[8.960][BUG] Can't clear alert due to tamper protection override

I have tinkered with the override function of the tamper protection built into the Sophos Endpoint client... and in the past, I could click the Alert link on the UTM and clear the alert (acknowledging it, if you will)... now, for some reason, this is not an option.  Please see the attached screenshot.
  • Hi BrucekConvergent,

    I have tinkered with the override function of the tamper protection built into the Sophos Endpoint client


Indeed this doesn't look normal. So what exactly did you tinker with that brought your UTM into this state?
    Maybe you can provide either the /var/log/epsecd.log or the /var/log/endpoint.log related to that time.

    Cheers,
    Cristof
  • By "tinker" I mean bothered to install it... I didn't modify it until later (see my thread regarding the proxy issue).  If you want access into our test VM, let me know and I'll set it up for you via PM.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Hi BrucekConvergent,

    If you want access into our test VM, let me know and I'll set it up for you via PM.


I'd really appreciate that. But I'd still like you to provide me with more information on what actions you committed.

    Cheers,
    Cristof
  • Sure..

    1)  Deployed the client
    2)  Configured an easier to remember tamper bypass password at the UTM (for testing purposes)
    3)  Opened up the client, disabled tamper protection using the new password.
    4)  Made some insignificant change to local policy (I believe it was the "send sample" setting)
    5)  Waited to see if the UTM policy would override that change (and it did [:)] )
    6)  Cleared the alert in UTM, repeated #3 thru #5 a couple of times
    7)  Noted that the issue arose the last time.

    Logfile entries -- the 2 or 3 times I disabled tamper protection at the endpoint, the logs look similar to this:

    2012:05:25-11:45:01 test-utm epsecd[5039]: D Epsec::Utils::Logging::_log:59() => id="4207" severity="debug" sys="System" sub="epsecd" name="Recieved report(s) from Sophos LiveConnect"
    2012:05:25-11:45:01 test-utm epsecd[5039]: D Epsec::Utils::Logging::_log:59() => id="4230" severity="debug" sys="System" sub="epsecd" name="Updated ping information in the DB" mcs_id="8122c811-aad5-45fb-70b0-3c384247b524"
    2012:05:25-11:45:01 test-utm epsecd[5039]: I Epsec::Utils::Logging::_log:59() => id="4231" severity="info" sys="System" sub="epsecd" name="Handled SAV event" event_type="SAV" effect="User 'MYDOMAIN\MYUSER' has been successfully authenticated." action="unknownAction" type="tamperProtection" mcs_id="8122c811-aad5-45fb-70b0-3c384247b524" cause="event"
    2012:05:25-11:45:01 test-utm epsecd[5039]: D Epsec::Utils::Logging::_log:59() => id="4211" severity="debug" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="332336,332810"
    2012:05:25-11:45:37 test-utm epsecd[5039]: D Epsec::Utils::Logging::_log:59() => id="4207" severity="debug" sys="System" sub="epsecd" name="Recieved report(s) from Sophos LiveConnect"
    2012:05:25-11:45:37 test-utm epsecd[5039]: D Epsec::Utils::Logging::_log:59() => id="4230" severity="debug" sys="System" sub="epsecd" name="Updated ping information in the DB" mcs_id="8122c811-aad5-45fb-70b0-3c384247b524"
    2012:05:25-11:45:37 test-utm epsecd[5039]: D Epsec::Utils::Logging::_log:59() => id="4228" severity="debug" sys="System" sub="epsecd" name="Updated AGENT info in the DB" mcs_id="8122c811-aad5-45fb-70b0-3c384247b524"
    2012:05:25-11:45:37 test-utm epsecd[5039]: D Epsec::Utils::Logging::_log:59() => id="4211" severity="debug" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="332336,332812,332813"
    2012:05:25-11:46:13 test-utm epsecd[5039]: D Epsec::Utils::Logging::_log:59() => id="4207" severity="debug" sys="System" sub="epsecd" name="Recieved report(s) from Sophos LiveConnect"
    2012:05:25-11:46:13 test-utm epsecd[5039]: D Epsec::Utils::Logging::_log:59() => id="4230" severity="debug" sys="System" sub="epsecd" name="Updated ping information in the DB" mcs_id="8122c811-aad5-45fb-70b0-3c384247b524"
    2012:05:25-11:46:13 test-utm epsecd[5039]: D Epsec::Utils::Logging::_log:59() => id="4228" severity="debug" sys="System" sub="epsecd" name="Updated AGENT info in the DB" mcs_id="8122c811-aad5-45fb-70b0-3c384247b524"
    2012:05:25-11:46:13 test-utm epsecd[5039]: D Epsec::Utils::Logging::_log:59() => id="4211" severity="debug" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="332336,332815,332816"
    2012:05:25-11:46:49 test-utm epsecd[5039]: D Epsec::Utils::Logging::_log:59() => id="4207" severity="debug" sys="System" sub="epsecd" name="Recieved report(s) from Sophos LiveConnect"
    2012:05:25-11:46:49 test-utm epsecd[5039]: D Epsec::Utils::Logging::_log:59() => id="4230" severity="debug" sys="System" sub="epsecd" name="Updated ping information in the DB" mcs_id="8122c811-aad5-45fb-70b0-3c384247b524"
    2012:05:25-11:46:49 test-utm epsecd[5039]: D Epsec::Utils::Logging::_log:59() => id="4211" severity="debug" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="332336"

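As an added example (not part of the thread and not Sophos's own tooling): a small Python parser for the epsecd.log format shown in the post above. It pulls out the id="4231" "Handled SAV event" lines of type tamperProtection, which is where the UTM records that a user authenticated past tamper protection on an endpoint, and flags any endpoint (by mcs_id) where the override was used repeatedly within a short window. The sample lines are constructed: the first three are copied from the posted excerpt, the second override at 11:46:49 and the trailing garbage line are made up for the demonstration, and the field names used are only those visible in the posted lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/epsecd.log lines in the format posted in the
# thread. The first three lines reuse the posted 11:45:01 entries; the second
# override at 11:46:49 and the garbage line are made up for the demo.
SAMPLE_LOG = r"""
2012:05:25-11:45:01 test-utm epsecd[5039]: D Epsec::Utils::Logging::_log:59() => id="4207" severity="debug" sys="System" sub="epsecd" name="Recieved report(s) from Sophos LiveConnect"
2012:05:25-11:45:01 test-utm epsecd[5039]: I Epsec::Utils::Logging::_log:59() => id="4231" severity="info" sys="System" sub="epsecd" name="Handled SAV event" event_type="SAV" effect="User 'MYDOMAIN\MYUSER' has been successfully authenticated." action="unknownAction" type="tamperProtection" mcs_id="8122c811-aad5-45fb-70b0-3c384247b524" cause="event"
2012:05:25-11:45:01 test-utm epsecd[5039]: D Epsec::Utils::Logging::_log:59() => id="4211" severity="debug" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="332336,332810"
2012:05:25-11:46:49 test-utm epsecd[5039]: I Epsec::Utils::Logging::_log:59() => id="4231" severity="info" sys="System" sub="epsecd" name="Handled SAV event" event_type="SAV" effect="User 'MYDOMAIN\MYUSER' has been successfully authenticated." action="unknownAction" type="tamperProtection" mcs_id="8122c811-aad5-45fb-70b0-3c384247b524" cause="event"
2012:05:25-11:46:49 test-utm epsecd[5039]: D Epsec::Utils::Logging::_log:59() => id="4211" severity="debug" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="332336"
this line is garbage and must be skipped
"""

# "<ts> <host> <proc>[<pid>]: <level> <source> => key="value" key="value" ..."
HEADER_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<proc>[A-Za-z_]+)\[(?P<pid>\d+)\]: '
    r'(?P<level>[A-Z]) \S+ => (?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')   # values never contain a double quote
TS_FMT = "%Y:%m:%d-%H:%M:%S"


def parse_line(line):
    """Parse one epsecd.log line into a dict; return None for anything that does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("host", "proc", "pid", "level")}
    rec["ts"] = datetime.strptime(m.group("ts"), TS_FMT)
    rec.update(FIELD_RE.findall(m.group("fields")))  # id, severity, name, mcs_id, ...
    return rec


def parse_log(text):
    """Parse a whole log, silently dropping lines that are not epsecd records."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def tamper_override_events(records):
    """Events where a user authenticated past tamper protection (id 4231, type tamperProtection)."""
    out = []
    for r in records:
        if (r.get("id") == "4231" and r.get("type") == "tamperProtection"
                and "successfully authenticated" in r.get("effect", "")):
            user = re.search(r"User '([^']*)'", r["effect"])
            out.append({"ts": r["ts"], "mcs_id": r.get("mcs_id"),
                        "user": user.group(1) if user else None})
    return out


def repeated_overrides(events, window_seconds=600, threshold=2):
    """mcs_ids with at least `threshold` override events inside any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    by_host = defaultdict(list)
    for e in events:
        by_host[e["mcs_id"]].append(e["ts"])
    flagged = []
    for mcs_id, times in by_host.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(mcs_id)
                break
    return flagged


if __name__ == "__main__":
    events = tamper_override_events(parse_log(SAMPLE_LOG))
    for e in events:
        print(e["ts"], e["mcs_id"], e["user"])
    print("repeated overrides:", repeated_overrides(events))
```

The thresholds are arbitrary: in the thread the override was used two or three times within a couple of minutes during testing, which is exactly the pattern the sliding window catches, while a single legitimate override by an administrator would not trip it.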
  • Morning BrucekConvergent,

    thanks for the detailed report.
    Even though I can't see any strange behaviour in the output of /var/log/epsecd.log, can you please make sure the /var/log/endpoint.log is attached, too?

    Cheers,
    Cristof
  • Well... I'm going to have to see if I can make it happen again... was testing a new SAN product here, and migrated the test utm instance in question, when something went awry... so I had to reinstall and restore the config from backup, which cleared the issue (I suppose that losing that DB had something to do with it [:)] )... I'll try to make it fail again and post the requested info back here.


  • Well, that didn't take long [:)]   -- but I think I may have some more info this time around.

    I just went into the endpoint, entered my password to get by the tamper protection, and enabled "send file sample"... waited a minute, and the UTM showed the alert, and the same thing occurs when I click on the Alert link, no way to clear it, options are OK and Cancel.

    I just hit Cancel (I've been hitting OK)... then went back to it, now it shows the "Resolve All" option.  Clicking that clears it.

    Reproduced it again (same method)... click the Alert link, and click OK... then go back, and still no Resolve All option... I believe, at this point, we're looking at a GUI or simple DB issue... I'd wager that you could reproduce this on your end.  I'm using Vista with Firefox 12.0, all latest patches.

    Hmm... get different results in IE9... may be a Firefox issue... try again with IE9... ahhh... interesting... if I give it a minute or so after the initial alert is thrown, then I get a non-compliant alert, which I can resolve... this doesn't happen on Firefox 12.


  • Thanks for reporting. We are now tracking this as Mantis ID #21650
  • The Mantis ID #21650 is now being worked on. We are planning to release a fix for this issue in Version 8.970.