EP can't update on all clients

Question

Hi guys

At two different sites, I have an UTM Home running on identical hardware and firmware (currently 9.315-2), but of course an independent license.

[:)] At Site A, there are 3 clients with "Endpoint Protection" installed. They are updating themselves frequently and are currently running version 11.0.5 UTM.

[:@] At Site B, there are 6 clients (Windows 7) with "Endpoint Protection" installed. They all recently started showing up as "Out-of-date" in the Endpoint Protection Status - investigation shows that they all stopped receiving updates around July 27/28 and are still running version 10.3 UTM.

The following messages are visible in the log at all Site B clients upon the hourly update check:

Zeit: 20.09.2015 17:49:08
Meldung: AutoUpdate abgeschlossen
Zeit: 20.09.2015 17:49:08
Meldung: Download-Phase abgeschlossen
Zeit: 20.09.2015 17:49:08
Meldung: FEHLER: Endpoint Security and Control konnte nicht von Server Sophos heruntergeladen werden
Zeit: 20.09.2015 17:49:05
Meldung: Download von Produkt Endpoint Security and Control vom Server Sophos
Zeit: 20.09.2015 17:49:02
Meldung: *************** Sophos AutoUpdate gestartet ***************

It states that it can't download "Endpoint Security and Control" from server.

However, when I trigger an update manually by right-clicking on the taskbar logo and "Jetzt updaten (Update now)", a window opens up which shows that it is actually downloading a file (see attachment "sophos01.png") before the messages changes into "Keine Verbindung zum Server (No connection to server)" (see attachment "sophos02.png").

Things I've tried already with no success:
- Reset the registration token for Endpoint Protection at the affected UTM.
- Disabled the Windows Firewall.
- Made the client bypass the proxy.
- Checked the Windows Event Viewer for related events.

Recently installed Endpoint Protection can't even get the actual software downloaded.

Is there a way to get a more detailed log from the Endpoint Protection? The fact that it tells me it "can't download the file" but is actually downloading confuses me...

What could be the cause of this situation?
How might I be able to fix it?

Every reply is greatly appreciated!

Have a great day!

This thread was automatically locked due to age.

BAlfson · Answer

Hoi Sander - first I've seen you here - welcome to the UTM Community! 
 I think this is an error that can be repaired by using [Reset Registration Token] on the 'Advanced' tab. I believe that requires re-installing the Endpoint on all of the PCs though. 
 Here's a batch file I've used to un-install Sophos Endpoint on Win7. Note that you must delete two lines depending on whether you're removing V10 or V11. 
 @Echo Off net stop "Sophos AutoUpdate Service" net stop "Sophos Anti-Virus" net stop "Sophos Anti-Virus status reporter" net stop "Sophos Device Control Service" net stop "Sophos MCS Agent" net stop "Sophos MCS Client" net stop "Sophos Web Control Service" net stop "Sophos Web Intelligence Update" net stop "swi_service" net stop "swi_update_64" REM Sophos Management Communications system - DELETE for V11 - KEEP for V10 - MsiExec.exe /X{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B} /qn REBOOT=SUPPRESS /PASSIVE /L*v %windir%\Temp\Uninstall_SAV11_Log.txt REM Sophos Management Communications system - DELETE for V10 - KEEP for V11 - REM MsiExec.exe /X{1FFD3F20-5D24-4C9A-B9F6-A207A53CF179} REM Sophos Anti-Virus MsiExec.exe /X{D929B3B5-56C6-46CC-B3A3-A1A784CBB8E4} /qn REBOOT=SUPPRESS /PASSIVE /L*v %windir%\Temp\Uninstall_SAV11_Log.txt REM Sophos AutoUpdate MsiExec.exe /X{15C418EB-7675-42be-B2B3-281952DA014D} /qn REBOOT=SUPPRESS /PASSIVE /L*v %windir%\Temp\Uninstall_SAV11_Log.txt 
 Before resetting the token on the 'Advanced' tab, what happens if you uninstall using the batch file and reinstall the client? Did that fix the issue? 
 Cheers - Bob

Sander Koorneef · Answer

Hi, 
 for so far we know is Sophos still working on this issue. It's recently escalated to Sophos GES team (also acquainted to development) I heard. We indeed still have the issue so far. 
 There is, however, a valid workaround : 
 1. Copy the Warehouse folder from a working endpoint (the warehouse folder is found at C:\ProgramData\Sophos\AutoUpdate\data). 2. Paste the folder into the same location on one of the affected endpoints. 3. Force an update/run the install. 4. Check to see if the affected endpoint has now updated successfully. 
 I will keep this thread up-to-date with our findings and Sophos communication. But for so far very slow... 
 Regards, Sander.