Sophos Endpoint Protection fails with checksum error

Recently when installing Sophos Endpoint Protection from Sophos Central the install fails with checksum errors. Below are a few lines from the log file:

2018-01-25T14:39:58.7130318Z INFO : SUL info: [I19463] Syncing product SDU RECOMMENDED path=sdu
2018-01-25T14:39:58.7130318Z INFO : SUL info: [I19463] Product download size 4369571 bytes
2018-01-25T14:39:58.7130318Z INFO : Download size: 4369571
2018-01-25T14:39:58.7130318Z INFO : SUL info: [I19464] Syncing file 0ffc6f35d5af4f86f91dc62c10bfa782x000.dat: 4444 bytes: sdu/licenses.txt
2018-01-25T14:39:59.5100995Z INFO : SUL info: [I19464] File 0ffc6f35d5af4f86f91dc62c10bfa782x000.dat: sync failed
2018-01-25T14:39:59.5100995Z WARNING : SUL error: [E73342] Checksum error: 0ffc6f35d5af4f86f91dc62c10bfa782x000.dat: wrong size: saw 1, expected 4444
2018-01-25T14:39:59.5257289Z INFO : Command 'Download' completed with failure with reboot code '0' and error message 'Could not download software'.
2018-01-25T14:39:59.5257289Z ERROR : Installation failed.
2018-01-25T14:39:59.5257289Z INFO : Sending HTTP 'POST' request to: sophos/management/ep/install/events/endpoint/973ba348-402e-44b7-eb1e-60ee03209fcc
2018-01-25T14:39:59.5257289Z WARNING : WinHttpGetProxyForUrl returned: 12180
2018-01-25T14:39:59.5257289Z INFO : Attempting to connect using proxy '' of type 'Empty Proxy'.

 

I suspect the Watchguard firewall is causing this but I cannot pin it down. I have had Sophos and Watchguard involved but so far no luck, just finger pointing.

 

Any Ideas?

 

Ashley



  • Hello Ashley,

    Do other files fail as well, or are some successfully downloaded? It's, as the INFO line says, a plain .txt file and should AFAIK get downloaded to %ProgramData%\Sophos\AutoUpdate\Data\warehouse\.

    Christian

  • A side note, when connected to another network outside the Watchguard firewall Endpoint will download and install correctly.

     

    Ashley

  • 3630.0ffc6f35d5af4f86f91dc62c10bfa782x000.txt

    Well SAU is trying to download:

    https://d1.sophosupd.com/update/0ffc6f35d5af4f86f91dc62c10bfa782x000.dat

    or

    http://d1.sophosupd.com/update/0ffc6f35d5af4f86f91dc62c10bfa782x000.dat

    ...depending on if it's using HTTP or HTTPS.  I'm pretty sure SAU in Central now uses HTTPS.

    Can you download that file through a web browser that is using the same proxy, etc?

    I've attached the file in question (changed .dat to .txt so it will upload) for reference (you could even just drop it in the Warehouse if you rename it back to .dat) but as you can see, it is a text file and just the Sophos Diagnostic Utility license file, declaring the use of szip.dll, etc...

    If you get the file downloaded, as a check, with the inbuilt utility certutil, you can generate the MD5 of the file. E.g. 

    certutil -hashfile 0ffc6f35d5af4f86f91dc62c10bfa782x000.dat MD5
    MD5 hash of 0ffc6f35d5af4f86f91dc62c10bfa782x000.dat:
    0ffc6f35d5af4f86f91dc62c10bfa782
    CertUtil: -hashfile command completed successfully.

    The file name should be based on the MD5 hash with x000.dat (could be x001.dat, etc., if there was ever to be a clash).

    If the file you get doesn't match then it has been corrupted/changed.  If this is the case, maybe open it with notepad and the contents might reveal why/what has changed the file.

    Jak

  • I was able to download the file on the same computer from a web browser and it checks out with certutil. I copied the file to the warehouse and tried to run the install again and it failed again. Attached is the most recent log file.

     

    Ashley

    3438.SophosCloudInstaller_20180125_194420.log

  • I see from the top of the log...

    2018-01-25T19:44:32.2995681Z INFO : Analyzing whether to update from Sophos CDN or update cache
    2018-01-25T19:44:32.2995681Z INFO : Checking access to update cache: aace-dc2.aace.com:8191
    2018-01-25T19:44:32.2995681Z INFO : Updating configured to use: HTTPS
    2018-01-25T19:44:32.2995681Z INFO : Update Cache Cert Path folder: C:\\ProgramData\\Sophos\\Certificates\\AutoUpdate\\Cache
    2018-01-25T19:44:32.3308283Z INFO : Successfully connected to cache
    2018-01-25T19:44:32.3308283Z INFO : Cache response time: 26ms
    2018-01-25T19:44:32.3308283Z INFO : Analysis complete - Using update cache: aace-dc2.aace.com:8191
    2018-01-25T19:44:32.3308283Z INFO : Updating from cache: aace-dc2.aace.com:8191
    2018-01-25T19:44:32.3308283Z INFO : Updating configured to use: HTTPS
    2018-01-25T19:44:32.3308283Z INFO : Initial download: attempting to use bulk metadata

    ...

    then the failure, which is the same file.

    2018-01-25T19:45:23.1331457Z INFO : SUL info: [I19464] Syncing file 0ffc6f35d5af4f86f91dc62c10bfa782x000.dat: 4444 bytes: sdu/licenses.txt
    2018-01-25T19:45:23.9331678Z INFO : SUL info: [I19464] File 0ffc6f35d5af4f86f91dc62c10bfa782x000.dat: sync failed
    2018-01-25T19:45:23.9331678Z WARNING : SUL error: [E73342] Checksum error: 0ffc6f35d5af4f86f91dc62c10bfa782x000.dat: wrong size: saw 1, expected 4444
    2018-01-25T19:45:23.9486997Z INFO : Command 'Download' completed with failure with reboot code '0' and error message 'Could not download software'.
    2018-01-25T19:45:23.9486997Z ERROR : Installation failed.

    So the files are coming from an update cache -  aace-dc2.aace.com:8191

    Out of interest, what happens if you set the host file (C:\Windows\System32\drivers\etc\hosts) on a failing client to fail to resolve aace-dc2.aace.com.  For example just set the host file to be something like:

    10.1.1.2  aace-dc2.aace.com

    Ensure that pinging that location using ping aace-dc2.aace.com goes to the "new" address.  Then trying to install, does it then go straight to Sophos and work?

    Other option would be to firewall port 8191 on the update cache computer for a moment or disable the NIC or turn it off, etc...

    Just looking at: 

    https://community.sophos.com/kb/en-us/122577

    I wonder if you can find the "corrupt" file in C:\ProgramData\Sophos\UpdateCache\www\warehouse\.  Maybe you can delete it, clear the update cache somehow if this is the issue?  Sorry I don't have one handy to try a few things.

    Regards,

    Jak

  • Well, interestingly enough that worked. Generated a lot more traffic across the firewall and completed successfully. So why is my cache server blocking new installs but old clients can still update?

  • Glad that explains a few things.  I would guess that existing installs have the file in question, they know locally from manifest files they don't need it.  Only new installs would need to fetch it.

    Without an update cache to reference I can only suggest:

    1. See if you can find the problem file in the update cache warehouse and see if it is corrupt.  I.e. the MD5 checksum of the file doesn't match the name.

    2. Maybe replace it with the good file and force an update now of the Update cache.

    3. Look to re-build the update cache warehouse.

    Regards,

    Jak
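
Added example, not part of the original thread and not Sophos code: a Python sketch of the check in step 1 and of the certutil comparison earlier in the thread, run over a whole warehouse directory instead of one file. It assumes the naming rule described above (32-hex MD5 followed by x000.dat, x001.dat, ...); the function names and status strings are made up for illustration, the sample files are constructed, and the log line is the one quoted in the first post.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Warehouse file name as described in the thread: <MD5 hex>x<NNN>.dat
NAME_RE = re.compile(r"^([0-9a-f]{32})x\d{3}\.dat$", re.I)
# SUL size-mismatch warning, in the form quoted from the installer log
ERR_RE = re.compile(r"\[E73342\] Checksum error: (\S+): wrong size: saw (\d+), expected (\d+)")

def failed_files(log_text):
    """Map each file named in an E73342 warning to (bytes seen, bytes expected)."""
    return {m[1]: (int(m[2]), int(m[3])) for m in ERR_RE.finditer(log_text)}

def md5_of(path):
    h = hashlib.md5()  # integrity check against the file name, as certutil does above
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_warehouse(warehouse, log_text=""):
    """Return {file name: 'ok' | 'md5 mismatch' | 'missing'} for a warehouse directory."""
    findings = {}
    for path in sorted(Path(warehouse).iterdir()):
        m = NAME_RE.match(path.name)
        if not (m and path.is_file()):
            continue  # not a hash-named warehouse file
        findings[path.name] = "ok" if md5_of(path) == m[1].lower() else "md5 mismatch"
    # Files the client failed on that the cache does not hold at all
    for name in failed_files(log_text):
        findings.setdefault(name, "missing")
    return findings

def demo():
    good = b"constructed licence text\n"  # constructed sample content
    good_name = hashlib.md5(good).hexdigest() + "x000.dat"
    bad_name = hashlib.md5(b"original content").hexdigest() + "x000.dat"
    log = ("2018-01-25T14:39:59.5100995Z WARNING : SUL error: [E73342] Checksum error: "
           "0ffc6f35d5af4f86f91dc62c10bfa782x000.dat: wrong size: saw 1, expected 4444\n")
    with tempfile.TemporaryDirectory() as d:
        Path(d, good_name).write_bytes(good)
        Path(d, bad_name).write_bytes(b"\n")      # truncated to 1 byte
        Path(d, "catalogue.xml").write_bytes(b"x")  # ignored: not hash-named
        return good_name, bad_name, audit_warehouse(d, log)

if __name__ == "__main__":
    for name, status in demo()[2].items():
        print(f"{status:13} {name}")
```

On a real cache server, pass the warehouse path from the KB article and the text of the failing client's installer log to audit_warehouse.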

  • Jak,

     

    Thank you VERY much for all of this. I will investigate the last suggestions about the cache. I've been thinking about moving it to a new server anyway so now may be the time. WSUS is on this server as well and I keep running out of hard disk space so that may be part of the issue. I'll post any update when I finish.

     

    Ashley

  • Quick update. The suspect file did not appear to be in the warehouse on the cache server. I have removed the cache from this server and am installing it on another one. I'll test a new install tomorrow.

     

    Ashley

  • No problem, I would be really interested to see on the server aace-dc2 what is in the file 0ffc6f35d5af4f86f91dc62c10bfa782x000.dat in the "warehouse" directory.  I assume from that KB article it is in this directory:

    C:\ProgramData\Sophos\UpdateCache\www\warehouse\

    Maybe you could open it in Notepad.

    Regards,

    Jak

  • That is the correct path but the file did not exist in there. I suspect there was a corrupt download at some point and it was never downloaded.

     

    Ashley

    UPDATE: I removed the old server from being a Sophos caching server and added a new one. Installing a new client this morning went flawlessly.

     

    Thanks again Jak!

     

    Ashley
