This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Endpoint won't update, register or even delete from the UTM 9.506-2

I have been fighting with an issue with using Endpoint Protection, and I'm convinced that the issue isn't on my end so I really need some help in resolving this.

 

Almost 2 weeks ago I discovered that the agent's weren't getting updates, so I began working through the issue and I thought it my be Cert related, and I attempted a few fixes but to no avail. So after further troubleshooting it appears that the updates/registration requests are being denied by Sophos servers - If you'd like to review everything up to this point it's https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/98271/no-longer-updating---ssl-cert-not-trusted

 

So today since I was getting no response and no support I decided forget it, I'm going to just start from scratch and completely delete everything and start over, as I only have it on a few systems as I was testing going from Avast to Sophos for my home network. Well, I can't even do that the UTM won't delete all data and allow me to start over.

Here's a copy of the log from the UTM for Endpoint Protection.

 

2017:12:06-11:38:27 utm epsecd[44070]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2017:12:06-11:38:27 utm epsecd[44070]: W id="4205" severity="warn" sys="System" sub="epsecd" name="Computer needs to register in Confd" mcs_id="829566d7-4c8e-0c7a-f724-6349ba9e39a4"
2017:12:06-11:38:27 utm epsecd[44070]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
2017:12:06-11:38:28 utm epsecd[44070]: I id="4233" severity="info" sys="System" sub="epsecd" name="Sending data to Sophos LiveConnect to sync UTM Web Policy Changeset"
2017:12:06-11:38:31 utm epsecd[44070]: I id="4213" severity="info" sys="System" sub="epsecd" name="User triggered changes in webadmin"
2017:12:06-11:38:31 utm epsecd[44070]: I id="4222" severity="info" sys="System" sub="epsecd" name="Sending data to Sophos LiveConnect"
2017:12:06-11:43:09 utm epsecd[44070]: I id="4233" severity="info" sys="System" sub="epsecd" name="Sending data to Sophos LiveConnect to sync UTM Web Policy Changeset"
2017:12:06-11:43:12 utm epsecd[44070]: I id="4213" severity="info" sys="System" sub="epsecd" name="User triggered changes in webadmin"
2017:12:06-11:45:49 utm epsecd[6498]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="Endpoint log collector started"
2017:12:06-11:45:49 utm epsecd[6498]: W main::_log:435() =>  severity="warn" sys="System" sub="eplog" name="No private key available yet: /var/epsecd/resources/client.pem"
2017:12:06-11:45:49 utm epsecd[6498]: W main::_log:435() =>  severity="warn" sys="System" sub="eplog" name="No certificate available yet: /var/epsecd/resources/client.crt"
2017:12:06-11:45:49 utm epsecd[6498]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="curl_base_url: 2099210c-e01b-3421-871a-c97d38074414-wdx-e01b.broker.sophos.com/.../"
2017:12:06-11:45:49 utm epsecd[6498]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="Loaded download history file"
2017:12:06-11:45:49 utm epsecd[6498]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="Download endpoint logs"
2017:12:06-11:45:49 utm epsecd[6498]: >=========================================================================
2017:12:06-11:45:49 utm epsecd[6498]: W main::_log:435() =>  severity="warn" sys="System" sub="eplog" name="Listing [https://2099210c-e01b-3421-871a-c97d38074414-wdx-e01b.broker.sophos.com//2099210c-e01b-3421-871a-c97d38074414/] failed with return code 6: Couldn't resolve host name Couldn't resolve host '2099210c-e01b-3421-871a-c97d38074414-wdx-e01b.broker.sophos.com'
2017:12:06-11:45:49 utm epsecd[6498]: "
2017:12:06-11:45:50 utm epsecd[6492]: I id="4201" severity="info" sys="System" sub="epsecd" name="Epsecd starting"
2017:12:06-11:45:53 utm epsecd[6492]: W id="424200" severity="warn" sys="System" sub="epsecd" name="Unable to get ip for sss1-e01b.broker.sophos.com: Resource temporarily unavailable"
2017:12:06-11:45:53 utm epsecd[6492]: W id="424200" severity="warn" sys="System" sub="epsecd" name="Error creating socket. " syscall_error="Resource temporarily unavailable"
2017:12:06-11:45:53 utm epsecd[6492]: >=========================================================================
