
9.4 Endpoint Web Protection is NOT working

I've noticed that after a clean install of 9.4, Endpoint Web Protection logs are not populating on my UTM and my endpoints (Windows 10) appear to be able to surf anywhere without any protection.  The Sophos Agent shows Web Control enabled, but it is not blocking sites that it's supposed to.  I'll reiterate, I have cleanly installed 9.400-9 and have refreshed from scratch the Endpoint Protection and I'm still seeing the issue (this was not an upgrade...after the upgrade, this failed as well, so I did everything from scratch and still see the issue).  My endpoints are showing up just fine under Endpoint Protection on the gateway and the antivirus appears to be working, just not the web protection.  Here is a sample of the Endpoint Protection Logs:

2016:03:25-10:11:27 rickshome epsecd[10282]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:25-10:11:27 rickshome epsecd[10282]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
2016:03:25-10:13:15 rickshome epsecd[10282]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:25-10:13:15 rickshome epsecd[10282]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
2016:03:25-10:15:03 rickshome epsecd[10282]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:25-10:15:03 rickshome epsecd[10282]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
2016:03:25-10:17:46 rickshome epsecd[10282]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:25-10:17:46 rickshome epsecd[10282]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
2016:03:25-10:19:04 rickshome epsecd[10796]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="curl_base_url: e53611b9-7d74-339e-b3f2-4e2addb92ca2-wdx-7d74.broker.sophos.com/.../"
2016:03:25-10:19:34 rickshome epsecd[10282]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:25-10:19:34 rickshome epsecd[10282]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
2016:03:25-10:19:35 rickshome epsecd[10282]: I id="4233" severity="info" sys="System" sub="epsecd" name="Sending data to Sophos LiveConnect to sync UTM Web Policy Changeset"
2016:03:25-10:19:38 rickshome epsecd[10282]: I id="4213" severity="info" sys="System" sub="epsecd" name="User triggered changes in webadmin"
2016:03:25-10:22:21 rickshome epsecd[10282]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:25-10:22:21 rickshome epsecd[10282]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
2016:03:25-10:23:16 rickshome epsecd[10282]: I id="4233" severity="info" sys="System" sub="epsecd" name="Sending data to Sophos LiveConnect to sync UTM Web Policy Changeset"
2016:03:25-10:23:19 rickshome epsecd[10282]: I id="4213" severity="info" sys="System" sub="epsecd" name="User triggered changes in webadmin"
2016:03:25-10:24:12 rickshome epsecd[10282]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:25-10:24:12 rickshome epsecd[10282]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"

I do see the reports coming in, but I'm a little bit concerned about the "-1" for acknowledgement.

Any ideas on what I can do next? If you need more information, please let me know!
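
An added example, not part of the original post and not Sophos tooling: a small parser for the epsecd log format quoted above. It tallies event ids, the values of the `reports` field on acknowledgements, and the gap between LiveConnect reports, so a recurring value such as reports="-1" can be counted across a whole log. The function names are hypothetical, and the sample lines are copied from the log in the post.

```python
import re
from collections import Counter
from datetime import datetime

# Sample lines copied from the epsecd log quoted in the post above.
SAMPLE = r'''
2016:03:25-10:17:46 rickshome epsecd[10282]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:25-10:17:46 rickshome epsecd[10282]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
2016:03:25-10:19:04 rickshome epsecd[10796]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="curl_base_url: e53611b9-7d74-339e-b3f2-4e2addb92ca2-wdx-7d74.broker.sophos.com/.../"
2016:03:25-10:19:34 rickshome epsecd[10282]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:25-10:19:34 rickshome epsecd[10282]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
2016:03:25-10:19:35 rickshome epsecd[10282]: I id="4233" severity="info" sys="System" sub="epsecd" name="Sending data to Sophos LiveConnect to sync UTM Web Policy Changeset"
2016:03:25-10:19:38 rickshome epsecd[10282]: I id="4213" severity="info" sys="System" sub="epsecd" name="User triggered changes in webadmin"
'''

# Header: "YYYY:MM:DD-HH:MM:SS host process[pid]: <rest>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<rest>.*)$'
)
# Body: key="value" pairs; lines without an id= field (the eplog line) still parse.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a record dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S"),
        "host": m.group("host"),
        "proc": m.group("proc"),
        "pid": int(m.group("pid")),
        "fields": dict(KV_RE.findall(m.group("rest"))),
    }


def summarize(lines):
    """Tally the events that matter for the question asked in the post."""
    by_id = Counter()        # event id -> count (None for lines without id=)
    ack_reports = Counter()  # value of reports= on acknowledgement lines
    policy_syncs = []        # timestamps of web policy changeset pushes
    report_times = []        # timestamps of reports received from LiveConnect
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        fields = rec["fields"]
        by_id[fields.get("id")] += 1
        name = fields.get("name", "")
        if name.startswith("Acknowledging report"):
            ack_reports[fields.get("reports")] += 1
        elif name.startswith("Received report"):
            report_times.append(rec["ts"])
        elif "sync UTM Web Policy Changeset" in name:
            policy_syncs.append(rec["ts"])
    # Seconds between consecutive "Received report(s)" events.
    gaps = [int((b - a).total_seconds())
            for a, b in zip(report_times, report_times[1:])]
    return {
        "by_id": by_id,
        "ack_reports": ack_reports,
        "policy_syncs": policy_syncs,
        "report_gaps_s": gaps,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE.splitlines())
    for key, value in result.items():
        print(key, value)
```
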


This thread was automatically locked due to age.
  • You mentioned Windows 10 clients are having the issue... Do you have any older versions of Windows and are they behaving properly?

    Also, did you have any issues prior to moving to 9.4? It's hard to tell if this is related to Win10 or UTM 9.4.

  • This very well could be.  I do know it worked on Windows 10 at one time (have several clients on Windows 10 and it worked fine on multiple versions of 9.3 from September, 2015 -- February, 2016)...but stopped working back in February on version 9.355.  I am doing more testing and have found the following:

    1.)  I have one Windows 10 box that was working and I have never "uninstalled" the client agent.  I have installed OVER the client agent when I installed the new 9.4 from scratch.  The directory structure on that box under C:\ProgramData\Sophos\Web Control\Policy shows that there is a policy there (there are files in that directory), but it doesn't appear to be updating when I make changes to the web content filter.   No Web Control logs are getting to Sophos, however.

    2.)  I have another Windows 10 box that is brand new.  I installed the 9.4 client agent on that box from scratch.  The directory structure under C:\ProgramData\Sophos\Web Control\Policy shows nothing.  It's almost like the policy can't get into the directory or it isn't updating for some reason?

    I will try to spin up a Windows 7 box and see if I have the same issues.  I do know the Sophos Endpoint Cloud works fine on Windows 10 (tried and installed this and it worked just great), just not the endpoint web control service using the UTM.

    Another thing I have found... I just downgraded my UTM to 9.351 and I still am experiencing the same issues!  Either something changed in Windows 10 that is blocking endpoint web control policy changes or something changed on the Sophos server side and how it communicates with the agent.

    I'll continue to research!

  • This is a snippet of the logs I'm getting with the registry key value set to "3" for loglevel.  This seems to repeat over and over.  If there is a better way to show this (or attach it), please let me know!  I do see a failure to register, but again, this is a brand new install on a brand new system with a brand new UTM installation.

    v 16040814384024 swi_service.exe:004108:0009c4 validating index data f702de4d9f8106dde79bf7cb1a2c053dd170525c with signature 456e37b1b3366da33734b7cea06ed3a6abb551b4 [WebControlSync.cpp:313 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814384024 swi_service.exe:004108:0009c4 [SymmetricKey d6 77 2f 3f 42 a7 50 d1 8f a3 d5 d5 7a 32 ea 46 ec be d9 69].decrypt(sha1=32121f191aa858f85633a20bf157c4ddc0efd381) [SophosSymmetricKey.cpp:244 Sophos::SymmetricKey::decrypt]
    v 16040814384024 swi_service.exe:004108:0009c4 decrypted sha1=af006394ac52ffb2e15e3aef5418c254535825fe [SophosSymmetricKey.cpp:156 Sophos::SymmetricKey::impl::decrypt]
    v 16040814384024 swi_service.exe:004108:0009c4 Successfully decrypted keyinfo.dat from disk [WebControlCrypto.cpp:301 reginfo::reginfo]
    v 16040814384024 swi_service.exe:004108:0009c4 [Sophos::PublicKey 3c 40 57 81 a0 ea f5 b9 9b eb 61 f8 66 27 ff 78 91 04 12 87].validate(f702de4d9f8106dde79bf7cb1a2c053dd170525c, signature=456e37b1b3366da33734b7cea06ed3a6abb551b4 [SophosPublicKey.cpp:352 Sophos::PublicKey::validate]
    v 16040814384024 swi_service.exe:004108:0009c4 [SymmetricKey d6 77 2f 3f 42 a7 50 d1 8f a3 d5 d5 7a 32 ea 46 ec be d9 69].decrypt(sha1=32121f191aa858f85633a20bf157c4ddc0efd381) [SophosSymmetricKey.cpp:244 Sophos::SymmetricKey::decrypt]
    v 16040814384024 swi_service.exe:004108:0009c4 decrypted sha1=af006394ac52ffb2e15e3aef5418c254535825fe [SophosSymmetricKey.cpp:156 Sophos::SymmetricKey::impl::decrypt]
    v 16040814384024 swi_service.exe:004108:0009c4 Successfully decrypted keyinfo.dat from disk [WebControlCrypto.cpp:301 reginfo::reginfo]
    v 16040814384024 swi_service.exe:004108:0009c4 Failed to validate index signature using server key [Sophos::PublicKey 3c 40 57 81 a0 ea f5 b9 9b eb 61 f8 66 27 ff 78 91 04 12 87]. Does the endpoint need to re-register? [WebControlCrypto.cpp:301 reginfo::reginfo]
    e 16040814384024 swi_service.exe:004108:0009c4 Policy: invalid index err:0 [WebControlSync.cpp:1083 WebControlSync::handlePolicyResponse]
    v 16040814384024 swi_service.exe:004108:0009c4 sync failure on primary server: attempting fallback... [WebControlSync.cpp:895 WebControlSync::startFallback]
    v 16040814384024 swi_service.exe:004108:0009c4 [SymmetricKey d6 77 2f 3f 42 a7 50 d1 8f a3 d5 d5 7a 32 ea 46 ec be d9 69].decrypt(sha1=32121f191aa858f85633a20bf157c4ddc0efd381) [SophosSymmetricKey.cpp:244 Sophos::SymmetricKey::decrypt]
    v 16040814384024 swi_service.exe:004108:0009c4 decrypted sha1=af006394ac52ffb2e15e3aef5418c254535825fe [SophosSymmetricKey.cpp:156 Sophos::SymmetricKey::impl::decrypt]
    v 16040814384024 swi_service.exe:004108:0009c4 Successfully decrypted keyinfo.dat from disk [WebControlCrypto.cpp:301 reginfo::reginfo]
    v 16040814384024 swi_service.exe:004108:0009c4 fallback URL:e53611b9-7d74-339e-b3f2-4e2addb92ca2-wdx-7d74.broker.sophos.com/ [WebControlSync.cpp:493 WebControlSync::makeUrl]
    v 16040814384024 swi_service.exe:004108:0009c4 Signing X-Sophos-Filter header contents: e53611b9-7d74-339e-b3f2-4e2addb92ca2-wdx-7d74.broker.sophos.com/wdx/policy/index.txt [WebControlSync.cpp:513 WebControlSync::signedFilterHeader]
    v 16040814384024 swi_service.exe:004108:0009c4 [SymmetricKey d6 77 2f 3f 42 a7 50 d1 8f a3 d5 d5 7a 32 ea 46 ec be d9 69].decrypt(sha1=32121f191aa858f85633a20bf157c4ddc0efd381) [SophosSymmetricKey.cpp:244 Sophos::SymmetricKey::decrypt]
    v 16040814384024 swi_service.exe:004108:0009c4 decrypted sha1=af006394ac52ffb2e15e3aef5418c254535825fe [SophosSymmetricKey.cpp:156 Sophos::SymmetricKey::impl::decrypt]
    v 16040814384024 swi_service.exe:004108:0009c4 Successfully decrypted keyinfo.dat from disk [WebControlCrypto.cpp:301 reginfo::reginfo]
    v 16040814384024 swi_service.exe:004108:0009c4 [SymmetricKey 3b 15 7d 59 3c 1e e2 65 25 ff 69 11 1e 9d 66 f9 1a e7 a2 bc].sign(sha1=dd2294ecea9a85a7f9a2d75640c9933ea515e7b1) [SophosSymmetricKey.cpp:251 Sophos::SymmetricKey::sign]
    v 16040814384024 swi_service.exe:004108:0009c4 signature sha1=3bdb711e168957d1e07f5eecf67e34176263aa4a [SophosSymmetricKey.cpp:174 Sophos::SymmetricKey::impl::sign]
    v 16040814384024 swi_service.exe:004108:0009c4 Signed WDX header: X-Sophos-Filter: 566b1ba59834da6e4d8ad204efe44d8e7e10a873 [e53611b9-7d74-339e-b3f2-4e2addb92ca2-wdx-7d74.broker.sophos.com/wdx/policy/index.txt] [WebControlSync.cpp:543 WebControlSync::signWdxRequestHeaders]
    v 16040814384024 swi_service.exe:004108:0009c4 [PROXY:DIRECT] Policy: GET e53611b9-7d74-339e-b3f2-4e2addb92ca2-wdx-7d74.broker.sophos.com/.../index.txt [WebControlSync.cpp:640 WebControlSync::startPolicy]
    v 16040814384024 swi_service.exe:004108:0009c4 Resetting failure count and fallback timer. [WebControlSync.cpp:829 WebControlSync::httpEventCallback]
    I 16040814384025 swi_service.exe:004108:00034c 20160408 143840.259 T0000034c ------ 4 - sxl3_process_timeouts(), request (id=4051) got cleaned up\n [oem-log.cpp:29 oem_log]
    I 16040814384029 swi_service.exe:004108:000f48 20160408 143840.290 T00000f48 ------ 3 - Processing request=172\n [oem-log.cpp:29 oem_log]
    I 16040814384029 swi_service.exe:004108:000f48 20160408 143840.290 T00000f48 ------ 3 - Queueing request 172\n [oem-log.cpp:29 oem_log]
    I 16040814384029 swi_service.exe:004108:0008e4 20160408 143840.290 T000008e4 ------ 3 - Processing request=172, 00AE92B0\n [oem-log.cpp:29 oem_log]
    v 16040814385645 swi_service.exe:004108:0009c4 Policy response: event=3; status=200 [WebControlSync.cpp:1058 WebControlSync::handlePolicyResponse]
    v 16040814385645 swi_service.exe:004108:0009c4 Policy: got 1536 bytes (MORE coming) [WebControlSync.cpp:1069 WebControlSync::handlePolicyResponse]
    v 16040814385645 swi_service.exe:004108:0009c4 Resetting failure count and fallback timer. [WebControlSync.cpp:829 WebControlSync::httpEventCallback]
    I 16040814385645 swi_service.exe:004108:000f48 20160408 143856.458 T00000f48 ------ 3 - Queueing request 172\n [oem-log.cpp:29 oem_log]
    I 16040814385645 swi_service.exe:004108:000ac4 20160408 143856.458 T00000ac4 ------ 3 - Processing request=172, 00AE92B0\n [oem-log.cpp:29 oem_log]
    v 16040814385652 swi_service.exe:004108:0009c4 Policy response: event=3; status=200 [WebControlSync.cpp:1058 WebControlSync::handlePolicyResponse]
    v 16040814385652 swi_service.exe:004108:0009c4 Policy: got 1536 bytes (MORE coming) [WebControlSync.cpp:1069 WebControlSync::handlePolicyResponse]
    v 16040814385652 swi_service.exe:004108:0009c4 Resetting failure count and fallback timer. [WebControlSync.cpp:829 WebControlSync::httpEventCallback]
    I 16040814385652 swi_service.exe:004108:000f48 20160408 143856.520 T00000f48 ------ 3 - Queueing request 172\n [oem-log.cpp:29 oem_log]
    I 16040814385652 swi_service.exe:004108:001290 20160408 143856.520 T00001290 ------ 3 - Processing request=172, 00AE92B0\n [oem-log.cpp:29 oem_log]
    v 16040814385655 swi_service.exe:004108:0009c4 Policy response: event=3; status=200 [WebControlSync.cpp:1058 WebControlSync::handlePolicyResponse]
    v 16040814385655 swi_service.exe:004108:0009c4 Policy: got 1536 bytes (MORE coming) [WebControlSync.cpp:1069 WebControlSync::handlePolicyResponse]
    v 16040814385655 swi_service.exe:004108:0009c4 Resetting failure count and fallback timer. [WebControlSync.cpp:829 WebControlSync::httpEventCallback]
    I 16040814385658 swi_service.exe:004108:000f48 20160408 143856.583 T00000f48 ------ 3 - Queueing request 172\n [oem-log.cpp:29 oem_log]
    I 16040814385658 swi_service.exe:004108:000268 20160408 143856.583 T00000268 ------ 3 - Processing request=172, 00AE92B0\n [oem-log.cpp:29 oem_log]
    v 16040814385658 swi_service.exe:004108:0009c4 Policy response: event=3; status=200 [WebControlSync.cpp:1058 WebControlSync::handlePolicyResponse]
    v 16040814385658 swi_service.exe:004108:0009c4 Policy: got 1536 bytes (MORE coming) [WebControlSync.cpp:1069 WebControlSync::handlePolicyResponse]
    v 16040814385658 swi_service.exe:004108:0009c4 Resetting failure count and fallback timer. [WebControlSync.cpp:829 WebControlSync::httpEventCallback]
    I 16040814385664 swi_service.exe:004108:000f48 20160408 143856.645 T00000f48 ------ 3 - Queueing request 172\n [oem-log.cpp:29 oem_log]
    I 16040814385664 swi_service.exe:004108:000f30 20160408 143856.645 T00000f30 ------ 3 - Processing request=172, 00AE92B0\n [oem-log.cpp:29 oem_log]
    v 16040814385669 swi_service.exe:004108:0009c4 Policy response: event=3; status=200 [WebControlSync.cpp:1058 WebControlSync::handlePolicyResponse]
    v 16040814385669 swi_service.exe:004108:0009c4 Policy: got 1536 bytes (MORE coming) [WebControlSync.cpp:1069 WebControlSync::handlePolicyResponse]
    v 16040814385669 swi_service.exe:004108:0009c4 Resetting failure count and fallback timer. [WebControlSync.cpp:829 WebControlSync::httpEventCallback]
    I 16040814385669 swi_service.exe:004108:000f48 20160408 143856.692 T00000f48 ------ 3 - Queueing request 172\n [oem-log.cpp:29 oem_log]
    I 16040814385669 swi_service.exe:004108:001014 20160408 143856.692 T00001014 ------ 3 - Processing request=172, 00AE92B0\n [oem-log.cpp:29 oem_log]
    v 16040814385678 swi_service.exe:004108:0009c4 Policy response: event=4; status=200 [WebControlSync.cpp:1058 WebControlSync::handlePolicyResponse]
    v 16040814385678 swi_service.exe:004108:0009c4 parsing index file with sha1 checksum: 076c50fccafedc196ca4668ed67f1e062414a57c [WebControlSync.cpp:300 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4 index without signature: version 1\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^fragment 5432 a47365055413f5c02917c898ddad1b7ff99805e0\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^fragment 2872 8d0de0b9da4aada591492f0e001c3a02acc4c5a9\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^fragment 1768 7613757c39af5003b60f78ba60f22a21da3bc062\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^fragment 5480 00b7b24969a2cc7d7142f8fb09eecceb46648114\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^fragment 88 5910cb604ca198b708e526d1dde410d509db7092\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^magic 8466 4915373adbd1c29a6464f2d1e5f09f5d59ca64e8\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 248 4e9558c69ab540791e3dc66c2fd747af9a2b298d footer_center.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 1864 6ea4e86b6048812f2fdbcf9988b2dcb0282710f7 spinner.gif\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 456 27aaee7c1ccd0e2da2c0e257e34192dfcddc74b3 dir.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 2040 d07d686087df977f0705a920608fcd4027db7f39 quotaing.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 440 6cb6af086eced30399365c7beb8148ed6cf839be topbar_left.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 33544 a8b8ae3a1e73215e99ac16846bf8ed203a7a86f3 progress_bar.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 72 7ef72cbb0804e633262e6aae780ef0b7c50dd266 spacer.gif\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 264 e7e7f3842711e8090cf0e28267578048b2734813 fieldset_left.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 328 488e34cababa0043905f3eee14b4a3a7a560cdb1 button_left.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 4232 c28006ac05b54f50a55d4bda943b290e9a634e42 background.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 264 54c0b33446d6c036bcb66da0620946f91adb2b3b fieldset_right.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 1416 515cd803c8a7ad3e433a4e05f7e9450bd3544c0e logo.gif\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 248 e9118ebd1aa78f4149d1b2d843cb05afc6b4bdc1 button_center.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 1048 15d470edd84d4b27e396f209df4c98384108c309 download.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 2072 6aa58b17f17ae89ddbbae28ba7ab9ffdc9c1a67b footer_left.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 408 95563204de3cfb130ba074ffe6e9932a188278eb topbar_right.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 4216 913419ff5e6656bc9fae0bfa4638f3b93e02078c logo.jpg\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 4216 913419ff5e6656bc9fae0bfa4638f3b93e02078c astaro-logo.jpg\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 104 2d753ff7186c4905fde674da6a753a3d194e74fb blank1x1.gif\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 1656 e437c16cf10ba865326ab560a7d637991980d4db logo.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 984 baf29225866bda97620c5e091e5ed0ef6e03a11e login_button.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 1240 8f203b5681598ceed3095a01cec50478b4fb7398 warning2.gif\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 312 5b6cae7707c73055dece97e64e6749e87ecde8e1 button_right.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 536 579b9fcde14834782983202e76ba19242bbdcadf up.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 536 ad0b2d9ca79bd12eec57591e70058f387470a580 file.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 248 19e7abcc234a9d4700b1bd35291fb3de1e2ecac8 topbar.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 600 813e102befb4fba4cda4096e765f4f87bb3f6625 symlink.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 344 0297b0e44d2904461453343c57ac412c90ee82fb footer_right.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 1080 0eee6251dac76988fdffabb4b35001142522fe86 warning.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^swa_image 312 8e22b5820db79a9098a72c9547a8a9eab83eeb4b fieldset_center.png\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^sxlconfig 88 3e0fa0e0e9af0a1a7ca77f8491a5fc6507eb9ab1\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 30da0d9a70609b4b08e905876c46e7b510acbeeb filetype_cn.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 30da0d9a70609b4b08e905876c46e7b510acbeeb filetype_de.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 30da0d9a70609b4b08e905876c46e7b510acbeeb filetype_en.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 30da0d9a70609b4b08e905876c46e7b510acbeeb filetype_es.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 30da0d9a70609b4b08e905876c46e7b510acbeeb filetype_fr.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 30da0d9a70609b4b08e905876c46e7b510acbeeb filetype_it.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 30da0d9a70609b4b08e905876c46e7b510acbeeb filetype_ja.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 30da0d9a70609b4b08e905876c46e7b510acbeeb filetype_tw.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3912 24159b792f9a1324781ea5e2a563778f9491fec9 filetypewarn_cn.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3912 24159b792f9a1324781ea5e2a563778f9491fec9 filetypewarn_de.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3912 24159b792f9a1324781ea5e2a563778f9491fec9 filetypewarn_en.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3912 24159b792f9a1324781ea5e2a563778f9491fec9 filetypewarn_es.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3912 24159b792f9a1324781ea5e2a563778f9491fec9 filetypewarn_fr.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3912 24159b792f9a1324781ea5e2a563778f9491fec9 filetypewarn_it.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3912 24159b792f9a1324781ea5e2a563778f9491fec9 filetypewarn_ja.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3912 24159b792f9a1324781ea5e2a563778f9491fec9 filetypewarn_tw.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3672 5c9eb307310e79b4525535709a945c53c8b5cca1 malware_cn.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3672 5c9eb307310e79b4525535709a945c53c8b5cca1 malware_de.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3672 5c9eb307310e79b4525535709a945c53c8b5cca1 malware_en.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3672 5c9eb307310e79b4525535709a945c53c8b5cca1 malware_es.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3672 5c9eb307310e79b4525535709a945c53c8b5cca1 malware_fr.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3672 5c9eb307310e79b4525535709a945c53c8b5cca1 malware_it.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3672 5c9eb307310e79b4525535709a945c53c8b5cca1 malware_ja.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3672 5c9eb307310e79b4525535709a945c53c8b5cca1 malware_tw.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 fa882ee16ef912f563e2902b820bc497118c3fcd blocklist_cn.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 fa882ee16ef912f563e2902b820bc497118c3fcd blocklist_de.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 fa882ee16ef912f563e2902b820bc497118c3fcd blocklist_en.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 fa882ee16ef912f563e2902b820bc497118c3fcd blocklist_es.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 fa882ee16ef912f563e2902b820bc497118c3fcd blocklist_fr.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 fa882ee16ef912f563e2902b820bc497118c3fcd blocklist_it.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 fa882ee16ef912f563e2902b820bc497118c3fcd blocklist_ja.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 fa882ee16ef912f563e2902b820bc497118c3fcd blocklist_tw.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3672 e4575cb5119fa2841637a8fecc2ecbb90063a335 policy_cn.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3672 e4575cb5119fa2841637a8fecc2ecbb90063a335 policy_de.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3672 e4575cb5119fa2841637a8fecc2ecbb90063a335 policy_en.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3672 e4575cb5119fa2841637a8fecc2ecbb90063a335 policy_es.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3672 e4575cb5119fa2841637a8fecc2ecbb90063a335 policy_fr.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3672 e4575cb5119fa2841637a8fecc2ecbb90063a335 policy_it.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3672 e4575cb5119fa2841637a8fecc2ecbb90063a335 policy_ja.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3672 e4575cb5119fa2841637a8fecc2ecbb90063a335 policy_tw.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3896 72bdeaf501e7b899310d6afa8ef48019b4f04ae9 warn_cn.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3896 72bdeaf501e7b899310d6afa8ef48019b4f04ae9 warn_de.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3896 72bdeaf501e7b899310d6afa8ef48019b4f04ae9 warn_en.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3896 72bdeaf501e7b899310d6afa8ef48019b4f04ae9 warn_es.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3896 72bdeaf501e7b899310d6afa8ef48019b4f04ae9 warn_fr.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3896 72bdeaf501e7b899310d6afa8ef48019b4f04ae9 warn_it.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3896 72bdeaf501e7b899310d6afa8ef48019b4f04ae9 warn_ja.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3896 72bdeaf501e7b899310d6afa8ef48019b4f04ae9 warn_tw.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 a1bdb86ff2f56f821f7fba251fbf54f548cb6981 service_cn.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 a1bdb86ff2f56f821f7fba251fbf54f548cb6981 service_de.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 a1bdb86ff2f56f821f7fba251fbf54f548cb6981 service_en.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 a1bdb86ff2f56f821f7fba251fbf54f548cb6981 service_es.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 a1bdb86ff2f56f821f7fba251fbf54f548cb6981 service_fr.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 a1bdb86ff2f56f821f7fba251fbf54f548cb6981 service_it.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 a1bdb86ff2f56f821f7fba251fbf54f548cb6981 service_ja.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3656 a1bdb86ff2f56f821f7fba251fbf54f548cb6981 service_tw.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3640 4697aed8417610fe84a5e5e87f99b9589cfb4916 urlblacklist_cn.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3640 4697aed8417610fe84a5e5e87f99b9589cfb4916 urlblacklist_de.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3640 4697aed8417610fe84a5e5e87f99b9589cfb4916 urlblacklist_en.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3640 4697aed8417610fe84a5e5e87f99b9589cfb4916 urlblacklist_es.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3640 4697aed8417610fe84a5e5e87f99b9589cfb4916 urlblacklist_fr.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3640 4697aed8417610fe84a5e5e87f99b9589cfb4916 urlblacklist_it.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3640 4697aed8417610fe84a5e5e87f99b9589cfb4916 urlblacklist_ja.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3640 4697aed8417610fe84a5e5e87f99b9589cfb4916 urlblacklist_tw.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3864 bb5955006d5db27d72187373921ce875c61404d4 urlblacklistwarn_cn.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3864 bb5955006d5db27d72187373921ce875c61404d4 urlblacklistwarn_de.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3864 bb5955006d5db27d72187373921ce875c61404d4 urlblacklistwarn_en.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3864 bb5955006d5db27d72187373921ce875c61404d4 urlblacklistwarn_es.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3864 bb5955006d5db27d72187373921ce875c61404d4 urlblacklistwarn_fr.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3864 bb5955006d5db27d72187373921ce875c61404d4 urlblacklistwarn_it.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3864 bb5955006d5db27d72187373921ce875c61404d4 urlblacklistwarn_ja.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]
    v 16040814385678 swi_service.exe:004108:0009c4^template 3864 bb5955006d5db27d72187373921ce875c61404d4 urlblacklistwarn_tw.html\r\n [WebControlSync.cpp:309 WebControlSync::verifyAndStripSignatureFromIndexFile]

  • Maybe the problem is in the Sophos Agent ...

  • Based on the log lines:

    v 16040814384024 swi_service.exe:004108:0009c4 Failed to validate index signature using server key [Sophos::PublicKey 3c 40 57 81 a0 ea f5 b9 9b eb 61 f8 66 27 ff 78 91 04 12 87]. Does the endpoint need to re-register? [WebControlCrypto.cpp:301 reginfo::reginfo]
    e 16040814384024 swi_service.exe:004108:0009c4 Policy: invalid index err:0 

    It would suggest that the endpoint is downloading (in your case) the following index file:
    http://e53611b9-7d74-339e-b3f2-4e2addb92ca2-wdx-7d74.broker.sophos.com/wdx/policy/index.txt 

    It is then attempting to validate the signature and not being able to.  As a result the index file is deemed to be invalid so it will not progress to downloading the policy fragments.

    I can only think that either:

    1. The file is being corrupted on download by swi_service.exe.

    2. The endpoint is getting unexpected signature data.

    As the index file contains hashes of the policy fragments, an update to the policy would generate a new index file, so that might be worthwhile.

    I've taken a quick look on a UTM at: 

    /var/epsecd/etc/eplog.conf

    and I see:

    private_key = /var/epsecd/resources/client.pem
    certificate = /var/epsecd/resources/client.crt
    ca_certificate = /var/epsecd/resources/aws.ca.crt
    sc_ini = /var/chroot-http/etc/sc.ini

    so under: /var/epsecd/resources/ we see:

    aws.ca.crt  client.crt  client.pem  postgresql  templates

    Note: Customer resources added via the web interface (Management - Customisation - Web Templates /images) go to:

    /var/epsecd/resources/templates/[xxxxxxxxxx]/static/custom/

    So these would also be part of the index. For example with a custom file the index would have at the top of the fragment list:

    version 1

    custom_image 85864 cad136604af290b9fd9682f4139e7d87a4eb49e9 Sophos-icon.png

    where Sophos-icon.png is a custom file, the size and checksum are also listed.

    I wonder if the problem could be understood by cross-referencing the endpoint trace logs with the info in the above certificates and the files on the endpoints under: "C:\ProgramData\Sophos\Web Control\Keys\".

    Failing which maybe try adding a custom resource to force a new index, then check your index file by just downloading it in a browser by adding /wdx/policy/index.txt to URL based on your appliance ID.  This can be found in the endpoint registry under: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Web Intelligence\Web Control\PolicyURL. Finally restart the Sophos Web intelligence service on a client to force a new sync.

    Regards,

    Jak
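
The index layout described in the post above (a `version` line, then one `<type> <size> <checksum> <name>` entry per fragment, as in the `custom_image` example and the `template` lines in the trace) can be checked against files saved to disk. This is an added example, not Sophos code and not part of the original post; it assumes the 40-hex checksum is a SHA-1 over the raw file bytes, it does not attempt the index signature check, and the function names and sample data are made up for illustration.

```python
import hashlib
import re

# Entry layout seen in the thread: "<type> <size> <40-hex checksum> <name>".
ENTRY = re.compile(r"^(?P<kind>\w+) (?P<size>\d+) (?P<sha1>[0-9a-f]{40}) (?P<name>.+)$")

def parse_index(text):
    """Return (version, entries) from the fragment list of an index file."""
    version, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("version "):
            version = int(line.split()[1])
            continue
        m = ENTRY.match(line)
        if m is None:
            # Anything else (for example signature data) is reported, not guessed at.
            raise ValueError(f"unrecognised index line: {line!r}")
        entries[m["name"]] = (m["kind"], int(m["size"]), m["sha1"])
    return version, entries

def check_fragment(entries, name, data):
    """Compare one downloaded fragment with its index entry."""
    if name not in entries:
        return "not-in-index"
    _, size, sha1 = entries[name]
    if len(data) != size:
        return "size-mismatch"
    # Assumption: the checksum is SHA-1 over the raw file bytes.
    if hashlib.sha1(data).hexdigest() != sha1:
        return "checksum-mismatch"
    return "ok"

# Constructed sample: a one-entry index built around made-up fragment contents.
BLOCK_PAGE = b"<html>blocked</html>"
SAMPLE_INDEX = (
    "version 1\n\n"
    f"template {len(BLOCK_PAGE)} {hashlib.sha1(BLOCK_PAGE).hexdigest()} policy_en.html\n"
)

if __name__ == "__main__":
    version, entries = parse_index(SAMPLE_INDEX)
    print(version, check_fragment(entries, "policy_en.html", BLOCK_PAGE))
    print(check_fragment(entries, "policy_en.html", BLOCK_PAGE + b" "))
```

A size or checksum mismatch on a fragment points at corruption in transit or on disk, which is separate from the signature failure on the index itself.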

  • Communication within Sophos has been a big problem as of late.  I had to threaten termination of all of my current sales leads and refusal to renew and move to another product to get a response.  Sophos is the victim of too many acquisitions too quickly and it is now showing.  Hopefully they will get their internal issues straightened out very soon.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • That is a highly loaded question.  I am running 9.4 on my test system but my clients are running 9.35x

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • Yes it has been pretty bad lately... I'm using a national US reseller and they're having a hell of a time getting answers. 

  • I also installed 9.4 on my test system, everything works well, except for Agent...

  • Huh... looks like it's working again -- at least in our case.  Just looked at a laptop and the log data is there (in the UTM) as well as reporting, and blocking stuff as it is supposed to.  Must've fixed something in the back end.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • I've completely turned off Endpoint Protection and restarted it and erased all the data.  I've installed the agent on the endpoint again and turned on the logging in the registry in order to get the swisdiag log files.  The results are below:

     

    I 16041215155742 swi_service.exe:002244:001310 20160412 151557.423 T00001310 ------ 3 - Processing request=196\n [oem-log.cpp:29 oem_log]
    I 16041215155742 swi_service.exe:002244:001310 20160412 151557.423 T00001310 ------ 3 - Queueing request 196\n [oem-log.cpp:29 oem_log]
    I 16041215155742 swi_service.exe:002244:000e78 20160412 151557.423 T00000e78 ------ 3 - Processing request=196, 00F328B0\n [oem-log.cpp:29 oem_log]
    A 16041215155792 swi_service.exe:002244:000e78 20160412 151557.922 T00000e78 ------ 2 - Send request (WinHttpReceiveResponse) error 12152: The server returned an invalid or unrecognized response\n [oem-log.cpp:25 oem_log]
    v 16041215155792 swi_service.exe:002244:001028 Policy response: event=1; status=0 [WebControlSync.cpp:1058 WebControlSync::handlePolicyResponse]
    e 16041215155792 swi_service.exe:002244:001028 Policy: failure downloading index.txt: status=0 err:0 [WebControlSync.cpp:1062 WebControlSync::handlePolicyResponse]
    v 16041215155792 swi_service.exe:002244:001028 [SymmetricKey d6 77 2f 3f 42 a7 50 d1 8f a3 d5 d5 7a 32 ea 46 ec be d9 69].decrypt(sha1=e6b05cd675e63188482dc80736b6a49ad8846657) [SophosSymmetricKey.cpp:244 Sophos::SymmetricKey::decrypt]
    v 16041215155792 swi_service.exe:002244:001028 decrypted sha1=af006394ac52ffb2e15e3aef5418c254535825fe [SophosSymmetricKey.cpp:156 Sophos::SymmetricKey::impl::decrypt]
    v 16041215155792 swi_service.exe:002244:001028 Successfully decrypted keyinfo.dat from disk [WebControlCrypto.cpp:301 reginfo::reginfo]
    v 16041215155792 swi_service.exe:002244:001028 fallback URL:e53611b9-7d74-339e-b3f2-4e2addb92ca2-wdx-7d74.broker.sophos.com/ [WebControlSync.cpp:493 WebControlSync::makeUrl]
    v 16041215155792 swi_service.exe:002244:001028 Signing X-Sophos-Filter header contents: e53611b9-7d74-339e-b3f2-4e2addb92ca2-wdx-7d74.broker.sophos.com/wdx/policy/index.txt [WebControlSync.cpp:513 WebControlSync::signedFilterHeader]
    v 16041215155792 swi_service.exe:002244:001028 [SymmetricKey d6 77 2f 3f 42 a7 50 d1 8f a3 d5 d5 7a 32 ea 46 ec be d9 69].decrypt(sha1=e6b05cd675e63188482dc80736b6a49ad8846657) [SophosSymmetricKey.cpp:244 Sophos::SymmetricKey::decrypt]
    v 16041215155792 swi_service.exe:002244:001028 decrypted sha1=af006394ac52ffb2e15e3aef5418c254535825fe [SophosSymmetricKey.cpp:156 Sophos::SymmetricKey::impl::decrypt]
    v 16041215155792 swi_service.exe:002244:001028 Successfully decrypted keyinfo.dat from disk [WebControlCrypto.cpp:301 reginfo::reginfo]
    v 16041215155792 swi_service.exe:002244:001028 [SymmetricKey 3b 15 7d 59 3c 1e e2 65 25 ff 69 11 1e 9d 66 f9 1a e7 a2 bc].sign(sha1=dd2294ecea9a85a7f9a2d75640c9933ea515e7b1) [SophosSymmetricKey.cpp:251 Sophos::SymmetricKey::sign]
    v 16041215155792 swi_service.exe:002244:001028 signature sha1=3bdb711e168957d1e07f5eecf67e34176263aa4a [SophosSymmetricKey.cpp:174 Sophos::SymmetricKey::impl::sign]
    v 16041215155792 swi_service.exe:002244:001028 Signed WDX header: X-Sophos-Filter: 566b1ba59834da6e4d8ad204efe44d8e7e10a873 [e53611b9-7d74-339e-b3f2-4e2addb92ca2-wdx-7d74.broker.sophos.com/wdx/policy/index.txt] [WebControlSync.cpp:543 WebControlSync::signWdxRequestHeaders]
    v 16041215155792 swi_service.exe:002244:001028 [PROXY:AUTODETECT FORCE] Policy: GET e53611b9-7d74-339e-b3f2-4e2addb92ca2-wdx-7d74.broker.sophos.com/.../index.txt [WebControlSync.cpp:640 WebControlSync::startPolicy]
    v 16041215155792 swi_service.exe:002244:001028 NOT resetting failure count -- intermediate proxy failure [WebControlSync.cpp:825 WebControlSync::httpEventCallback]
    I 16041215155792 swi_service.exe:002244:001310 20160412 151557.922 T00001310 ------ 3 - Processing request=195\n [oem-log.cpp:29 oem_log]
    I 16041215155798 swi_service.exe:002244:001310 20160412 151557.984 T00001310 ------ 3 - Queueing request 195\n [oem-log.cpp:29 oem_log]
    I 16041215155798 swi_service.exe:002244:0001f4 20160412 151557.984 T000001f4 ------ 3 - Processing request=195, 00F32270\n [oem-log.cpp:29 oem_log]
    A 16041215155865 swi_service.exe:002244:0001f4 20160412 151558.655 T000001f4 ------ 2 - Send request (WinHttpReceiveResponse) error 12152: The server returned an invalid or unrecognized response\n [oem-log.cpp:25 oem_log]

    It appears I am unable to download the index.txt file from Sophos, but I can't figure out why (or if it's an issue on my end or their end).  I am still not seeing any data and my web protection still does not work on 9.4.
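
The two traces in this thread fail at different steps of the policy sync: the earlier one downloads index.txt and rejects its signature, while the one above never receives index.txt at all. The following added example (not Sophos tooling and not part of any post) sorts swi_service trace lines into those two cases; the line layout and message fragments are taken from the lines quoted in the thread, and the stage names and function names are made up for illustration.

```python
import re
from collections import Counter

# "<level> <timestamp> <process>:<pid>:<tid> <message> [<file>:<line> <function>]"
TRACE = re.compile(
    r"^(?P<level>\w) (?P<ts>\d{14}) [\w.]+:(?P<pid>[0-9a-f]+):(?P<tid>[0-9a-f]+) "
    r"(?P<msg>.*?)(?: \[(?P<src>[\w.-]+:\d+) [^\]]+\])?\s*$"
)

# Message fragments taken from the trace lines quoted in this thread.
RULES = [
    ("transport", re.compile(r"\(WinHttpReceiveResponse\) error (\d+)")),
    ("proxy", re.compile(r"intermediate proxy failure")),
    ("index-download", re.compile(r"failure downloading index\.txt: status=(\d+)")),
    ("index-signature", re.compile(r"Failed to validate index signature")),
    ("index-rejected", re.compile(r"Policy: invalid index")),
]

def triage(lines):
    """Return (timestamp, thread id, stage, detail, source) for each failure line."""
    findings = []
    for raw in lines:
        m = TRACE.match(raw.strip())
        if m is None:
            continue  # blank or wrapped line, not a trace record
        for stage, rule in RULES:
            hit = rule.search(m["msg"])
            if hit:
                detail = hit.group(1) if hit.groups() else ""
                findings.append((m["ts"], m["tid"], stage, detail, m["src"]))
    return findings

def failed_stage(findings):
    """Name the earliest step of the policy sync that failed."""
    seen = Counter(stage for _, _, stage, _, _ in findings)
    if seen["transport"] or seen["index-download"]:
        return "download"    # index.txt never reached the endpoint
    if seen["index-signature"] or seen["index-rejected"]:
        return "signature"   # index.txt arrived but was not trusted
    return "none"

# Sample input: lines abridged from the two traces in this thread (key bytes elided).
DOWNLOAD_TRACE = [
    r"A 16041215155792 swi_service.exe:002244:000e78 Send request (WinHttpReceiveResponse) error 12152: The server returned an invalid or unrecognized response\n [oem-log.cpp:25 oem_log]",
    r"e 16041215155792 swi_service.exe:002244:001028 Policy: failure downloading index.txt: status=0 err:0 [WebControlSync.cpp:1062 WebControlSync::handlePolicyResponse]",
    r"v 16041215155792 swi_service.exe:002244:001028 NOT resetting failure count -- intermediate proxy failure [WebControlSync.cpp:825 WebControlSync::httpEventCallback]",
]
SIGNATURE_TRACE = [
    r"v 16040814384024 swi_service.exe:004108:0009c4 Failed to validate index signature using server key [Sophos::PublicKey ...]. Does the endpoint need to re-register? [WebControlCrypto.cpp:301 reginfo::reginfo]",
    r"e 16040814384024 swi_service.exe:004108:0009c4 Policy: invalid index err:0",
]

if __name__ == "__main__":
    print(failed_stage(triage(DOWNLOAD_TRACE)), failed_stage(triage(SIGNATURE_TRACE)))
```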