
Endpoint event didn't report to console

Hello 

As per the subject above, our customer recently found that a few servers encountered virus/suspicious behaviour and were moved to quarantine.

However, the event was not reported back to the console, and this is a security issue since the server owner didn't notice the event due to the huge environment (2000+ servers to monitor).

Currently we are waiting for feedback from support, and while waiting we would appreciate it if someone has a solution or experience resolving this issue. Thanks

Sophos Enterprise Console (version: 5.0)



  • Hello Azwan,

    "the event was not reported back to console"

    The first thing to check is whether it really wasn't reported - compare the Last message time (in the Computer Details tab) with the time of the detection on the server (you'll probably have to view last month's log - SAV_201206nn.txt in the ...\Sophos Anti-Virus\logs\ folder). If Last message time is recent, view the Computer details and look under History.

    Note that SEC only displays outstanding Alerts and Errors. If the threat has been dealt with you'll find it only under History. Dealt with means either cleaned up, deleted or moved - in the latter case it will show up in the Quarantine Manager but not as outstanding alert in SEC.

    Christian

  • Hi Christian,

    Noted... the last message time is recent and the event still didn't report back to the console. Thanks

  • Hi,

    I would use sav.txt on the client to determine the time that the alert should have been sent from the client. Maybe use the event log to confirm and ensure you have the time stamp correct.

    Then check on the client the Sophos Agent logs (\programdata\sophos\remote management system\3\Agent\Logs\), then the Sophos Router logs (\programdata\sophos\remote management system\3\Router\Logs\). You should see in the Router log a message of type "EM-Entity-Event" being created. Hopefully these logs haven't been rotated already.

    Then in the server Router logs, you should be able to find an entry at this time for that message from the client. The next entry to check would be the msgn logs (\programdata\sophos\sophos endpoint management\log\, maybe in a version directory; use the timestamps to check which file is being written to) on the server to see if the message was received by the Sophos management service. Finally, a SQL query on the Sophos database.

    -- 'machinename' is a placeholder for the console name of the server
    SELECT * FROM [ThreatInstancesAll] AS t
    INNER JOIN computerlistdata2 AS c
    ON c.computerid = t.computerid
    WHERE c.ComputerName LIKE '%machinename%'

    If that fails you may want to try:

    -- same join, but matching on the message system address instead of the name
    SELECT * FROM [ThreatInstancesAll] AS t
    INNER JOIN computerlistdata2 AS c
    ON c.computerid = t.computerid
    WHERE c.MessageSystemAddress LIKE '%machinename%'

    To try and find the message.

    As mentioned before, you'll have to move quickly, at least on the server logs, as the Router and Agent logs wrap every 4 MB (4 x 1 MB files) and on the server this doesn't span much time, especially if you're managing many clients.

    Hope you can trace the message.

    Regards,

    Jak

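One way to carry out the log-correlation step in Jak's reply (take the detection time from the client's SAV log, look for an "EM-Entity-Event" entry in the Agent/Router log within a few minutes of it, and first check whether the log has already wrapped past that time), written as an added example that is not part of the thread or of Sophos's own tooling. The log line layout assumed here (`YYYY-MM-DD HH:MM:SS` followed by the message) and the sample Router log are constructed for the example; adjust `parse_line` to match the real log format on disk.

```python
"""Trace a detection through an RMS Agent/Router log by timestamp.

Added example, not Sophos code. Assumes each log line starts with a
'YYYY-MM-DD HH:MM:SS' timestamp followed by a space and the message.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOG_TS_FORMAT = "%Y-%m-%d %H:%M:%S"
EVENT_MARKER = "EM-Entity-Event"  # message type named in the thread

# Constructed sample of a Router log (not real Sophos output).
SAMPLE_ROUTER_LOG = """\
2012-06-18 09:55:02 Router started, listening for agent connections
2012-06-18 10:02:41 Message received from agent: type EM-Entity-Status
2012-06-18 10:15:07 Message received from agent: type EM-Entity-Event
2012-06-18 10:15:08 Forwarded message to parent router
2012-06-18 11:40:19 Message received from agent: type EM-Entity-Status
"""

Entry = Tuple[datetime, str]


def parse_time(text: str) -> datetime:
    """Parse a timestamp taken from sav.txt / the event log (assumed format)."""
    return datetime.strptime(text, LOG_TS_FORMAT)


def parse_line(line: str) -> Optional[Entry]:
    """Split one log line into (timestamp, message); None if it doesn't parse."""
    line = line.rstrip()
    if len(line) < 20:
        return None
    try:
        ts = datetime.strptime(line[:19], LOG_TS_FORMAT)
    except ValueError:
        return None
    return ts, line[20:]


def parse_log(text: str) -> List[Entry]:
    """Parse every well-formed line, skipping blanks and continuation lines."""
    entries = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            entries.append(parsed)
    return entries


def log_reaches_back_to(entries: List[Entry], when: datetime) -> bool:
    """False if the detection predates the oldest retained line.

    The thread notes that Agent/Router logs wrap every 4 MB, so an event
    older than the first retained entry has already been overwritten.
    """
    return bool(entries) and entries[0][0] <= when


def find_event_messages(entries: List[Entry], detection_time: datetime,
                        window_minutes: int = 10,
                        marker: str = EVENT_MARKER) -> List[Entry]:
    """Entries mentioning `marker` within +/- window_minutes of the detection."""
    lo = detection_time - timedelta(minutes=window_minutes)
    hi = detection_time + timedelta(minutes=window_minutes)
    return [(ts, msg) for ts, msg in entries if lo <= ts <= hi and marker in msg]


def trace_detection(log_text: str, detection_time: str,
                    window_minutes: int = 10) -> Dict[str, object]:
    """Report 'rotated', 'found' or 'not_found' plus the matching entries."""
    when = parse_time(detection_time)
    entries = parse_log(log_text)
    if not log_reaches_back_to(entries, when):
        return {"status": "rotated", "matches": []}
    matches = find_event_messages(entries, when, window_minutes)
    return {"status": "found" if matches else "not_found", "matches": matches}


if __name__ == "__main__":
    # Detection time as read from the client's SAV log (constructed).
    result = trace_detection(SAMPLE_ROUTER_LOG, "2012-06-18 10:14:30")
    print(result["status"])
    for ts, msg in result["matches"]:
        print(ts.strftime(LOG_TS_FORMAT), msg)
```

Run the same function against the client Router log, then the server Router log, with the same detection time; a "rotated" result on the server side is exactly the case the reply warns about, where the log wrapped before anyone looked, and the only remaining place to check is the msgn logs or the database query.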