Sophos Anti-Virus reports to Windows that it is out of date

Windows Endpoint Security and Control 10.2 / Sophos Control Center 4.0.0.2362 on our Windows Server 2008 domain controller is reporting that clients are not up to date, even though the domain & remote clients (all Win7Pro) are updating.

They too are reporting to the Windows Action Center that they are out of date.

How to resolve this issue and be certain that updates are being applied?

Nick

:36137


This thread was automatically locked due to age.
  • Hello Nick,

    Is the Last message time (in the console's Computer Details tab) recent, and are the timestamps in the Up to date column (Status or Update Details tab) the same? Are all Sophos Services (except Web Intelligence Update) running on the clients?

    Christian

    :36147
  • Sorry QC,

    I'm not sure what you mean by "console" but in the server control center 'computer details' for example it reports:
       Last message received from computer     11/12/2012 14:05:39
       Up to date                              Not since 09/11/2012 22:44:11
       Updating configuration                  Complies with central configuration
       Time installed package became available 07/11/2012 23:23:46
       Time next package became available      11/12/2012 15:57:30
       Primary update server                   \\WEINIGSVR\SophosUpdate\CIDs\S000\SAVSCFXP\
       Secondary update server                 Sophos

    ... and the desktop client updating log is empty. But hovering the mouse over the Sophos icon indicates a fresh update.

    As for the desktop client services:

    ... yes they appear to be running.

    Thanks for your help.

    Nick

    :36149
  • It's me who has to apologize, Nick.

    > I'm not sure what you mean by "console"

    I didn't read carefully and as you posted this to this forum (and not Small Business) I used console. Sophos Enterprise Console (SEC) is the "enterprise version" of SCC.

    > hovering the mouse over the Sophos icon

    ... gives you the last successful check for updates - i.e. the client has contacted the server, and either downloaded and installed the updates or verified that there's no new stuff. It does not indicate the time an update was applied. This can be seen on the client - open the GUI, bottom left you see View product information, in the resulting window expand Software. The last item in the list (Last updated) is the one you are looking for. From what you posted it should indicate Nov 8th or 9th. You should, BTW, see 10.2.2 for Anti-Virus, 4.84 for Detection data and (right now) 258 for Detection identities.

    > the desktop client updating log is empty

    You mean View updating log from the GUI? This would be rather strange. You should find the logs in %ProgramData%\Sophos\AutoUpdate\Logs. Both alc.log and the newest ALUpdate...log should have a modified date corresponding to the one given in the "hover" tip.

    It looks like your clients didn't really update since Nov 9th - do all or most show 09/11/2012 22:44:11? To make sure the CID is not stale, check the modified date of the .upd files in the root of the CID (...SophosUpdate\CIDs\S000\SAVSCFXP\) and the newest .ide in the \savxp subfolder. If these are from today then the problem is likely with AutoUpdate on the client side - if not, it's probably the server.

    Christian

    :36161
  • Solved.

    Turns out that the "admin share C$" had been removed on some clients during a 'lock-down' exercise.

    Once the share was re-applied via adding the registry item:

    Hive: HKEY_LOCAL_MACHINE
    Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
    Name: LocalAccountTokenFilterPolicy
    Data Type: REG_DWORD
    Value: 1

    and adding back the admin share via: fsmgmt.msc, on all affected clients (Win7 Pro 64-bit)

    Sophos Control Center was able to push out 'Reprotect Computers' and all's well.

    Nick

    :36205
  • Update

    If you have 'lost' your admin share C$, restoring it via the MMC will not 'stick' past a reboot.

    the solution is here: The odd bit blogg

    Basically:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
    Name: AutoShareWks
    Data Type: REG_DWORD
    Value: 1

    I know you guys are too smart - but just in case, a warning: don't let your users use "TuneUp Utilities".

    Nick

    :36253
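
A read-only check of the two registry values and the C$ share named in Nick's two posts above, added here as an example; it is not part of the original thread or of any Sophos tooling, and the function names `Get-RegDword` and `Get-AdminShareState` are hypothetical. Besides restoring remote administration, `LocalAccountTokenFilterPolicy = 1` switches off UAC remote token filtering for all local administrator accounts, so the report lists that state separately from the share itself.

```powershell
# Added example: read-only audit of the settings discussed in this thread.
# Works with PowerShell 2.0 (Windows 7); run elevated on the affected client.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns the value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Get-AdminShareState {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

    $tokenFilter = Get-RegDword $policyKey 'LocalAccountTokenFilterPolicy'
    $autoShare   = Get-RegDword $lanmanKey 'AutoShareWks'

    # Win32_Share exists on Windows 7; Get-SmbShare does not.
    $cShare = Get-WmiObject -Class Win32_Share | Where-Object { $_.Name -eq 'C$' }
    $server = Get-Service -Name 'LanmanServer' -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        Computer                      = $env:COMPUTERNAME
        ServerServiceRunning          = ($server -and $server.Status -eq 'Running')
        AdminShareCPresent            = [bool]$cShare
        # 0 suppresses automatic creation of C$ and ADMIN$ at boot; absent or 1 allows it.
        AdminSharesRecreatedAtBoot    = ($autoShare -ne 0)
        # 1 gives local administrator accounts an unfiltered token over the network.
        RemoteUacFilteringDisabled    = ($tokenFilter -eq 1)
        AutoShareWks                  = $autoShare
        LocalAccountTokenFilterPolicy = $tokenFilter
    }
}

Get-AdminShareState | Format-List
```

A client where `AdminShareCPresent` is true but `AdminSharesRecreatedAtBoot` is false matches the case in the last post: the share restored through the MMC will be gone after the next restart.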