Sophos Anti-Virus for Windows: Error loading configuration data

  • Article ID: 114042
  • Updated: 13 May 2014

Issue

In Enterprise Console, one or more of your endpoints lists one of the following error messages:

  • a0480001  Loading SAV Interface returned the error 0x800700b: C:\Program Files...
  • a050000c  Runtime behavior analysis is disabled because of a configuration error
  • a050000f  Failed to load suspicious behavior detection rules file '\\.\globalroot'

On Mac OS X clients, the following error is listed:

  • com.sophos.intercheck: Sophos Anti-Virus failed to load the following IDE files:
    com.sophos.intercheck: xxx.ide

First seen in

Sophos Anti-Virus for Windows 2000+
Sophos Anti-Virus for Mac OS X
Sophos Anti-Virus for Linux

Cause

There are two scenarios where this error can occur:

  • Sophos is updating the certificate used to sign threat identity (IDE) files. The above errors will appear on computers if the installed version of Sophos Anti-Virus is out of date.
  • An IDE file downloaded to a client computer is corrupt

What To Do

The version of Sophos Anti-Virus installed on the affected computers is out of date

  1. Check the version of Sophos Anti-Virus installed on affected computers. These errors will appear if the version is VDL 4.84G or earlier.
  2. In Sophos Update Manager, subscribe to a current Sophos Anti-Virus version
  3. Confirm the affected clients have now updated to the current Sophos Anti-Virus version
  4. If the clients fail to update, check that the credentials you have entered into Sophos Update Manager are correct and still valid.

An IDE file downloaded to a client computer is corrupt

If the following example error is displayed:

a0480001 Loading SAV Interface returned the error 0x800700b: C:\Program Files\Sophos\Sophos Anti-Virus\example.ide

This means the specified IDE file cannot be loaded by Sophos Anti-Virus on the endpoint due to corruption. There could be further IDE files on the endpoint that also fail to load. To determine this, view the SAV.txt log file on the endpoint:

  • For Windows Vista and above:
    C:\ProgramData\Sophos\Sophos Anti-Virus\Logs
  • For Windows 2000/2003/XP:
    C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Logs\

This will list all individual IDE files that also fail to load.

If either of the following errors is displayed:

a050000c Runtime behavior analysis is disabled because of a configuration error
a050000f Failed to load suspicious behavior detection rules file '\\.\globalroot'

This means either the HIPSConfig*.dat or HIPSRules*.bdl files cannot be loaded by Sophos Anti-Virus on the endpoint due to corruption. These errors would also be logged in the SAV.txt log file on the endpoint:

  • For Windows Vista and above:
    C:\ProgramData\Sophos\Sophos Anti-Virus\Logs
  • For Windows 2000/2003/XP:
    C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Logs\
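
The SAV.txt check described above can be scripted when logs have been collected from several endpoints. The following Python is an added example, not Sophos code: it assumes each log line contains the error code and message in the form shown in this article, and the timestamp prefix, host names and `sample-b.ide` in the sample input are constructed. Reading SAV.txt from disk (and its encoding) is left to the caller.

```python
import re

# Error codes and the file types they implicate, as given in the article.
CODES = {
    "a0480001": "IDE file",
    "a050000c": "HIPSConfig*.dat / HIPSRules*.bdl",
    "a050000f": "HIPSConfig*.dat / HIPSRules*.bdl",
}
CODE_RE = re.compile(r"\b(" + "|".join(CODES) + r")\b", re.IGNORECASE)
# Windows path ending in .ide, as in the article's example message.
IDE_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.ide\b", re.IGNORECASE)


def triage(lines):
    """Summarise the load failures found in the lines of one SAV.txt log."""
    codes, ide_files = set(), set()
    for line in lines:
        hit = CODE_RE.search(line)
        if not hit:
            continue
        codes.add(hit.group(1).lower())
        path = IDE_RE.search(line)
        if hit.group(1).lower() == "a0480001" and path:
            # Windows paths are case-insensitive, so normalise before dedup.
            ide_files.add(path.group(0).lower())
    return {"codes": sorted(codes), "ide_files": sorted(ide_files)}


def affected_hosts(logs_by_host):
    """Map host -> triage result, keeping only hosts that logged a failure."""
    results = {host: triage(lines) for host, lines in logs_by_host.items()}
    return {host: r for host, r in results.items() if r["codes"]}


# Constructed sample input; line layout and host names are assumptions.
SAMPLE = {
    "host-a": [
        r"20140513 101500 a0480001 Loading SAV Interface returned the error 0x800700b: C:\Program Files\Sophos\Sophos Anti-Virus\example.ide",
        r"20140513 101501 a0480001 Loading SAV Interface returned the error 0x800700b: C:\Program Files\Sophos\Sophos Anti-Virus\sample-b.ide",
        r"20140513 111500 a0480001 Loading SAV Interface returned the error 0x800700b: C:\Program Files\Sophos\Sophos Anti-Virus\EXAMPLE.ide",
    ],
    "host-b": [r"20140513 101700 a050000c Runtime behavior analysis is disabled because of a configuration error"],
    "host-c": [r"20140513 101900 (constructed line with no error code)"],
}

if __name__ == "__main__":
    for host, result in affected_hosts(SAMPLE).items():
        print(host, result, [CODES[c] for c in result["codes"]])
```

The number of hosts returned by `affected_hosts` indicates which of the two procedures below applies: the single-machine steps or the update manager steps.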

If a single machine is displaying alerts

  1. Access the machine
  2. Delete the file cidsync.upd from the following location:
       • For Windows Vista and above (32 and 64bit):
         C:\ProgramData\Sophos\AutoUpdate\Cache\savxp
       • For Windows 2000/2003/XP (32-bit):
         C:\Program Files\Sophos\AutoUpdate\Cache\savxp
       • For Windows 2000/2003/XP (64-bit):
         C:\Program Files (x86)\Sophos\AutoUpdate\Cache\savxp
  3. Delete the file status.xml from the following location:
       • For Windows Vista and above (32 and 64bit):
         C:\ProgramData\Sophos\AutoUpdate\data\status
       • For Windows 2000/2003/XP (32-bit):
         C:\Program Files\Sophos\AutoUpdate\data\status
       • For Windows 2000/2003/XP (64-bit):
         C:\Program Files (x86)\Sophos\AutoUpdate\Cache\savxp
  4. Right click on the Sophos shield and select Update now. Alternatively wait for the scheduled update to take place.
  5. Acknowledge the error in Sophos Enterprise Console.

If all or groups of machines are displaying alerts

Delete the contents of the following folder on the update manager maintaining the affected machines:
  • For Windows Vista and above:
    C:\ProgramData\Sophos\Update Manager\Working
  • For Windows 2000/2003/XP:
    C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Working
  1. Click on the Update managers button in Sophos Enterprise Console.
  2. Select the update manager that maintains the deleted update location. Right-click and choose Update Now.
  3. Acknowledge any errors in Sophos Enterprise Console.
  4. Machines will update with the non-corrupt data on their next update.

Note: If your update manager maintains multiple update locations, this may take time to update.


 
If you need more information or guidance, then please contact technical support.
