Troubleshooting Sophos Anti-Virus Endpoint issues managed by Sophos UTM

  • Article ID: 117523
  • Updated: 20 Aug 2014

This article explains how to troubleshoot the most common problems which can occur with the managed installation of Sophos Endpoint Security and Control using Sophos UTM 9.

Known to apply to the following Sophos product(s) and version(s)

UTM Managed Endpoint (Windows 2000+)
Sophos UTM v9

What To Do

Select from the links provided below the issue you wish to troubleshoot.

•  Installation issues
•  Endpoint fails to register
•  Endpoint fails to update
•  Endpoint(s) are not visible within the UTM or incorrectly show as disconnected
•  CRT (Competitor Removal Tool) issues
•  Logging

Most common Installation issues

Issue: Renaming the installer file.
Explanation: If you rename the file, the installation wizard shows an error stating that it cannot proceed. The filename includes a token which maps the endpoint to your UTM via Sophos LiveConnect; if the filename is changed, this mapping cannot take place.

The filename must match the name stated on the original download from the UTM.

The filename includes a token. For example, SophosMcsEndpoint_Q88J89F8H13B9b69e.exe contains a thirteen-character token used for the installation. In this case the token is Q88J89F8H13B9, which starts after the underscore character in the filename.

Issue: Insufficient rights to complete the installation.
Explanation: If you attempt to run the installation without administrator rights, the installation wizard will fail to proceed.

See article 117522 for further details on deployment methods.

Issue: Other "unable to proceed" errors and installation problems.
Explanation: If you encounter an error when running the installer package, see the following logs:

Sophos Endpoint Bootstrap_timeanddate.txt
Sophos Extract Log_timeanddate.txt

They are located in the temp folder of the user profile in which the installation was run. To view these files and verify their contents, select Start | Run, type %temp% and press Return.

These logs should confirm the error generated. See article 117619 for further information.

Issue: Existing Sophos software installation on the endpoint computer.
Explanation: If you encounter further installation errors on an endpoint with an existing installation, see the Sophos AutoUpdate logs to confirm which component is failing to install.

Details of viewing Sophos AutoUpdate logs can be found in article 43391. Once you have established which component is failing to install, navigate to C:\Windows\Temp\ and review the logs.

The user profile's temp folder will include logs for Sophos AutoUpdate, the Sophos MCS install and the Sophos Anti-Virus install. To access the temp folder of the user profile in which the installation was run, select Start | Run, type %temp% and press Return.

If you require further assistance, download the Sophos Diagnostic Utility on the affected endpoint using article 33533 and send the output to Sophos Technical Support.
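The installer-name rule above is easy to check before a deployment goes out. The following Python script is an added example, not code from this article or from Sophos: it compares the name the UTM served with the name of the file on disk, using only the rule stated here (fixed prefix, underscore, thirteen-character token). The assumption that the token is alphanumeric is based on the article's example name, and the " (1)" re-download case is a constructed illustration of how a name gets altered without anyone deliberately renaming it.

```python
import re

# Shape of the installer name as described in the article: fixed prefix, an
# underscore, then a thirteen-character token followed by extra characters and
# ".exe". Restricting the token to alphanumerics is an assumption based on the
# article's example name.
TOKEN_LEN = 13
_INSTALLER_RE = re.compile(
    r"^SophosMcsEndpoint_(?P<token>[A-Za-z0-9]{%d})(?P<rest>[A-Za-z0-9]*)\.exe$" % TOKEN_LEN
)
# Looser pattern used to recover a token from a mangled name such as
# "SophosMcsEndpoint_Q88J89F8H13B9b69e (1).exe" (a browser re-download).
_TOKEN_ANYWHERE_RE = re.compile(r"SophosMcsEndpoint_(?P<token>[A-Za-z0-9]{%d})" % TOKEN_LEN)


def extract_token(filename):
    """Return the thirteen-character token after the underscore, or None if the
    filename does not have the shape the UTM download produces."""
    m = _INSTALLER_RE.match(filename)
    return m.group("token") if m else None


def check_installer_name(expected_name, actual_name):
    """Compare the name the UTM served with the name of the file on disk.

    Returns one of:
      "ok"               names match, the installer will find its token
      "renamed"          same token, but the name was altered (installer refuses to run)
      "wrong-token"      a valid-looking installer for a different UTM/download
      "not-an-installer" the file name carries no recognisable token
    """
    if actual_name == expected_name:
        return "ok"
    expected_token = extract_token(expected_name)
    if expected_token is None:
        raise ValueError("expected_name is not a UTM installer name: %r" % expected_name)
    actual_token = extract_token(actual_name)
    if actual_token is None:
        # Not the exact shape; see whether the token survived inside the name.
        m = _TOKEN_ANYWHERE_RE.search(actual_name)
        if m is None:
            return "not-an-installer"
        actual_token = m.group("token")
    if actual_token != expected_token:
        return "wrong-token"
    return "renamed"


if __name__ == "__main__":
    # Constructed names for illustration; the first is the article's example.
    served = "SophosMcsEndpoint_Q88J89F8H13B9b69e.exe"
    for on_disk in (served,
                    "SophosMcsEndpoint_Q88J89F8H13B9b69e (1).exe",
                    "SophosMcsEndpoint_ABCDEFGHIJKLMb69e.exe",
                    "setup.exe"):
        print("%-48s %s" % (on_disk, check_installer_name(served, on_disk)))
```

A "renamed" result is the case this section describes: the token is still present, but the wizard will still refuse to proceed because the filename no longer matches. A "wrong-token" result means the file was downloaded from a different UTM (or a different download of the same UTM) and will register the endpoint against that one.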

Endpoint fails to register

During installation, the Sophos Management Communication System (MCS) may fail to register with Sophos LiveConnect to obtain the update source and credentials required.

This means the Sophos Endpoint Security and Control installation fails to update because the primary update location shows no configured address or username/password details (to check, open Sophos Endpoint Security and Control and click 'Configure Updating').

If the details are blank follow article 118987.


Endpoint fails to update

If the endpoint has successfully registered with Sophos LiveConnect, the primary update location within Sophos AutoUpdate will be populated from the centrally configured updating policy. See article 11056 for further information on how to verify the location set for updating.

The address set should contain: http://d3.sophosupd.com/update

If the address and credentials are configured check the Sophos AutoUpdate log for further errors.

For invalid or expired credentials the log will say "unable to authenticate user". Check that the Endpoint Client is linked to a UTM with a valid licence. If the Endpoint Client is no longer linked to a valid UTM, reinstall it using an installer downloaded from the UTM you want the Endpoint Client to connect to.

For connection problems to the warehouse the log will say "cannot find <IP-address/Hostname>". Check that the Endpoint Client is able to connect to the Internet on port 80.

See article 43391 for further information.

If the address is blank see section Endpoint fails to register.


Endpoint(s) are not visible/show as disconnected within the UTM Endpoint Protection Status page

If the endpoints have been protected with the installer package and are not displayed on the status page within the UTM, check the following for any errors:

Endpoint Logs:

MCSAgent.log and MCSClient.log files.  See article 43391 for their folder locations.

As part of the initial registration with Sophos LiveConnect the endpoint receives an MCS ID as its endpoint identity. You can verify the identity by checking MCSClient.log; note that the log is rotated, so older entries may be found in MCSClient.log.1.

If the MCS logs themselves show no errors, the MCS ID then helps when troubleshooting within the UTM Endpoint Protection Live Log.

Within the MCS client logs if there are successful connections you will see:

2012-06-20T11:17:37.428Z [ 1960] INFO StatusHandler::SendData About to send the request to the server.
2012-06-20T11:17:37.428Z [ 1960] INFO HttpServer::SendRequest The HTTP request was initiated successfully.
2012-06-20T11:17:37.646Z [ 3028] INFO HttpServer::HttpEventCallback The HTTP request completed with status 200.

However, if there is an error you may see warnings like:

2012-06-20T13:44:24.195Z [ 3660] INFO CommandHandler::HttpCallback The HTTP callback was called with the HTTP result code 0.
2012-06-20T13:44:24.195Z [ 3660] WARN CommandHandler::HttpCallback 3000: An HTTP transaction was not completed.

On the UTM:

Within the UTM dashboard select 'Endpoint Protection' from the left-hand pane and then select 'Open Endpoint Protection live log'.

Verify whether there is any data shown for the MCS id of the endpoint affected or any other connection issues with Sophos LiveConnect.

You can see a historic log for the endpoint protection by choosing 'Logging & Reporting' from the left-hand pane in the dashboard and then select 'View Log Files'. You can select Live Log or View for the Historic log.

If there is a connection issue you may see an error like the following:

2012:06:22-11:38:19 v9 epsecd[5337]: 5. Epsec::Logic::Base::run:52() /</usr/local/bin/epp_client.plx>Epsec/Logic/Base.pm
2012:06:22-11:38:19 v9 epsecd[5337]: 6. main::top-level:62() client.pl
2012:06:22-11:38:19 v9 epsecd[5337]: |=========================================================================
2012:06:22-11:38:19 v9 epsecd[5337]: E id="4281" severity="critical" sys="System" sub="epsecd" name="No internet connection. at /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm line 89." effect="Can't talk to Sophos LiveConnect"
2012:06:22-11:38:19 v9 epsecd[5337]:

If you encounter any errors or warnings within the logs above confirm:

The endpoints have access to port 443 and can reach the Sophos LiveConnect address shown in article 118987.

The UTM has a connection to the Sophos LiveConnect, if there are connection issues or if you need further assistance  contact Sophos Technical Support.
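The two log checks in this section (MCSClient.log on the endpoint, the epsecd lines in the UTM Endpoint Protection log) can be applied to exported log text rather than read by eye. The following Python script is an added example and is not code from this article or from Sophos. It parses MCSClient.log lines to find the last successful HTTP 200 completion and to count "HTTP result code 0" callbacks and WARN 3000 incomplete transactions, and it parses the UTM epsecd lines to pull out the structured event fields (id, severity, name, effect). The sample lines are the ones quoted above, embedded as constructed input so the script runs offline; the line layouts the regular expressions assume are taken from those samples only, and the handling of non-200 completion statuses goes beyond what the article shows.

```python
import re

# Constructed samples for this example: the MCSClient.log and UTM epsecd lines
# quoted in the article, placed in strings so the script runs offline.
SAMPLE_MCS_LOG = """\
2012-06-20T11:17:37.428Z [ 1960] INFO StatusHandler::SendData About to send the request to the server.
2012-06-20T11:17:37.428Z [ 1960] INFO HttpServer::SendRequest The HTTP request was initiated successfully.
2012-06-20T11:17:37.646Z [ 3028] INFO HttpServer::HttpEventCallback The HTTP request completed with status 200.
2012-06-20T13:44:24.195Z [ 3660] INFO CommandHandler::HttpCallback The HTTP callback was called with the HTTP result code 0.
2012-06-20T13:44:24.195Z [ 3660] WARN CommandHandler::HttpCallback 3000: An HTTP transaction was not completed.
"""

SAMPLE_UTM_LOG = """\
2012:06:22-11:38:19 v9 epsecd[5337]: 5. Epsec::Logic::Base::run:52() /</usr/local/bin/epp_client.plx>Epsec/Logic/Base.pm
2012:06:22-11:38:19 v9 epsecd[5337]: 6. main::top-level:62() client.pl
2012:06:22-11:38:19 v9 epsecd[5337]: |=========================================================================
2012:06:22-11:38:19 v9 epsecd[5337]: E id="4281" severity="critical" sys="System" sub="epsecd" name="No internet connection. at /</usr/local/bin/epp_client.plx>Epsec/Logic/Client.pm line 89." effect="Can't talk to Sophos LiveConnect"
"""

# MCSClient.log layout assumed from the sample: timestamp [thread] LEVEL Class::Method message
_MCS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\[\s*(?P<thread>\d+)\]\s+(?P<level>[A-Z]+)\s+(?P<src>\S+)\s+(?P<msg>.*)$")
_HTTP_STATUS = re.compile(r"completed with status (\d+)")
_HTTP_RESULT = re.compile(r"HTTP result code (\d+)")

# UTM layout assumed from the sample: timestamp host daemon[pid]: message
_UTM_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<daemon>\w+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_mcs_line(line):
    m = _MCS_LINE.match(line)
    return m.groupdict() if m else None


def triage_mcs_log(text):
    """Summarise endpoint-to-LiveConnect traffic from an MCSClient.log.

    last_success       timestamp of the most recent HTTP 200 completion
    last_status        most recent completion status that was not 200, if any
    incomplete         number of WARN 3000 "transaction was not completed" events
    zero_result_codes  number of callbacks reporting HTTP result code 0 (no response)
    warnings           every WARN message, in order
    """
    summary = {"last_success": None, "last_status": None,
               "incomplete": 0, "zero_result_codes": 0, "warnings": []}
    for line in text.splitlines():
        rec = parse_mcs_line(line)
        if rec is None:
            continue
        m = _HTTP_STATUS.search(rec["msg"])
        if m:
            if m.group(1) == "200":
                summary["last_success"] = rec["ts"]
            else:
                summary["last_status"] = int(m.group(1))
        m = _HTTP_RESULT.search(rec["msg"])
        if m and m.group(1) == "0":
            summary["zero_result_codes"] += 1
        if rec["level"] == "WARN":
            summary["warnings"].append(rec["msg"])
            if rec["msg"].startswith("3000:"):
                summary["incomplete"] += 1
    return summary


def parse_utm_event(line):
    """Return the key/value fields of an epsecd structured event line (the ones
    starting with E id="..."), or None for stack-trace and separator lines."""
    m = _UTM_LINE.match(line)
    if m is None or not m.group("msg").startswith("E "):
        return None
    event = dict(_KV.findall(m.group("msg")[2:]))
    event["ts"] = m.group("ts")
    return event


def utm_critical_events(text):
    """Collect epsecd events with severity="critical"; in the article's sample
    these are the ones whose effect is that the UTM cannot talk to LiveConnect."""
    return [ev for ev in map(parse_utm_event, text.splitlines())
            if ev is not None and ev.get("severity") == "critical"]


if __name__ == "__main__":
    print(triage_mcs_log(SAMPLE_MCS_LOG))
    for ev in utm_critical_events(SAMPLE_UTM_LOG):
        print("%s id=%s: %s -> %s" % (ev["ts"], ev["id"], ev["name"], ev["effect"]))
```

A last_success timestamp that stops advancing while incomplete and zero_result_codes keep growing points at the endpoint's path to LiveConnect on port 443; a critical epsecd event with the "Can't talk to Sophos LiveConnect" effect points at the UTM's own Internet connection, and the two are checked independently.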


CRT (Competitor Removal Tool) issues

When running the installation package, there is a tick box for 'Remove conflicting third-party security software'. When this option is selected, the Sophos installation will attempt to remove any detected third-party security software that would otherwise prevent the Sophos installation package from completing.

If there is a problem with detection or removal, see avremove.log for more details.

The log is located in the temp folder of the user profile in which the installation was run.

Select Start | Run, type %temp% and click OK to open the folder. See article 112662 for the list of products supported for detection.


Logging

Endpoint

Download the Sophos Diagnostic Utility from article 33533 and run it on the affected endpoint to capture the logs required by Sophos Technical Support.

UTM

Within the UTM dashboard select Endpoint Protection from the left-hand pane and then select 'Open Endpoint Protection live log'.

You can see a historic log for the endpoint protection by choosing Logging & Reporting from the left-hand pane in the dashboard and then select 'View Log Files'. You can select Live Log or View for the Historic log.

If any errors or warnings are shown, copy and paste them from the UTM logs and send them to Sophos Technical Support.

 
If you need more information or guidance, then please contact technical support.
