
Windows 7 64bit and Sophos 9.7 Problem

Hi,

Bit of an issue here which is baffling me.

Set up a new Subscription to 9.7 Recommended and created a new CID on AV server.

Set up a new Policy with the correct subscription which applies to a number of XP machines and 4 Windows 7 64bit machines.

The XP machines are all compliant with the new policy and have automatically upgraded from 9.5 to 9.7.

I've manually installed 9.7 to the Win 7 machines from the new CID (S002).

The issue I'm having is after 60 mins or so (automatic update schedule) the Win 7 workstations are checking for updates and then downgrading themselves back to version 9.5!

Both Win 7 and XP machines are sharing the same updating policy.

Any ideas?

:12561


  • Hello Trevor,

    setup.exe installs AutoUpdate, which then upon the "first" update installs SAVXP, so it is normal that the AutoUpdate "update" is skipped at this point. As it has updated/installed from the S002 CID (you see this in the update log, don't you) and no change has been made to AU, the location should still be S002. If it no longer is at this point (i.e. before the reboot) it must have been (re-)set somehow. Question is - how is "somehow".

    Turning on the Agent and Router trace would reveal if the policy comes from the console. The keys and values are

    HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent "LogLevel"=dword:00000002

    HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System\Router "LogLevel"=dword:00000002

    guess they "survive" a reinstall.

    Christian

    :12773
  • Just one observation, sorry Christian, if you down the win7 firewall for a few moments, start the 'remote registry' service on the win 7 pc and then on the console, run 'protect' for the failing machine, what happens?

    Matt

    :12779
  • Hi MawfTech,

    Remote Registry is on and firewall is off on my machine anyway so it's not that.

    I've set the Sophos Default updating policy to use 9.7 subscription.

    The Win 7 machines seem to stay on this policy and not take the policy that I've set on the group.

    So now Win 7 machines are updating from the Av server and are staying on 9.7 even though they are reporting compliance with an updating policy on a Windows file server in another building.

    It's a workaround but still doesn't solve the issue about why they aren't taking the same updating as the XP machines in the same group.

    I initially thought it was to do with AD security policies.

    I forgot that those Win 7 machines are locked down so only Domain admins can log on to them.

    The service account that AutoUpdate uses to fetch updates has been added to the local Administrator account on my Win 7 machine as well as the SophosAdministrator group. Still not picking up the correct updating policy though.

    :12781
  • Hi Trevor,

    Just so I'm clear here, on your SEC, the win 7 machines are reporting as compliant to the updating policy pointing at the 9.7 CID or not compliant?

    Matt

    :12785
  • Well, Trevor, I really suggest the agent trace. It gives at least some insight to what the client does in terms of policy and compliance. Don't worry, it's not that much data that is collected (and it helped me with a very strange issue where a client switched from 9.7 to 0.6 and v.v. - but in this case a leftover sauconf.xml was the culprit).

    Christian

    :12787
  • Hi Christian,

    Just to clarify:

    create Dword item called LogLevel with value of 2 here:

    HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent

    HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System\Router

    and then run an "update now" and should I see larger logs in Program data?

    MawfTech,

    yes the Win 7 clients are using the default Sophos updating policy but still reporting that they are compliant with the Updating policy assigned to the group that they are a member of.  The XP machines in this group are fully compliant with the correct updating policy

    :12789
  • Hello Trevor,

    sorry, left immediately after my post.

    The keys become effective after a (re)start of the agent and router. The logs are in %ProgramData%\Sophos\Remote Management System\3\[Agent|Router]\Logs.

    The interesting part is the updating policy. So it's best to either run the install from the S002 CID again, reboot the client and if it afterwards points to S000 collect the logs (using SDU) or (if the client is pointing to S000 at the moment but should point to S002) on the console edit and save (without changing anything) the applicable policy (this should change compliance to Awaiting transfer). If it does not comply then, collect the logs. If it does, force an update, see if it has still S002. If not, collect the logs. Otherwise reboot and collect the logs afterwards (assuming it now again points to S002). Don't worry, it takes longer to write this than to do it :).

    In the meantime - do you have any groups using the Default policy?

