"Comparison Failure"

Hi all,

I have a Physical DC and 2 Virtual DCs.  All three are protected by Sophos.  The client installed fine back in September, but every single day since then, I am getting the errors you see attached in the screenshot.

All 3 servers produce the same error.  I have scoured the KB here to no avail.  Help?  Thanks!

  • Hi,

    With regards to the comparison failure message, the following information should help you work out the problem.

    The client is trying to establish if it's in compliance with the policy assigned from SEC.  

    This calculation takes place on the endpoint and the status is returned to SEC.

    The Sophos Agent service is responsible for this calculation.  

    For each managed component, e.g. SAV, AutoUpdate, SCF, etc., they all have a plugin DLL that is loaded by the Sophos Agent service.  These are referenced for the Sophos Agent in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Adapters

    For example, SAV's adapter is referenced here:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Adapters\SAV and loads the DLL from SAV, e.g. "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdapter.dll".

    Using this plugin, the Sophos Agent, during comparison, is comparing the policy sent by SEC, which should exist on disk under: "C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\", where there is a directory for each managed component, e.g. for SAV: "C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV".

    The Agent is comparing this cached policy file with the current config of the component; in the case of SAV, this is a call from the Sophos Agent service into SAV directly to get the config.  This process is fully logged in the Sophos Agent service log files, as found under: "C:\ProgramData\Sophos\Remote Management System\3\Agent\Logs\"

    However, you need verbose logging on to see a per setting comparison.  To enable this, under:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent

    Create a new DWORD called LogLevel and set it to 2.  Then restart the Sophos Agent service.  

    About 20 seconds after restarting the Sophos Agent service, a status message will be sent back to SEC.  Part of creating this status message is performing a comparison check.  The latest Agent log will therefore have all the info we need to work out why this is failing.

    Feel free to post it if needed.

    Regards,

    Jak
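
The steps in the reply above, scripted in PowerShell for an elevated prompt on the affected endpoint (an added example, not part of the original post and not Sophos tooling). It assumes the service's display name is "Sophos Agent" and that per-setting comparison lines in the log contain the text "compar"; neither is confirmed by the thread.

```powershell
$ErrorActionPreference = 'Stop'

# The reply writes the key as SOFTWARE\[Wow6432Node]\...: the Wow6432Node
# segment is present on 64-bit Windows and absent on 32-bit Windows.
$candidates = @(
    'HKLM:\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent',
    'HKLM:\SOFTWARE\Sophos\Remote Management System\ManagementAgent'
)
$agentKey = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $agentKey) { throw 'ManagementAgent registry key not found on this machine.' }

# List the adapter plugins registered for the Sophos Agent (SAV, AutoUpdate, ...).
Get-ChildItem -Path (Join-Path $agentKey 'Adapters') |
    ForEach-Object { "Adapter registered: $($_.PSChildName)" }

# Record any existing LogLevel so it can be restored after troubleshooting.
$previous = (Get-ItemProperty -Path $agentKey -Name LogLevel -ErrorAction SilentlyContinue).LogLevel
"Previous LogLevel: $(if ($null -eq $previous) { '<not set>' } else { $previous })"

# Create (or overwrite) the LogLevel DWORD and set it to 2 for verbose logging.
New-ItemProperty -Path $agentKey -Name LogLevel -PropertyType DWord -Value 2 -Force | Out-Null

# Restart the agent. ASSUMPTION: the service display name is 'Sophos Agent'.
Restart-Service -DisplayName 'Sophos Agent'

# The reply says a status message (and with it a comparison check) follows
# about 20 seconds after the restart; wait a little longer to be safe.
Start-Sleep -Seconds 30

# Pick the most recently written file in the Agent log directory.
$logDir = Join-Path $env:ProgramData 'Sophos\Remote Management System\3\Agent\Logs'
$latest = Get-ChildItem -Path $logDir -File |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $latest) { throw "No log files found in $logDir" }
"Latest Agent log: $($latest.FullName)"

# ASSUMPTION: comparison entries contain 'compar'. If nothing matches,
# show the end of the log so it can be read by hand.
$hits = Select-String -Path $latest.FullName -Pattern 'compar' -Context 0, 3
if ($hits) { $hits } else { Get-Content -Path $latest.FullName -Tail 200 }

# Once the failing setting is identified, put LogLevel back as it was:
#   Remove-ItemProperty -Path $agentKey -Name LogLevel      (if it was not set)
#   Set-ItemProperty    -Path $agentKey -Name LogLevel -Value $previous
# and restart the Sophos Agent service again.
```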
