
Sophos AV installer failing

Hello all,

In one of our offices, I have tried to install the Sophos "AV" client (version 1.5.0.656) on a few machines.  I have downloaded the executable from Sophos Cloud and am currently trying to install it manually (will later deploy via GPO to the entire domain - 7 offices/subnets).  The installation seems to be successful in the other offices, but not in this particular office (in Guam - not sure if that distinction is important here).

The "Sophos Endpoint Security and Control" installer indicates all tests pass, and when it concludes, it states:  "Installation is almost Complete....... An internet connection is required for registration, updates and configuration.......".  The installation never seems to complete beyond that (no AV directory, unable to open Sophos Endpoint Security and Control).

  1. Able to access internet via browser.
  2. Able to access all 8 .sophosupd.net/.com sites.
  3. Network perimeter:  SG210
  4. Seems that AWS is NOT being explicitly blocked.
  5. Have reviewed SophosUpdate.log, alc.log, McsAgent.log and McsClient.log.  Unsure how to interpret.
    1. WARN  HttpServerImpl::GetAutomaticProxies Failed to get the automatic proxy configuration. The error code was 12180.
    2. ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    3. Message: ERROR:   Download of Endpoint Security and Control failed from server Sophos
  6. Unsure if this was correct/needed, but added the 8 .sophosupd sites as DNS hosts to a network group and added the network group to the "transparent" skip-source and skip-destination lists.  Prior Web Filter logs indicated such entries to sophosupd as "pass".  Currently running a transparent proxy with no authentication.

I am sure I am missing some information here to help troubleshoot.  Did find some articles in Sophos knowledgebase, but did not seem to help.

Any help is appreciated,

  • Hi,

    Can you make available the SophosUpdate.log file?  A Pastebin link would do.

    Regards,

    Jak

  • Part 1:  http://pastebin.com/3kabR8k4

    and if needed:

    Part 2:  http://pastebin.com/zE1h2AmK

    Thank you Jak for taking the time to assist.

  • Hi,

    Thank you for the logs...

    Initially the following error was seen:

    2016-03-31T04:37:41.666Z [ 4552] ERROR SUL-Log [E83521] Cannot create stream b054be0903e2d63298fd8776c71a76bbx000.xml
    2016-03-31T04:45:22.667Z [ 6100] ERROR SUL-Log [E83521] Cannot create stream b054be0903e2d63298fd8776c71a76bbx000.xml
    2016-03-31T04:53:07.975Z [ 3820] ERROR SUL-Log [E83521] Cannot create stream b054be0903e2d63298fd8776c71a76bbx000.xml
    2016-03-31T05:40:24.268Z [ 6356] ERROR SUL-Log [E83521] Cannot create stream b054be0903e2d63298fd8776c71a76bbx000.xml

    Then....

    2016-03-31T06:41:03.793Z [ 4504] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T07:41:24.370Z [ 6268] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T08:41:22.969Z [ 2324] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T09:41:19.268Z [ 3700] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T10:41:18.854Z [ 4148] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T11:41:18.088Z [ 6268] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T12:41:24.528Z [ 6456] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T13:40:53.513Z [ 6380] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T14:41:16.636Z [ 2360] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T15:40:51.471Z [ 2572] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T16:41:14.514Z [ 5116] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T17:41:09.854Z [ 1324] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T18:19:38.984Z [ 4356] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T18:36:38.955Z [ 6424] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T19:40:39.078Z [ 6716] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T20:40:41.009Z [ 5912] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T21:17:55.976Z [ 3140] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T21:40:44.455Z [10100] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
    2016-03-31T22:40:42.641Z [ 2096] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product

    I wonder if the initial issue caused the second?  Have you tried deleting the directory:

    C:\programdata\sophos\Autoupdate\warehouse

    and the file:

    C:\programdata\sophos\Autoupdate\status\SophosUpdateStatus.xml

    and then force an update?

    Regards,

    Jak
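    The SophosUpdate.log lines quoted above (and the ones listed in the original post) share one fixed shape: an ISO timestamp, a process id in brackets, a level, a component name and a message.  As an added example, not code from this thread or from Sophos, the Python script below parses lines of that shape, counts events per component so the hourly sync failure does not drown out the rarer error, extracts the SUL-Log error codes, and reports which process ids logged a "Cannot create stream" error followed by a ReportSyncFailure, which is the "did the first cause the second?" question Jak raises.  The ERROR sample lines are copied from the thread; the WARN line's timestamp and pid are constructed, because the post quotes that message without them.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample input: the ERROR lines are copied from the SophosUpdate.log
# excerpts quoted in this thread; the WARN line's timestamp and pid are made up
# (assumption), since the thread quotes that message without them.
SAMPLE_LOG = """\
2016-03-31T04:30:00.000Z [ 4552] WARN  HttpServerImpl::GetAutomaticProxies Failed to get the automatic proxy configuration. The error code was 12180.
2016-03-31T04:37:41.666Z [ 4552] ERROR SUL-Log [E83521] Cannot create stream b054be0903e2d63298fd8776c71a76bbx000.xml
2016-03-31T04:45:22.667Z [ 6100] ERROR SUL-Log [E83521] Cannot create stream b054be0903e2d63298fd8776c71a76bbx000.xml
2016-03-31T06:41:03.793Z [ 4504] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
2016-03-31T07:41:24.370Z [ 6268] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
2016-04-01T19:25:08.478Z [ 9916] ERROR SUL-Log [E79514] Cannot create stream 237ca6e7b5cd9ca7a4bedc198003eee4x000.xml
2016-04-01T19:25:09.616Z [ 9916] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product
"""

# timestamp, "[ pid]", level, component, free-text message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)\s+"
    r"\[\s*(?P<pid>\d+)\]\s+"
    r"(?P<level>[A-Z]+)\s+"
    r"(?P<component>\S+)\s+"
    r"(?P<msg>.*)$"
)
SUL_CODE_RE = re.compile(r"^\[(E\d+)\]")


def parse_log(text):
    """Parse log lines of the shape above into dicts; non-matching lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        ev["pid"] = int(ev["pid"])
        events.append(ev)
    return events


def summarize(events):
    """Count events per (level, component)."""
    return Counter((e["level"], e["component"]) for e in events)


def sul_error_codes(events):
    """Count SUL-Log error codes such as E83521 / E79514."""
    codes = Counter()
    for e in events:
        if e["component"] == "SUL-Log":
            m = SUL_CODE_RE.match(e["msg"])
            if m:
                codes[m.group(1)] += 1
    return codes


def first_seen(events, component):
    """Timestamp of the earliest event from a component, or None if it never occurs."""
    stamps = [e["ts"] for e in events if e["component"] == component]
    return min(stamps) if stamps else None


def pids_with_stream_error_then_sync_failure(events):
    """Process ids in which a 'Cannot create stream' error precedes a ReportSyncFailure.

    Same-pid ordering is the cheapest evidence that both messages belong to one
    update run rather than to unrelated hourly attempts.
    """
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pid[e["pid"]].append(e)
    hits = set()
    for pid, evs in by_pid.items():
        seen_stream = False
        for e in evs:
            if e["component"] == "SUL-Log" and "Cannot create stream" in e["msg"]:
                seen_stream = True
            elif seen_stream and e["component"] == "SDDSDownloader::ReportSyncFailure":
                hits.add(pid)
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, n in summarize(evs).most_common():
        print(n, *key)
    print("SUL error codes:", dict(sul_error_codes(evs)))
    print("first sync failure:", first_seen(evs, "SDDSDownloader::ReportSyncFailure"))
    print("pids with stream error -> sync failure:", sorted(pids_with_stream_error_then_sync_failure(evs)))
```

    To use it on a real file, replace SAMPLE_LOG with the contents of C:\ProgramData\Sophos\AutoUpdate\Logs\SophosUpdate.log (path as quoted in the thread's directory layout; assumed, check your install) and look first at the rarest component and error code, not at the repeated sync failures.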

  • Hello Jak,

    Deleted "C:\programdata\sophos\Autoupdate\data\warehouse" and "C:\programdata\sophos\Autoupdate\data\status\SophosUpdateStatus.xml" and ran the update again.  Same issue on multiple machines (and just to be clear - we are not able to install successfully on any of the machines at that office, with one exception - one of the laptops was rebuilt at our office "Alaska", and we installed Sophos Endpoint Security and Control while it was here.  It seems to be running fine now at the Guam location).  Could there be some sort of "GeoID" issue here, while machines in the Guam office are trying to connect to "Sophos Cloud" to complete the initial install?

    2016-04-01T19:25:08.478Z [ 9916] ERROR SUL-Log [E79514] Cannot create stream 237ca6e7b5cd9ca7a4bedc198003eee4x000.xml
    2016-04-01T19:25:09.616Z [ 9916] ERROR SDDSDownloader::ReportSyncFailure Failed to distribute product

    STATUS UPDATE:

    Since there is a day/time difference between us and Guam (it is Saturday 5:50am there) and they are currently closed, we were able to safely disable the following items on Guam's SG210 UTM:

    Country Blocking, Advanced Threat Protection, Intrusion Prevention, Anti-Portscan, Web Filtering, Application Control, and FTP.

    And now the update completes successfully on each machine.  So now my question changes a bit.  Which of the above items that have been disabled would most likely be the "culprit"?  Our best guess (due to the fact that all 7 of our UTMs are almost identical in their configurations, with obvious differences - and we have had successful installs behind the other UTMs) is that maybe it is Country Blocking and that the Guam location install is trying to communicate with a location we have blocked?

  • Another STATUS UPDATE:

    In the spirit of troubleshooting, to try and isolate the cause, we disabled only one of the controls at a time (Country Blocking, Advanced Threat Protection, Intrusion Prevention, Anti-Portscan, Web Filtering, Application Control, and FTP).  Disabling Country Blocking seemed to have no effect on the issue.  When we disabled Web Filtering only, the installer completed successfully.  We went through each setting within the Web Filter, comparing with another UTM on which the installs have been consistently successful.  We could not locate a setting that was different that should have any effect on this.  Are there any logs (UTM or Sophos Endpoint) that would assist in finding what is maybe being blocked?  I found numerous Web Filtering entries that I haven't a clue whether they are related or not, but the source IP did match a machine that we were unable to install on:

    http://172.16.3.200/StableWSDiscoveryEndpoint/schemas-xmlsoap-org_ws_2005_04_discovery being blocked (error="Connection to server timed out")

  • Final STATUS UPDATE:

    We believe we found the "culprit" that was not allowing the Sophos cloud installer to complete.  Within the UTM, Web Protection>Filtering Options>Exceptions tab>Sophos Services:  "Skip these checks", Caching was not selected.  Once selected, the installers were able to complete successfully.