This discussion has been locked.

"Comparison Failure"

Hi all,

I have a Physical DC and 2 Virtual DCs.  All three are protected by Sophos.  The client installed fine back in September, but every single day since then, I am getting the errors you see attached in the screenshot.

All 3 servers produce the same error.  I have scoured the KB here to no avail.  Help?  Thanks!

:45751


  • Hello Billerica_IT,

    the updates apparently never worked - the installed package is dated July!

    There's an issue with the AutoUpdate account - the error is 1788 (ERROR_TRUSTED_DOMAIN_FAILURE, The trust relationship between the primary domain and the trusted domain failed). Looks like it is searching for a local account, which shouldn't be the case on a DC. You did install when they were already promoted?

    Christian 

    :45833
  • Hi QC,

    Honestly, I cannot recall if the DCs were already joined or not, but I am sure that at least DC-03 was.  Should I uninstall from all 3 and just reinstall?

    :45939
  • Hello Billerica_IT,

    as it doesn't work anyway it'd be a good idea. Might be necessary to reboot them though.

    Thinking about it - dunno if running the AutoUpdate.msi (in AutoUpdate's cache) with Repair would work but guess it could do no harm.

    Christian

    :45941
  • Tell you what.  Lemme try that AutoUpdate.msi option and if that doesn't work, I will uninstall and reinstall on all servers.

    However, HOW do I do the voodoo you mention?  Step-by-step, please?  Where is the cache?  How do I add the Repair option?  Etc, etc, etc...  Thanks!

    :45947
  • Hello Billerica_IT,

    can't say if it would try to reset the account (and do it correctly on its own).
    It's not voodoo. The cache, if it exists, is \ProgramData\Sophos\AutoUpdate\cache\sau. You can't miss the .msi, Repair is available with the right-click menu.

    Christian
    :45951
  • Hi,

    With regard to the comparison failure message, the following information should help you work out the problem.

    The client is trying to establish if it's in compliance with the policy assigned from SEC.  

    This calculation takes place on the endpoint and the status is returned to SEC.

    The Sophos Agent service is responsible for this calculation.  

    Each managed component, e.g. SAV, AutoUpdate, SCF, etc., has a plugin DLL that is loaded by the Sophos Agent service.  These are referenced for the Sophos Agent in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Adapters

    For example, SAV's adapter is referenced here:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Adapters\SAV and loads the DLL from SAV, e.g. "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdapter.dll".

    Using this plugin, the Sophos Agent, during comparison, is comparing the policy sent by SEC, which should exist on disk under "C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\", where there is a directory for each managed component.  E.g. for SAV: "C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV".

    The Agent is comparing this cached policy file with the current config of the component, in the case of SAV, this is a call from the Sophos Agent service into SAV directly to get the config.  This process is fully logged in the Sophos Agent service log files, as found under: "C:\ProgramData\Sophos\Remote Management System\3\Agent\Logs\"

    However, you need verbose logging on to see a per setting comparison.  To enable this, under:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent

    Create a new DWORD called LogLevel and set it to 2.  Then restart the Sophos Agent service.  

    About 20 seconds after restarting the Sophos Agent service, a status message will be sent back to SEC.  Part of creating this status message is performing a comparison check.  The latest Agent log will therefore have all the info we need to work out why this is failing.

    Feel free to post it if needed.

    Regards,

    Jak

    :45955
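
The steps in the last reply, collected into one PowerShell script as an added example (not part of the thread and not Sophos code). It assumes an elevated prompt, that the service's display name is "Sophos Agent", and that comparison lines in the log contain the text "compar"; the thread does not name the registry value that holds an adapter's DLL path, so the script checks every string value ending in `.dll`.

```powershell
# Added example: enable verbose Sophos Agent logging and gather the data the reply describes.
# Run from an elevated PowerShell prompt on the affected endpoint.
$ErrorActionPreference = 'Stop'

# "[Wow6432Node]" in the reply is optional: present on 64-bit Windows, absent on 32-bit.
$agentKey = @(
    'HKLM:\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent',
    'HKLM:\SOFTWARE\Sophos\Remote Management System\ManagementAgent'
) | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $agentKey) { throw 'ManagementAgent registry key not found' }
$agentDir = Join-Path $env:ProgramData 'Sophos\Remote Management System\3\Agent'

# 1. Per adapter: is the referenced plugin DLL on disk, and is a policy directory cached?
Get-ChildItem (Join-Path $agentKey 'Adapters') | ForEach-Object {
    $key = $_
    # Value name is not given in the thread (assumption): inspect all string values ending in .dll
    $dlls = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) } |
        Where-Object { $_ -is [string] -and $_ -like '*.dll*' } | ForEach-Object { $_.Trim('"') })
    $missing = @($dlls | Where-Object { -not (Test-Path -LiteralPath $_) })
    [pscustomobject]@{
        Adapter      = $key.PSChildName
        Dll          = $dlls -join '; '
        DllPresent   = ($dlls.Count -gt 0 -and $missing.Count -eq 0)
        PolicyCached = Test-Path -LiteralPath (Join-Path $agentDir "AdapterStorage\$($key.PSChildName)")
    }
} | Format-Table -AutoSize

# 2. Verbose logging: DWORD LogLevel = 2, then restart the agent so it takes effect.
New-ItemProperty -Path $agentKey -Name LogLevel -PropertyType DWord -Value 2 -Force | Out-Null
Get-Service -DisplayName 'Sophos Agent' | Restart-Service   # display name is an assumption

# 3. The status message (and its comparison check) follows about 20 s after the restart.
Start-Sleep -Seconds 30
$log = Get-ChildItem (Join-Path $agentDir 'Logs') -File |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
"Latest Agent log: $($log.FullName)"
# 'compar' is a guessed search term (assumption); open the full log if nothing matches.
Select-String -LiteralPath $log.FullName -Pattern 'compar' | Select-Object -Last 40
```

An adapter row with `DllPresent` or `PolicyCached` false points at the component to look at first in the verbose log.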