request:1261() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-11:49:00 utm epsecd[6492]:  4. Epsec::Logic::Client::_start:288() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-11:49:00 utm epsecd[6492]:  5. Epsec::Logic::Client::on_load:43() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-11:49:00 utm epsecd[6492]:  6. (eval):53() /</usr/local/bin/epp_client.plx>Epsec/Logic/Base.pm
2017:12:06-11:49:00 utm epsecd[6492]:  7. Epsec::Logic::Base::run:52() /</usr/local/bin/epp_client.plx>Epsec/Logic/Base.pm
2017:12:06-11:49:00 utm epsecd[6492]:  8. main::top-level:63() client.pl
2017:12:06-11:49:00 utm epsecd[6492]: <=========================================================================
2017:12:06-11:49:00 utm epsecd[6492]: W id="4202" severity="warn" sys="System" sub="epsecd" name="Quit recieved from Sophos LiveConnect"
2017:12:06-11:49:00 utm epsecd[6492]: I id="4223" severity="info" sys="System" sub="epsecd" name="Closing socket to Sophos LiveConnect"
2017:12:06-11:49:00 utm epsecd[6492]: I id="4210" severity="info" sys="System" sub="epsecd" name="Sleeping for 300 seconds"
2017:12:06-11:52:32 utm epsecd[6492]: I id="420X" severity="info" sys="System" sub="epsecd" name="Epsecd stoping"
2017:12:06-11:52:32 utm epsecd[6492]: I id="4231" severity="info" sys="System" sub="epsecd" name="Syncing SWC with web control global status "
2017:12:06-11:52:32 utm epsecd[6492]: I id="4234" severity="info" sys="System" sub="epsecd" name="Disabled Sophos Web Control sub-feature"
2017:12:06-11:52:32 utm epsecd[6492]: >=========================================================================
2017:12:06-11:52:32 utm epsecd[6492]: E id="4281" severity="crit" sys="System" sub="epsecd" name="Unexpected error: Can't use an undefined value as a symbol reference at /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm line 1295." effect="Can't talk to Sophos LiveConnect"
2017:12:06-11:52:32 utm epsecd[6492]:
2017:12:06-11:52:32 utm epsecd[6492]:  1. Epsec::Utils::Logging::_log:59() /</usr/local/bin/epp_client.plx>Epsec/Utils/Logging.pm
2017:12:06-11:52:32 utm epsecd[6492]:  2. Epsec::Logic::Client::on_error:1461() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-11:52:32 utm epsecd[6492]:  3. Epsec::Logic::Base::run:60() /</usr/local/bin/epp_client.plx>Epsec/Logic/Base.pm
2017:12:06-11:52:32 utm epsecd[6492]:  4. main::top-level:63() client.pl
2017:12:06-11:52:32 utm epsecd[6492]: <=========================================================================
2017:12:06-11:52:32 utm epsecd[6492]: I id="4210" severity="info" sys="System" sub="epsecd" name="Sleeping for 180 seconds"
2017:12:06-11:55:16 utm epsecd[6365]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="Endpoint log collector started"
2017:12:06-11:55:17 utm epsecd[6365]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="curl_base_url: 2099210c-e01b-3421-871a-c97d38074414-wdx-e01b.broker.sophos.com/.../"
2017:12:06-11:55:17 utm epsecd[6365]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="Loaded download history file"
2017:12:06-11:55:17 utm epsecd[6365]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="Download endpoint logs"
2017:12:06-11:55:17 utm epsecd[6365]: >=========================================================================
2017:12:06-11:55:17 utm epsecd[6365]: W main::_log:435() =>  severity="warn" sys="System" sub="eplog" name="Listing [https://2099210c-e01b-3421-871a-c97d38074414-wdx-e01b.broker.sophos.com//2099210c-e01b-3421-871a-c97d38074414/] failed with return code 6: Couldn't resolve host name Couldn't resolve host '2099210c-e01b-3421-871a-c97d38074414-wdx-e01b.broker.sophos.com'
2017:12:06-11:55:17 utm epsecd[6365]: "
2017:12:06-11:57:44 utm epsecd[8240]: I id="4201" severity="info" sys="System" sub="epsecd" name="Epsecd starting"
2017:12:06-11:57:50 utm epsecd[8240]: I id="4229" severity="info" sys="System" sub="epsecd" name="Sending data to Sophos LiveConnect to sync UTM Web Policy"
2017:12:06-11:57:50 utm epsecd[8240]: I id="4230" severity="info" sys="System" sub="epsecd" name="Sending data to Sophos LiveConnect to sync UTM Web Policy Resources"
2017:12:06-11:57:54 utm epsecd[8240]: I id="4231" severity="info" sys="System" sub="epsecd" name="Syncing SWC with web control global status 1"
2017:12:06-12:08:28 utm epsecd[8240]: W id="4202" severity="warn" sys="System" sub="epsecd" name="Quit recieved from Sophos LiveConnect"
2017:12:06-12:08:28 utm epsecd[8240]: I id="4223" severity="info" sys="System" sub="epsecd" name="Closing socket to Sophos LiveConnect"
2017:12:06-12:08:28 utm epsecd[8240]: I id="4210" severity="info" sys="System" sub="epsecd" name="Sleeping for 300 seconds"
2017:12:06-12:13:30 utm epsecd[8240]: >=========================================================================
2017:12:06-12:13:30 utm epsecd[8240]: E id="4286" severity="crit" sys="System" sub="epsecd" name="Unknown report data received from Sophos LiveConnect" data="$VAR1 = {
2017:12:06-12:13:30 utm epsecd[8240]:           'operation' => 'Unauthorized'
2017:12:06-12:13:30 utm epsecd[8240]:         };"
2017:12:06-12:13:30 utm epsecd[8240]:
2017:12:06-12:13:30 utm epsecd[8240]:  1. Epsec::Utils::Logging::_log:59() /</usr/local/bin/epp_client.plx>Epsec/Utils/Logging.pm
2017:12:06-12:13:30 utm epsecd[8240]:  2. Epsec::Logic::Client::_receive_reports:447() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-12:13:30 utm epsecd[8240]:  3. Epsec::Logic::Client::_request:1261() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-12:13:30 utm epsecd[8240]:  4. Epsec::Logic::Client::_start:288() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-12:13:30 utm epsecd[8240]:  5. Epsec::Logic::Client::_receive_reports:442() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-12:13:30 utm epsecd[8240]:  6. Epsec::Logic::Client::on_run:320() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-12:13:30 utm epsecd[8240]:  7. (eval):55() /</usr/local/bin/epp_client.plx>Epsec/Logic/Base.pm
2017:12:06-12:13:30 utm epsecd[8240]:  8. Epsec::Logic::Base::run:52() /</usr/local/bin/epp_client.plx>Epsec/Logic/Base.pm
2017:12:06-12:13:30 utm epsecd[8240]:  9. main::top-level:63() client.pl
2017:12:06-12:13:30 utm epsecd[8240]: <=========================================================================
2017:12:06-12:13:30 utm epsecd[8240]: W id="4202" severity="warn" sys="System" sub="epsecd" name="Quit recieved from Sophos LiveConnect"
2017:12:06-12:13:30 utm epsecd[8240]: I id="4223" severity="info" sys="System" sub="epsecd" name="Closing socket to Sophos LiveConnect"
2017:12:06-12:13:30 utm epsecd[8240]: I id="4210" severity="info" sys="System" sub="epsecd" name="Sleeping for 300 seconds"

