
Sophos Endpoint Protection UTM Edition isn't updating any more

Hi all,

since 31.08.2018 I don't get updates for Sophos Endpoint Protection any more. The update log shows the following errors:

Zeit: 28.09.2018 06:50:36
Meldung: AutoUpdate abgeschlossen
Modul: SophosUpdate
Prozess-ID: 11336
Thread-ID: 7384

Zeit: 28.09.2018 06:50:36
Meldung: Download-Phase abgeschlossen
Modul: Update
Prozess-ID: 11336
Thread-ID: 7384

Zeit: 28.09.2018 06:50:36
Meldung: FEHLER:   Endpoint Security and Control konnte nicht von Server Sophos heruntergeladen werden
Modul: Update
Prozess-ID: 11336
Thread-ID: 7384

Zeit: 28.09.2018 06:30:53
Meldung: Download von Produkt Endpoint Security and Control vom Server Sophos
Modul: Update
Prozess-ID: 11336
Thread-ID: 7384

Zeit: 28.09.2018 01:30:16
Meldung: ***************          Sophos AutoUpdate gestartet          ***************
Modul: SophosUpdate
Prozess-ID: 11336
Thread-ID: 7384

This issue is happening on 5 of 8 running systems. The agents are connected properly to the UTM. The license is valid until July 2020 and there are 10 of 12 agents installed.

How can I solve this issue?



  • Hello TheExpert,

    more details should be in the ALUpdate log in %ProgramData%\Sophos\AutoUpdate\Logs\. Please see here on how to identify one update cycle if you need to post a snippet of the log (more than one cycle is redundant, less might make it hard to determine the actual problem).

    Christian

  • Hello Christian,

    sorry, there's no ALUpdate log file in the folder %ProgramData%\Sophos\AutoUpdate\Logs\.

    The workaround I found seems to work. Actually there's no update but on all affected endpoints I could get the update running again without errors.

    Kind Regards

    TheExpert

  • Hi all,

    the issue is happening again and again. But now I don't have any clients which are getting new updates! The last working client I had did one successful update today and since then the update procedure shows the same error: "Meldung: FEHLER:   Endpoint Security and Control konnte nicht von Server Sophos heruntergeladen werden"

    The workaround I found a few weeks ago (see above) doesn't help to solve this issue any more.

    Did Sophos make changes to the update feature? Is Sophos Endpoint Protection UTM Edition still under support so that it will get updates? There are a lot of signs showing that Sophos isn't interested in supporting this product any more. One sign is that there's still no new installation package which is compatible with Windows 10.

    It's a shame how Sophos as a big IT security firm is keeping its products actual and working. The UTM is a very good system but in the past months there are no regular updates any more and issues are not fixed for months!

    Do you have any ideas how to get the endpoint protection working regarding the updates? Or should I uninstall this software and switch to Microsoft Defender? Thank you.

    Kind Regards

    TheExpert

  • Hi, 

    I am not quite the fan of the UTM Endpoint because it is lacking some kind of extra protection layers like Intercept X. Maybe this is the perfect time to migrate your endpoint to Central? And to be honest, if you manage those clients on UTM Dashboard or central dashboard seems to be some kind of the same. 

    You should be able to migrate everything properly into Central without any issue. And you don't have to touch your SG. It is only the Endpoint client which can be migrated to Central.


  • Hi LuCar Toni,

    thank you for your feedback. I forgot to mention that I'm using the Home Edition of the UTM and I like the central management of the Endpoint Protection. I don't need the extra features. But it would be nice if the provided features are working as they should. But there's no information, when the updates don't work. In the past there was an icon in the taskbar showing issues but now the icon shows no issues and events with hints when moving over the Sophos icon. Actually the hint only shows that the update was running. I have to open the endpoint console to see that the update isn't working. And after a few days the Windows security center shows an issue. This isn't that kind of monitoring I prefer.

    Is Central free for home users? And is central solving my issues with the updates of Sophos Endpoint Protection? What's the root cause for not updating the endpoints any more?

    Thank you.

    Kind Regards

    TheExpert

  • The Central Home Version is called Sophos Home.

    https://home.sophos.com/

    It is free for Home Users and grants the same level of protection like Central Intercept X.


  • Hi LuCar Toni,

    thank you for this hint. I will have a look at this later.

    But what's the reason for the Endpoint Protection not updating any more? I see in the UTM that there's traffic to sophosupd.com. It's about 50 MB for yesterday from every single client system. So it looks like the updates are downloading but they won't be installed. Is there an issue with false-positive error messages?

    Kind Regards

    TheExpert

    I do not know, because I simply do not cover those deep insight knowledge of endpoint.

    Maybe  can help out? :)


  • Hello TheExpert,

    sorry, for whatever reason I did not follow up in September. Haven't heard that AutoUpdate doesn't produce an ALUpdate log (don't think you searched for a log named just ALUpdate and disregarded those with names like ALUpdate20181112T111247.5573100.log). Or are there no files at all in \%ProgramData%\Sophos\AutoUpdate\Logs\?

    As to the so-called workaround: Not knowing the details of the issue I can just speculate why it seemingly helps. When checking for updates AutoUpdate compares the contents of the Warehouse (comparing catalogs of hashes) with those available from the download server. When the download of a certain new/changed file constantly fails and you update the Warehouse with a complete copy no download will be required at the next check and consequently AutoUpdate will report success. Eventually there might again be an error - depending on whether the download doesn't work at all or just for one or a few files the update will fail within a day or after a longer interval (that could even be weeks). Rinse. Repeat.

    "Sophos isn't interested in supporting this product any more"
    I'm not Sophos so I can't make a dependable statement. It's AFAIK still supported but no longer actively developed. UTM Endpoint or rather its communication mechanism MCS is based on the cloud version (Central). Providing the newer versions (Windows 10 should be supported, BTW, can't say what the issue with the installer package could be) would mean that the Central Admin management features have to be backported to the UTM.

    Christian

  • Hello QC,

    it's really strange: Yesterday I updated my ESX Hosts and so I had to failover my Sophos UTM HA cluster and to reboot the two UTM nodes one after another. And since the HA cluster is running in full HA mode again the update of Sophos Endpoint Protection is working again. And the Windows Security Center Icon shows that everything is OK now. But before the reboot I had no network issues or something like that. So I don't have an idea what's changed by the reboot of the UTM nodes.

    Another result of the reboot is that the SIP proxy feature isn't working as it did in the past. I deactivated the SIP Proxy of the UTM and configured dedicated firewall rules for the SIP and RTP communication between my VoIP devices. Now, the VoIP devices can communicate to each other again. But that's another story...

    Kind Regards

    TheExpert

  • Hi all,

    the update of Sophos Endpoint Protection UTM Edition seems to work but I'm not sure if it's getting actual pattern files. Windows Security Center shows an error regarding Sophos AV. The update log looks OK but for a long time I only see the following:

    Zeit: 22.11.2018 20:43:50
    Meldung: AutoUpdate abgeschlossen
    Modul: SophosUpdate
    Prozess-ID: 12552
    Thread-ID: 8372

    Zeit: 22.11.2018 20:43:50
    Meldung: Installations-Phase abgeschlossen
    Modul: Install
    Prozess-ID: 12552
    Thread-ID: 8372

    Zeit: 22.11.2018 20:43:50
    Meldung: Installation von savxp übersprungen
    Modul: Install
    Prozess-ID: 12552
    Thread-ID: 8372

    Zeit: 22.11.2018 20:43:50
    Meldung: Installation von sau übersprungen
    Modul: Install
    Prozess-ID: 12552
    Thread-ID: 8372

    Zeit: 22.11.2018 20:43:50
    Meldung: Installation von mcsep übersprungen
    Modul: Install
    Prozess-ID: 12552
    Thread-ID: 8372

    Zeit: 22.11.2018 20:43:50
    Meldung: Download-Phase abgeschlossen
    Modul: Update
    Prozess-ID: 12552
    Thread-ID: 8372

    Zeit: 22.11.2018 20:43:42
    Meldung: Download von Produkt Endpoint Security and Control vom Server Sophos
    Modul: Update
    Prozess-ID: 12552
    Thread-ID: 8372

    Zeit: 22.11.2018 20:43:41
    Meldung: ***************          Sophos AutoUpdate gestartet          ***************
    Modul: SophosUpdate
    Prozess-ID: 12552
    Thread-ID: 8372

    How can I check if the pattern files are updated correctly?

    Kind Regards

    TheExpert

  • Hello TheExpert,

    übersprungen (skipped) is the normal action if there are no new updates (and you can expect these not more often than every few hours).

    Please see the How to check if you're receiving the latest data protection updates article.
    "Windows Security Center shows an error"
    Could you post the exact wording?

    Christian
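
Added example, not part of the thread and not Sophos tooling: a small Python parser for the GUI update log layout quoted above. It groups entries into update cycles and separates cycles that failed (FEHLER) from cycles that only skipped every component (übersprungen). The sample text is constructed, and treating any non-skipped "Installation von" line as an install is an assumption.

```python
import re
from datetime import datetime
ENTRY = re.compile(r"Zeit:\s*(\S+ \S+)\s*\n\s*Meldung:\s*(.*)")
# Constructed sample in the layout of the update log quoted in this thread
# (newest entry first; Modul/Prozess-ID/Thread-ID lines left out).
SAMPLE = """\
Zeit: 22.11.2018 20:43:50
Meldung: AutoUpdate abgeschlossen

Zeit: 22.11.2018 20:43:50
Meldung: Installation von savxp übersprungen

Zeit: 22.11.2018 20:43:41
Meldung: *****   Sophos AutoUpdate gestartet   *****

Zeit: 28.09.2018 06:50:36
Meldung: AutoUpdate abgeschlossen

Zeit: 28.09.2018 06:50:36
Meldung: FEHLER:   Endpoint Security and Control konnte nicht von Server Sophos heruntergeladen werden

Zeit: 28.09.2018 01:30:16
Meldung: *****   Sophos AutoUpdate gestartet   *****
"""

def parse_cycles(text):
    """Return complete update cycles, oldest first, as start/end/status dicts."""
    entries = [(datetime.strptime(t, "%d.%m.%Y %H:%M:%S"), m.strip())
               for t, m in ENTRY.findall(text)]
    cycles, cur = [], None
    for ts, msg in reversed(entries):      # the GUI log lists newest first
        if "AutoUpdate gestartet" in msg:
            cur = {"start": ts, "status": "no-change"}
        elif cur is None:
            continue                       # entry outside a complete cycle
        elif msg.startswith("FEHLER"):
            cur["status"] = "error"
        # Assumption: a non-skipped "Installation von ..." line is an install.
        elif msg.startswith("Installation von") and "übersprungen" not in msg:
            cur["status"] = "installed" if cur["status"] != "error" else "error"
        elif msg == "AutoUpdate abgeschlossen":
            cycles.append({**cur, "end": ts})
            cur = None
    return cycles

def stale(cycles, now, max_days=14):
    """True if no cycle installed anything within max_days before now."""
    installs = [c["end"] for c in cycles if c["status"] == "installed"]
    return not installs or (now - max(installs)).days > max_days
```

A long run of "no-change" cycles with `stale()` returning True is the situation described in this thread: the log reports success while nothing new is installed.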

  • Hello QC,

    yes, I know that if there are no updates the update will be skipped, but even today the patterns still aren't updated! The UTM shows "outdated" on the Endpoint Protection dashboard. And the Windows Security Center shows "Maßnahmen erforderlich" ("Action required") for Sophos Anti-Virus. There are no more details.

    I tried to check the file inje-dsf.ide (see your link) but I can't find this file. There are a lot of other *.ide files and their file dates are from 12.11.2018 and earlier! I think after more than 2 weeks there have to be new pattern updates available. Or am I wrong?

    Kind Regards

    TheExpert

  • In fact, UTM Endpoint is on its way out and will not be supported after 31 Dec 2019.  Commercial customers (I know about North America and only suspect that this is worldwide) will learn in the coming week that no UTM Endpoint renewals will be sold after the end of this month, 31 Dec 2018.  Paid subscriptions for UTM Endpoint can be transitioned at any time to CEP - see How to migrate from UTM Endpoint Protection to Sophos Central Endpoint Protection.

    Just as Toni said above, the preferred solution for home users is Sophos Home which is superior to UTM Endpoint as he explains.  If at first you don't succeed, you might need the batch file below to remove UTM Endpoint (works for Win 7).  Would the first home user that tries this transition please report back here with any difficulties and if removal of UTM Endpoint was necessary.

     To uninstall the Sophos 10/11 in Windows 7 64-bit:

     @Echo Off
     net stop "Sophos AutoUpdate Service"
     net stop "Sophos Anti-Virus"
     net stop "Sophos Anti-Virus status reporter"
     net stop "Sophos Device Control Service"
     net stop "Sophos MCS Agent"
     net stop "Sophos MCS Client"
     net stop "Sophos Web Control Service"
     net stop "Sophos Web Intelligence Update"
     net stop "swi_service"
     net stop "swi_update_64"
     REM Sophos Management Communications system - DELETE for V11 - KEEP for V10 -
     MsiExec.exe /X{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B} /qn REBOOT=SUPPRESS /PASSIVE /L*v %windir%\Temp\Uninstall_SAV11_Log.txt
     REM Sophos Management Communications system - DELETE for V10 - KEEP for V11 -
     MsiExec.exe /X{1FFD3F20-5D24-4C9A-B9F6-A207A53CF179}
     REM Sophos Anti-Virus
     MsiExec.exe /X{D929B3B5-56C6-46CC-B3A3-A1A784CBB8E4} /qn REBOOT=SUPPRESS /PASSIVE /L*v %windir%\Temp\Uninstall_SAV11_Log.txt
     REM Sophos AutoUpdate
     MsiExec.exe /X{15C418EB-7675-42be-B2B3-281952DA014D} /qn REBOOT=SUPPRESS /PASSIVE /L*v %windir%\Temp\Uninstall_SAV11_Log.txt

    Same for Windows 32-bit except "swi_update" instead of "swi_update_64"

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi BAlfson,

    thank you for your information. But this isn't a solution of my issue. Even if the software won't be supported after 31 Dec 2019 it should get pattern updates until this time! And my question is now why it doesn't get pattern updates anymore and how could I check and solve for getting the updates again?

    For the future I don't think that I will use Sophos Home because it doesn't fit my requirements. But for now I want to use the Sophos UTM Endpoint Protection and will migrate to another solution in the next months.

    Kind Regards

    TheExpert

  • Hello TheExpert,

    the GUI's updating log doesn't give much insight, especially when updating from Sophos.
    Furthermore, as said, the log from 22.11.2018 doesn't show download errors. Please check the more verbose ALUpdate2018.... log (%ProgramData%\Sophos\AutoUpdate\Logs\), this should have some hint what's going on (if you post only part of it please make sure it includes a complete cycle).

    Christian

  • You might fix this behavior by clicking on [Reset Registration Token] on the 'Advanced' tab of 'Computer Management'.  If that doesn't work, uninstall and re-install Endpoint.

    Any luck with any of that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Christian,

    again, as written earlier, there's no ALUpdate... log file in the folder %ProgramData%\Sophos\AutoUpdate\Logs\.

    Kind Regards

    TheExpert

  • Hi BAlfson,

    you mean the Reset Registration Token at the UTM? Then I have to reset the registration of all the Sophos agents and I'm not sure if this will help because the update procedure itself is working and communicates with the Server without any error messages. But I will try this and will give you feedback.

    But the re-installation of the Endpoint isn't a really nice idea. The installation package doesn't install the Endpoint properly on Windows 10. When I have to uninstall Sophos Endpoint Protection then I will leave it uninstalled and switch to Microsoft Defender. The last AV test results aren't bad.

    Kind Regards

    TheExpert

  • The UTM Endpoint will go End of Life next year.

    https://community.sophos.com/kb/en-us/133049

    You should be able to simply "overinstall" the Central Home Endpoint. https://community.sophos.com/kb/en-us/133049

     
