Endpoint Protection Wiped Logs on Windows Servers

All of our Windows Servers suddenly started displaying empty Endpoint Protection logs on the Servers themselves. The UTMs look normal. It happened sometime between 30 July 2017 at 13:00 UTC, and 1 August 2017 at 01:00 UTC. (Local time: between Sunday, 30 July 2017 at 6:00 AM PDT and Monday afternoon 31 July 2017 at 17:00 PDT.) 

To see the logs, I do the following:

* Launch the Sophos Endpoint Protection and Control application.

* Click on "View anti-virus and HIPS log."

Normally I see a list showing the results of the nightly anti-virus scans. I saw good logs on Sunday morning for two different servers, which run different versions of Windows Server and are kept fully updated. By Monday afternoon (a few hours ago), the log windows were empty. 

I checked other servers, and the same thing is true on all of them - the logs are empty. Those servers are in a completely different location. The groups of servers are completely independent of one another, and all show the same empty log windows. I found another way to view the previous night's log on one server, and it looks normal.

I think there is a bug in the Windows version of Sophos Endpoint Protection, which must have been updated on Sunday (30 July 2017) or perhaps on Monday. I suspect that it wiped the logs, or the buggy version of Endpoint Protection refuses to display them. 

Can someone else confirm this issue, please?



This thread was automatically locked due to age.
  • Update: I checked the logs this morning, and all servers had log entries for last night's anti-virus checks only. Except for those single entries, the logs were empty.

    Based on that, I assume that a bug in a recent Sophos Endpoint Protection update actually wiped the logs between Sunday 30 July 2017 and Monday 31 July 2017. The logs are now repopulating with new entries again. I will continue to check for the next few days to make sure that all anti-virus checks are being logged. 

    Am I the only one who runs nightly anti-virus checks on critical servers?

    By the way, we have paid Premium Support from Sophos. We rarely use it (perhaps once or twice a year at most). I called Sophos when I thought the problem might be a hacker trying to cover his/her tracks. The support person promised to follow up and have a US-based technical support person with detailed product knowledge call me this morning at 7:30 AM PDT to follow up. It is now 8:20 AM PDT. Sophos has not called yet. I am sorry to say that I am not surprised that they did not keep their promise.

    -> I would appreciate confirmation from someone who also saw the same log-wiping event. Anyone? Please?

  • Further Update and Solution/Explanation:

    I just spoke with Sergio, who is on the Anti-virus team at Sophos. Based on what we learned together, this is not a bug. We looked in a few Sophos log directories, and figured out that logs automatically roll over at the end of the month, so the timing was coincidental. The logs were not wiped, and I can see the previous logs in the appropriate directories under C:\ProgramData\Sophos\.

    My endpoint protection logs rolled over in the directory: C:\ProgramData\Sophos\Sophos Anti-Virus\Logs

    I check the logs once a week, so it is random luck that I never noticed a rollover before. That's because the window displays logs only for the previous two days or so due to the size of the window on the screen. The log entries always show that no malware was detected (0 errors, 0 items quarantined, and 0 items dealt with). Why bother to scroll up the window to look for more of the same?

    I don't know whether to call it good luck or bad luck. :-)
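The check below is an added example, not a script from the thread or from Sophos. It does what the poster and Sergio did by hand: it inventories the log directory named in the thread, C:\ProgramData\Sophos\Sophos Anti-Virus\Logs, month by month, so that an end-of-month rollover shows up as a new month starting rather than as "the logs are gone", and it warns when no file has been written for longer than the nightly scan interval, which is the case that really would call for an incident response. The Sophos log file names are not assumed; every file in the directory is counted. The two-day threshold is an assumption based on the nightly scans described in the thread.

```powershell
# Added example (not from the thread or from Sophos): inventory Sophos Anti-Virus
# log files by month and flag a server whose log directory has gone quiet, to
# tell a monthly rollover apart from logs that are genuinely missing.
param(
    # Directory taken from the thread.
    [string]$LogDir = 'C:\ProgramData\Sophos\Sophos Anti-Virus\Logs',
    # Assumption: scans run nightly, so more than two days without a write is suspicious.
    [int]$MaxQuietDays = 2
)

if (-not (Test-Path -LiteralPath $LogDir)) {
    Write-Warning "Log directory not found: $LogDir"
    exit 1
}

# File naming is not assumed; every file under the directory is inventoried.
$files = Get-ChildItem -LiteralPath $LogDir -File -Recurse
if (-not $files) {
    Write-Warning "No log files at all in $LogDir. That is not a rollover; investigate."
    exit 2
}

# One row per month: a rollover appears as a new month beginning, not as a gap.
$files |
    Group-Object { $_.LastWriteTime.ToString('yyyy-MM') } |
    Sort-Object Name |
    ForEach-Object {
        [pscustomobject]@{
            Month     = $_.Name
            Files     = $_.Count
            TotalKB   = [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1KB, 1)
            LastWrite = ($_.Group | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime
        }
    } | Format-Table -AutoSize

# Quiet-period check: the newest write should be no older than the scan interval.
$newest = ($files | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime
$quiet  = (Get-Date) - $newest
if ($quiet.TotalDays -gt $MaxQuietDays) {
    Write-Warning ("Newest log write was {0:N1} days ago ({1}); nightly entries expected." -f $quiet.TotalDays, $newest)
    exit 3
}
"OK: a log file was written within the last $MaxQuietDays day(s) (newest: $newest)."
```

Run it on one server as an administrator, or push it to every server with Invoke-Command and a list of computer names, and compare the per-month rows: after a rollover each server should show the old month with a full set of files and the new month with one or two, while an empty directory or a non-zero exit code on a single server is the case worth escalating.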