  • Hey BC68

    I feel your pain right now. I'm adding my ball of troubles to this feed too, hoping Sophos Tech will take notice, as home users get fck all support.

    Enpoint is not updating either.... Updating from Sophos Location: http://dci.sophosupd.com/cloudupdate  - Returns a 404... wow Sophos

    My Post is here... Endpopint is not updating or connecting.

    Cheers

    Craig

  • In reply to vicegod:

    Yeah, can't put in a support ticket, and they don't seem to want to deal with us on the forums. Considering that IT Security is what I do for a living (and as a consultant deal with all big companies/medical industry), it doesn't really tend to make me want to recommend any of their products to our clients. Really sucks too as I honestly really like the UTM and because of it have made purchases of other Sophos products (like the AP 55)- hell I checked to see if I could BUY Endpoint licenses (you can't for the home licensed UTM) as well as I'd be willing to buy the Sandstorm license. Wish they'd have a better model for the home user instead of "Here's this free thing, but you can't really buy any add-on's or get support for it" - even a paid home user license would be great in order to get support and buy additional features.

  • In reply to BC68:

    Home UTM is the "nightbuild" - we are just the test environment :) From experience Sophos testing regiments on releases are a little substandard, especially when patching existing environments; but then they have us as testers so it is a win for Sophos. Yes Sophos could probably help their brand by providing more support, but the overhead would be dealing with the likes of you and I finding the bugs and then having to honour a support agreement.

    UTM is an enterprise solution that is free (although a little extreme and complicated for the "normal" home user), it does work, so we cant complain...

    I have two other machines in the home network with an older Endpoint install that are working just fine, but on an older token and not communicating with the current UTM.