2017:12:06-11:45:53 utm epsecd[6492]: E id="4281" severity="crit" sys="System" sub="epsecd" name="Unexpected error: No internet connection. at /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm line 148." effect="Can't talk to Sophos LiveConnect"
2017:12:06-11:45:53 utm epsecd[6492]:
2017:12:06-11:45:53 utm epsecd[6492]:  1. Epsec::Utils::Logging::_log:59() /</usr/local/bin/epp_client.plx>Epsec/Utils/Logging.pm
2017:12:06-11:45:53 utm epsecd[6492]:  2. Epsec::Logic::Client::on_error:1461() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-11:45:53 utm epsecd[6492]:  3. Epsec::Logic::Base::run:60() /</usr/local/bin/epp_client.plx>Epsec/Logic/Base.pm
2017:12:06-11:45:53 utm epsecd[6492]:  4. main::top-level:63() client.pl
2017:12:06-11:45:53 utm epsecd[6492]: <=========================================================================
2017:12:06-11:45:53 utm epsecd[6492]: I id="4210" severity="info" sys="System" sub="epsecd" name="Sleeping for 180 seconds"
2017:12:06-11:49:00 utm epsecd[6492]: >=========================================================================
2017:12:06-11:49:00 utm epsecd[6492]: E id="4286" severity="crit" sys="System" sub="epsecd" name="Unknown report data received from Sophos LiveConnect" data="$VAR1 = {
2017:12:06-11:49:00 utm epsecd[6492]:           'operation' => 'Unauthorized'
2017:12:06-11:49:00 utm epsecd[6492]:         };"
2017:12:06-11:49:00 utm epsecd[6492]:
2017:12:06-11:49:00 utm epsecd[6492]:  1. Epsec::Utils::Logging::_log:59() /</usr/local/bin/epp_client.plx>Epsec/Utils/Logging.pm
2017:12:06-11:49:00 utm epsecd[6492]:  2. Epsec::Logic::Client::_receive_reports:447() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-11:49:00 utm epsecd[6492]:  3. Epsec::Logic::Client::_request:1261() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-11:49:00 utm epsecd[6492]:  4. Epsec::Logic::Client::_start:288() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-11:49:00 utm epsecd[6492]:  5. Epsec::Logic::Client::on_load:43() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-11:49:00 utm epsecd[6492]:  6. (eval):53() /</usr/local/bin/epp_client.plx>Epsec/Logic/Base.pm
2017:12:06-11:49:00 utm epsecd[6492]:  7. Epsec::Logic::Base::run:52() /</usr/local/bin/epp_client.plx>Epsec/Logic/Base.pm
2017:12:06-11:49:00 utm epsecd[6492]:  8. main::top-level:63() client.pl
2017:12:06-11:49:00 utm epsecd[6492]: <=========================================================================
2017:12:06-11:49:00 utm epsecd[6492]: W id="4202" severity="warn" sys="System" sub="epsecd" name="Quit recieved from Sophos LiveConnect"
2017:12:06-11:49:00 utm epsecd[6492]: I id="4223" severity="info" sys="System" sub="epsecd" name="Closing socket to Sophos LiveConnect"
2017:12:06-11:49:00 utm epsecd[6492]: I id="4210" severity="info" sys="System" sub="epsecd" name="Sleeping for 300 seconds"
2017:12:06-11:52:32 utm epsecd[6492]: I id="420X" severity="info" sys="System" sub="epsecd" name="Epsecd stoping"
2017:12:06-11:52:32 utm epsecd[6492]: I id="4231" severity="info" sys="System" sub="epsecd" name="Syncing SWC with web control global status "
2017:12:06-11:52:32 utm epsecd[6492]: I id="4234" severity="info" sys="System" sub="epsecd" name="Disabled Sophos Web Control sub-feature"
2017:12:06-11:52:32 utm epsecd[6492]: >=========================================================================
2017:12:06-11:52:32 utm epsecd[6492]: E id="4281" severity="crit" sys="System" sub="epsecd" name="Unexpected error: Can't use an undefined value as a symbol reference at /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm line 1295." effect="Can't talk to Sophos LiveConnect"
2017:12:06-11:52:32 utm epsecd[6492]:
2017:12:06-11:52:32 utm epsecd[6492]:  1. Epsec::Utils::Logging::_log:59() /</usr/local/bin/epp_client.plx>Epsec/Utils/Logging.pm
2017:12:06-11:52:32 utm epsecd[6492]:  2. Epsec::Logic::Client::on_error:1461() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-11:52:32 utm epsecd[6492]:  3. Epsec::Logic::Base::run:60() /</usr/local/bin/epp_client.plx>Epsec/Logic/Base.pm
2017:12:06-11:52:32 utm epsecd[6492]:  4. main::top-level:63() client.pl
2017:12:06-11:52:32 utm epsecd[6492]: <=========================================================================
