
Sophos Endpoint Protection UTM Edition isn't updating any more

Hi all,

since 31.08.2018 I don't get updates for Sophos Endpoint Protection any more. The update log shows the following errors:

Zeit: 28.09.2018 06:50:36
Meldung: AutoUpdate abgeschlossen
Modul: SophosUpdate
Prozess-ID: 11336
Thread-ID: 7384

Zeit: 28.09.2018 06:50:36
Meldung: Download-Phase abgeschlossen
Modul: Update
Prozess-ID: 11336
Thread-ID: 7384

Zeit: 28.09.2018 06:50:36
Meldung: FEHLER:   Endpoint Security and Control konnte nicht von Server Sophos heruntergeladen werden
Modul: Update
Prozess-ID: 11336
Thread-ID: 7384

Zeit: 28.09.2018 06:30:53
Meldung: Download von Produkt Endpoint Security and Control vom Server Sophos
Modul: Update
Prozess-ID: 11336
Thread-ID: 7384

Zeit: 28.09.2018 01:30:16
Meldung: ***************          Sophos AutoUpdate gestartet          ***************
Modul: SophosUpdate
Prozess-ID: 11336
Thread-ID: 7384

This issue is happening on 5 of 8 running systems. The agents are connected properly to the UTM. The license is valid until July 2020 and there are 10 of 12 agents installed.

How can I solve this issue?
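
The update log pasted in the post above can be checked by a script rather than by opening the endpoint console. This is an added example, not part of the original post and not Sophos tooling: it parses records in the layout shown in the post and reports update cycles that logged a FEHLER entry or never finished. The German message strings and the newest-first order come from the post; that a saved copy of the log has the same layout is an assumption.

```python
import re
from datetime import datetime

# Five records from the post above (newest first, German UI strings);
# the Prozess-ID/Thread-ID lines are left out for brevity.
SAMPLE = "\n\n".join([
    "Zeit: 28.09.2018 06:50:36\nMeldung: AutoUpdate abgeschlossen\nModul: SophosUpdate",
    "Zeit: 28.09.2018 06:50:36\nMeldung: Download-Phase abgeschlossen\nModul: Update",
    "Zeit: 28.09.2018 06:50:36\nMeldung: FEHLER:   Endpoint Security and Control konnte nicht von Server Sophos heruntergeladen werden\nModul: Update",
    "Zeit: 28.09.2018 06:30:53\nMeldung: Download von Produkt Endpoint Security and Control vom Server Sophos\nModul: Update",
    "Zeit: 28.09.2018 01:30:16\nMeldung: ***************          Sophos AutoUpdate gestartet          ***************\nModul: SophosUpdate",
])

def parse_records(text):
    """Split on blank lines, read 'Key: value' pairs, return oldest first."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "Zeit" in rec and "Meldung" in rec:
            rec["Zeit"] = datetime.strptime(rec["Zeit"].strip(), "%d.%m.%Y %H:%M:%S")
            records.append(rec)
    return records[::-1]  # the log view lists the newest record first

def update_cycles(records):
    """Group records into cycles: 'gestartet' .. 'AutoUpdate abgeschlossen'."""
    cycles, current = [], None
    for rec in records:
        msg = rec["Meldung"].strip()
        if "Sophos AutoUpdate gestartet" in msg:
            current = {"start": rec["Zeit"], "end": None, "errors": []}
            cycles.append(current)
        elif current is None:
            continue  # records that precede the first start marker
        elif msg.startswith("FEHLER:"):
            current["errors"].append(msg[len("FEHLER:"):].strip())
        elif msg == "AutoUpdate abgeschlossen":
            current["end"] = rec["Zeit"]
            current = None
    return cycles

def failed_cycles(text):
    """Cycles that logged an error or have no completion record."""
    return [c for c in update_cycles(parse_records(text)) if c["errors"] or c["end"] is None]

if __name__ == "__main__":
    for c in failed_cycles(SAMPLE):
        print(c["start"], "->", c["end"], c["errors"])
```
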



  • Hi all,

    I found this thread with a workaround: https://community.sophos.com/products/unified-threat-management/f/endpoint-protection-antivirus-and-device-control/103716/could-not-contact-server

    I tried the following on one of my affected endpoints:

    1. Copy the warehouse folder from a working endpoint (the warehouse folder is found at C:\ProgramData\Sophos\AutoUpdate\data).
    2. Paste the folder into the same location on one of the affected endpoints.
    3. Force an update/run the install.
    4. Check to see if the affected endpoint has now updated successfully.

    On this machine the workaround helped. I have to try it on the other machines, too. And I want to wait until there's a new update and the agent is getting this update before I set this thread to solved.

    Kind Regards

    TheExpert

  • Hello TheExpert,

    more details should be in the ALUpdate log in %ProgramData%\Sophos\AutoUpdate\Logs\. Please see here on how to identify one update cycle if you need to post a snippet of the log (more than one cycle is redundant, less might make it hard to determine the actual problem).

    Christian

  • Hello Christian,

    sorry, there's no ALUpdate log file in the folder %ProgramData%\Sophos\AutoUpdate\Logs\.

    The workaround I found seems to work. Actually there's no update but on all affected endpoints I could get the update running again without errors.

    Kind Regards

    TheExpert

  • Hi all,

    the issue is happening again and again. But now I don't have any clients which are getting new updates! The last working client I had did one successful update today and since then the update procedure shows the same error: "Meldung: FEHLER:   Endpoint Security and Control konnte nicht von Server Sophos heruntergeladen werden"

    The workaround I found a few weeks ago (see above) doesn't help to solve this issue any more.

    Did Sophos make changes to the update feature? Is Sophos Endpoint Protection UTM Edition still under support so that it will get updates? There are a lot of signs showing that Sophos isn't interested in supporting this product any more. One sign is that there's still no new installation package which is compatible with Windows 10.

    It's a shame how Sophos as a big IT security firm is keeping its products actual and working. The UTM is a very good system but in the past months there are no regular updates any more and issues are not fixed for months!

    Do you have any ideas how to get the endpoint protection working regarding the updates? Or should I uninstall this software and switch to Microsoft Defender? Thank you.

    Kind Regards

    TheExpert

  • Hi, 

    I am not quite the fan of the UTM Endpoint because it is lacking some kind of extra protection layers like Intercept X. Maybe this is the perfect time to migrate your endpoint to Central? And to be honest, if you manage those clients on UTM Dashboard or central dashboard seems to be some kind of the same. 

    You should be able to migrate everything properly into Central without any issue. And you don't have to touch your SG. It is only the Endpoint client which can be migrated to Central.


  • Hi LuCar Toni,

    thank you for your feedback. I forgot to mention that I'm using the Home Edition of the UTM and I like the central management of the Endpoint Protection. I don't need the extra features. But it would be nice if the provided features are working as they should. But there's no information when the updates don't work. In the past there was an icon in the taskbar showing issues but now the icon shows no issues and events with hints when moving over the Sophos icon. Actually the hint only shows that the update was running. I have to open the endpoint console to see that the update isn't working. And after a few days the Windows security center shows an issue. This isn't the kind of monitoring I prefer.

    Is Central free for home users? And is central solving my issues with the updates of Sophos Endpoint Protection? What's the root cause for not updating the endpoints any more?

    Thank you.

    Kind Regards

    TheExpert

  • The Central Home Version is called Sophos Home.

    https://home.sophos.com/

    It is free for Home Users and grants the same level of protection as Central Intercept X.


  • Hi LuCar Toni,

    thank you for this hint. I will have a look at this later.

    But what's the reason for the Endpoint Protection not updating any more? I see in the UTM that there's traffic to sophosupd.com. It's about 50 MB for yesterday from every single client system. So it looks like the updates are downloading but they won't be installed. Is there an issue with false-positive error messages?

    Kind Regards

    TheExpert

    I do not know, because I simply do not cover that deep insight knowledge of endpoint.

    Maybe  can help out? :)


  • Hello TheExpert,

    sorry, for whatever reason I did not follow up in September. Haven't heard that AutoUpdate doesn't produce an ALUpdate log (don't think you searched for a log named just ALUpdate and disregarded those with names like ALUpdate20181112T111247.5573100.log). Or are there no files at all in %ProgramData%\Sophos\AutoUpdate\Logs\?

    As to the so-called workaround: Not knowing the details of the issue I can just speculate why it seemingly helps. When checking for updates AutoUpdate compares the contents of the Warehouse (comparing catalogs of hashes) with those available from the download server. When the download of a certain new/changed file constantly fails and you update the Warehouse with a complete copy no download will be required at the next check and consequently AutoUpdate will report success. Eventually there might again be an error - depending on whether the download doesn't work at all or just for one or a few files the update will fail within a day or after a longer interval (that could even be weeks). Rinse. Repeat.

    "Sophos isn't interested in supporting this product any more"
    I'm not Sophos so I can't make a dependable statement. It's AFAIK still supported but no longer actively developed. UTM Endpoint or rather its communication mechanism MCS is based on the cloud version (Central). Providing the newer versions (Windows 10 should be supported, BTW, can't say what the issue with the installer package could be) would mean that the Central Admin management features have to be backported to the UTM.

    Christian