    A couple of things I have tried (ideas from other posts):

    Placing the c:\Program Files (x86)\Sophos\AutoUpdate\ps_rootca.crt into Trusted - update failed

    I tried setting MTU on the local machine to match the ISP/router - update failed.

    I tried a naked net connection, bypassing UTM and internal network - update still failed.

    I honestly think the update location just doesnt exist or is not accessible under some undetermined login service.


     

    Is there any way to access this info or someplace it needs to be setup?


     

    Have you or anyone else tried a fresh UTM download and ISO install ?

     

    PS: Is it me or am I noticing a "christmas" time bugfest occuring every year?

  • In reply to vicegod:

    I'm pretty sure the file is C:\ProgramData\Sophos\AutoUpdate\Config\iconn.cfg

    Which for me points me to http://d3.sophosupd.com/update/catalogue/sdds.utm_91_ug2.xml and that gives me a 404 error. So I'm guessing some'n is messed up on their side some place. I've seen references to it on other posts, and either it magically started working or they just went away.

    Looks like I might have to switch back to Avast, at least since I was paying for that I got "support" (ish). Was really wanting to integrate into the UTM for use when traveling to be able to use web control and not always VPN in first.

     

    *Edit* No I haven't tried a reinstall. I guess I could try to spin up another VM and try and then do a config restore, but I honestly don't think there is anything on our side that is broken.

  • In reply to BC68:

    Found my file under c:\ProgramData\Sophos\AutoUpdate\Config\iconn.cfg

    ConnectionAddress = sophos:d3.sophosupd.com/.../sdds.utm_91_ug2.xml

    Same request URL

    http://d3.sophosupd.com/update/catalogue/sdds.utm_91_ug2.xml

    Yep - kinda a no brainer methinks...


     

    Anyone able to provide a "working" URL?

  • In reply to vicegod:

    Pretty disappointed in no responses. Even if it's a "Hey yeah, it's a problem that'll be fixed in the next update some time some place" would give me more warm fuzzy's. But, I'm a needy guy apparently.

  • For Windows 7, use the following to completely delete an Endpoint install.

    @Echo Off
     net stop "Sophos AutoUpdate Service"
     net stop "Sophos Anti-Virus"
     net stop "Sophos Anti-Virus status reporter"
     net stop "Sophos Device Control Service"
     net stop "Sophos MCS Agent"
     net stop "Sophos MCS Client"
     net stop "Sophos Web Control Service"
     net stop "Sophos Web Intelligence Update"
     net stop "swi_service"
     net stop "swi_update_64"
    REM Sophos Management Communications system - DELETE for V11 - KEEP for V10 -
     MsiExec.exe /X{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B} /qn REBOOT=SUPPRESS /PASSIVE /L*v %windir%\Temp\Uninstall_SAV11_Log.txt
    REM Sophos Management Communications system - DELETE for V10 - KEEP for V11 -
     MsiExec.exe /X{1FFD3F20-5D24-4C9A-B9F6-A207A53CF179}
    REM Sophos Anti-Virus
     MsiExec.exe /X{D929B3B5-56C6-46CC-B3A3-A1A784CBB8E4} /qn REBOOT=SUPPRESS /PASSIVE /L*v %windir%\Temp\Uninstall_SAV11_Log.txt
    REM Sophos AutoUpdate
     MsiExec.exe /X{15C418EB-7675-42be-B2B3-281952DA014D} /qn REBOOT=SUPPRESS /PASSIVE /L*v %windir%\Temp\Uninstall_SAV11_Log.txt

    There's a KnowledgeBase article if you have other Windows versions.

    Although you can't get support with a home-use license for UTM Endpoint, you can get a paid license on Sophos Central, the cloud-based solution.  There are different versions as well as an offering of Intercept X.

    Cheers - Bob

  • In reply to BAlfson:

    Thanks, but unfortunately that's not relevant to the current issues as uninstalling from the endpoint isn't an issue.

    Also, the reason for changing from a paid version of Avast to Sophos is the UTM integration, otherwise I'd prefer to use dual AV's for increased protection (one at the network layer, one at the endpoint).

  • In reply to BC68:

    Sometimes, a re-install of Endpoint will fix this type of problem.  In your first post, you said that you were unable to completely uninstall Endpoint and it's not possible to re-install it correctly unless all traces of the initial install are gone.  There's a KB detailing how to do a partial integration of cloud-based Endpoint with UTM.

    Cheers - Bob

  • In reply to BAlfson:

    Sorry for the confusion, what I was saying was not that I couldn't remove it from the endpoint, I couldn't delete the data from the UTM - I could only disable it and keep data, not disable and delete data.

  • Bueller? Bueller? No help? Silence on the wire?