2017:12:06-11:52:32 utm epsecd[6492]: I id="4210" severity="info" sys="System" sub="epsecd" name="Sleeping for 180 seconds"
2017:12:06-11:55:16 utm epsecd[6365]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="Endpoint log collector started"
2017:12:06-11:55:17 utm epsecd[6365]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="curl_base_url: 2099210c-e01b-3421-871a-c97d38074414-wdx-e01b.broker.sophos.com/.../"
2017:12:06-11:55:17 utm epsecd[6365]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="Loaded download history file"
2017:12:06-11:55:17 utm epsecd[6365]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="Download endpoint logs"
2017:12:06-11:55:17 utm epsecd[6365]: >=========================================================================
2017:12:06-11:55:17 utm epsecd[6365]: W main::_log:435() =>  severity="warn" sys="System" sub="eplog" name="Listing [https://2099210c-e01b-3421-871a-c97d38074414-wdx-e01b.broker.sophos.com//2099210c-e01b-3421-871a-c97d38074414/] failed with return code 6: Couldn't resolve host name Couldn't resolve host '2099210c-e01b-3421-871a-c97d38074414-wdx-e01b.broker.sophos.com'
2017:12:06-11:55:17 utm epsecd[6365]: "
2017:12:06-11:57:44 utm epsecd[8240]: I id="4201" severity="info" sys="System" sub="epsecd" name="Epsecd starting"
2017:12:06-11:57:50 utm epsecd[8240]: I id="4229" severity="info" sys="System" sub="epsecd" name="Sending data to Sophos LiveConnect to sync UTM Web Policy"
2017:12:06-11:57:50 utm epsecd[8240]: I id="4230" severity="info" sys="System" sub="epsecd" name="Sending data to Sophos LiveConnect to sync UTM Web Policy Resources"
2017:12:06-11:57:54 utm epsecd[8240]: I id="4231" severity="info" sys="System" sub="epsecd" name="Syncing SWC with web control global status 1"
2017:12:06-12:08:28 utm epsecd[8240]: W id="4202" severity="warn" sys="System" sub="epsecd" name="Quit recieved from Sophos LiveConnect"
2017:12:06-12:08:28 utm epsecd[8240]: I id="4223" severity="info" sys="System" sub="epsecd" name="Closing socket to Sophos LiveConnect"
2017:12:06-12:08:28 utm epsecd[8240]: I id="4210" severity="info" sys="System" sub="epsecd" name="Sleeping for 300 seconds"
2017:12:06-12:13:30 utm epsecd[8240]: >=========================================================================
2017:12:06-12:13:30 utm epsecd[8240]: E id="4286" severity="crit" sys="System" sub="epsecd" name="Unknown report data received from Sophos LiveConnect" data="$VAR1 = {
2017:12:06-12:13:30 utm epsecd[8240]:           'operation' => 'Unauthorized'
2017:12:06-12:13:30 utm epsecd[8240]:         };"
2017:12:06-12:13:30 utm epsecd[8240]:
2017:12:06-12:13:30 utm epsecd[8240]:  1. Epsec::Utils::Logging::_log:59() /</usr/local/bin/epp_client.plx>Epsec/Utils/Logging.pm
2017:12:06-12:13:30 utm epsecd[8240]:  2. Epsec::Logic::Client::_receive_reports:447() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-12:13:30 utm epsecd[8240]:  3. Epsec::Logic::Client::_request:1261() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-12:13:30 utm epsecd[8240]:  4. Epsec::Logic::Client::_start:288() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-12:13:30 utm epsecd[8240]:  5. Epsec::Logic::Client::_receive_reports:442() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-12:13:30 utm epsecd[8240]:  6. Epsec::Logic::Client::on_run:320() /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm
2017:12:06-12:13:30 utm epsecd[8240]:  7. (eval):55() /</usr/local/bin/epp_client.plx>Epsec/Logic/Base.pm
2017:12:06-12:13:30 utm epsecd[8240]:  8. Epsec::Logic::Base::run:52() /</usr/local/bin/epp_client.plx>Epsec/Logic/Base.pm
2017:12:06-12:13:30 utm epsecd[8240]:  9. main::top-level:63() client.pl
2017:12:06-12:13:30 utm epsecd[8240]: <=========================================================================
2017:12:06-12:13:30 utm epsecd[8240]: W id="4202" severity="warn" sys="System" sub="epsecd" name="Quit recieved from Sophos LiveConnect"
2017:12:06-12:13:30 utm epsecd[8240]: I id="4223" severity="info" sys="System" sub="epsecd" name="Closing socket to Sophos LiveConnect"
2017:12:06-12:13:30 utm epsecd[8240]: I id="4210" severity="info" sys="System" sub="epsecd" name="Sleeping for 300 seconds"



This thread was automatically locked due to age.
  • Sorry for the confusion, what I was saying was not that I couldn't remove it from the endpoint, I couldn't delete the data from the UTM - I could only disable it and keep data, not disable and delete data.

  • Bueller? Bueller? No help? Silence on the wire?

  • I have officially given up on UTM Endpoint Antivirus.

    I have Turned OFF "Endpoint Protection" in UTM and "Sophos Endpoint Security and Control" is out the ####ing door.

    As of 31 Dec 2017 - I do not recommend the installation of the Endpoint Protection AKA "Antivirus" via Home UTM 9.506-2 - seems to be a birds-nest of confusion and not only for me but many many others in the forum.

    Not even sure if the virus Data files have been updating at all and as for protection???

    So after multiple attempts to reinstall from a fresh new installer (Slim "Ver 1.5.1.6" and Full "Ver 1.2.2.20") etc etc etc This is what I get:

    Sophos Anti-Virus 10.3.3.121
    On-access status Enabled
    Detection engine 3.47.3
    Detection data 4.94G
    Virus data date 9/10/2013
    Items detected 5819521
    Detection identities 0
    HIPS rules version 10.2.0
    HIPS configuration version 1.0.5
    Last updated 31/12/2017 11:08:00 a.m.

    Keeps TRYING to get the files from dci.sophosupd.com/cloudupdate which does not exist

    But dci.sophosupd.net/cloudupdate DOES Exist but I cant configure it to use the valid location...

    As does the default setting for the update - d3.sophosupd.com/.../sdds.utm_91_ug2.xml DOES NOT EXIST but d3.sophosupd.net/.../sdds.utm_91_ug2.xml does. ... but changing the settings in the iconn.cfg does nothing.

    ... I'll try Sophos Home AV....

  • I'm running into this and other problems. 

    I, too, am finding "host not found" when attempting to update and/or install the Endpoint Protection Suite from the UTM.

    I agree with your conclusion.  The poor quality of this product and the attitude that we should only feel grateful its use are not acceptable.

    Switching to a more reliable vendor for security is in order.

  • This will delete the Endpoint Protection configuration on your UTM:

    Management -> System settings -> Reset configuration or passwords -> Reset UTM ID now

    If it fails, at least it tells you for what reason. You should fix this and try to Reset UTM ID again until it works.

    If done you can enabel Endpoint Protection and install clients with the new created Endpoint Agent - Installation Package link in Computer Management section.

  • Thanks Tom. I did try, and I don't recall the exact issue I had when trying this but things still failed. Unfortunately this ship has sailed and I went back to Avast and purchased a license. For what ever reason Sophos let me down on this - I would have liked to have integrated my AV into my UTM but now I'm using a competing product so it's probably best to have multiple AV's watching on my network anyways.

  • Thanks Tom,

    I followed your advise, and it seems to work. Had almost given up hope too.
    One Win7 and one Win10 install are updating now, no errors

    I will wait to mark this as answer until others have the same result.