    Christian

    :12801
  • Hi Christian,

    Ran a manual install from CID S002 from the file server in my current building. After a reboot my W7 PC reverted to the default policy to take 9.7 from the AV server instead.

    log 1:

    10.05.2011 10:18:29 0720 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20110510-091829.log
    10.05.2011 10:18:29 0720 I Sophos Messaging Router 3.3.0.2059 starting...
    10.05.2011 10:18:29 0720 I Setting ACE_FD_SETSIZE to 138
    10.05.2011 10:18:29 0720 I Initializing CORBA...
    10.05.2011 10:18:29 0720 I Setting connection cache limit to 10
    10.05.2011 10:18:29 0720 I Creating ORB runner with 4 threads
    10.05.2011 10:18:29 0720 I Getting parent router IOR from avserver.domainname:8192
    10.05.2011 10:18:29 0720 I This computer is part of the domain doamin
    10.05.2011 10:18:29 0720 I Getting a new router certificate...
    10.05.2011 10:18:30 0720 I Creating cryptographic key pair
    10.05.2011 10:18:32 0720 I Installing new router certificate...
    10.05.2011 10:18:33 0720 I This computer is part of the domain doamin
    10.05.2011 10:18:33 0720 E ACE_DLL::open failed for TAO_ImR_Client: Error: check log for details.
    10.05.2011 10:18:33 0720 E Unable to find service: ImR_Client_Adapter
    10.05.2011 10:18:33 0720 I This router's IOR:
    10.05.2011 10:18:33 0720 I Successfully validated this router's IOR
    10.05.2011 10:18:33 0720 I Reading router table file
    10.05.2011 10:18:33 0720 I Host name: trev-PC-W7
    10.05.2011 10:18:33 0720 I Local IP addresses:
    10.05.2011 10:18:33 0720 I Resolved name: trev-PC-W7.domainname
    10.05.2011 10:18:33 0720 I Resolved alias/es:
    10.05.2011 10:18:33 0720 I Resolved IP addresses: 
    10.05.2011 10:18:33 0720 I Resolved reverse names/aliases: trev-PC-W7.domainname
    10.05.2011 10:18:33 13B0 I Routing to parent: id=01C9029D, origin=Router$trev-PC-W7:28357, dest=Router$trev-PC-W7:28357.Agent, type=EM-ClientLogoff
    10.05.2011 10:18:33 0720 I Waiting for messages...
    10.05.2011 10:18:33 0720 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 3, max number of user ports 15360
    10.05.2011 10:18:33 0DC0 I Getting parent router IOR from avserver.domainname:8192
    10.05.2011 10:18:33 0DC0 I Received parent router's IOR:
    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a0000000010102000b00000031342e32302e35302e330000012000004100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f757465720000000300000000000000080000000100b100004f415401000000140000000100b1000100010000000000090101000000000014000000080000000100a60086000220
    10.05.2011 10:18:33 0DC0 I Successfully validated parent router's IOR
    10.05.2011 10:18:33 0DC0 I Accessing parent
    10.05.2011 10:18:33 0DC0 I Parent is Router$avserver
    10.05.2011 10:18:33 0DC0 I Registered with parent router
    10.05.2011 10:18:33 0DC0 I RouterTableEntry::LogonToParentRouter() - logging on as active consumer
    10.05.2011 10:18:33 0DC0 I RouterTableEntry state (router, logging on): Router$avserver is passive consumer, passive supplier
    10.05.2011 10:18:33 0DC0 I Logged on to parent router as Router$trev-PC-W7:28380
    10.05.2011 10:18:33 0DC0 I This computer is part of the domain doamin
    10.05.2011 10:18:33 080C I Sent message (id=01C9029D) to Router$avserver
    10.05.2011 10:18:37 03D4 I Logged on Agent for certification
    10.05.2011 10:18:37 13B0 I Routing to parent: id=03C902ED, origin=Router$trev-PC-W7:28380.Agent, dest=CM, type=Certification.CertRequest
    10.05.2011 10:18:37 127C W Expanded Envelope, id=03C902ED, type=Certification.CertRequest, no Originator Cert
    10.05.2011 10:18:37 127C I Sent message (id=03C902ED) to Router$avserver
    10.05.2011 10:18:37 13B0 I Routing to Agent: id=01C902ED, origin=Router$avserver.CM, dest=Router$trev-PC-W7:28380.Agent, type=Certification.CertResponse
    10.05.2011 10:18:38 1028 I Logged off Agent
    10.05.2011 10:18:38 1004 I Registered client Agent
    10.05.2011 10:18:38 0D84 I Client::LogonPushPush() successfully called back to client
    10.05.2011 10:18:38 0D84 I Logged on Agent as a client
    10.05.2011 10:18:38 13B0 I Routing to parent: id=01C902EE, origin=Router$trev-PC-W7:28380.Agent, dest=EM, type=EM-EntityEvent
    10.05.2011 10:18:38 127C I Sent message (id=01C902EE) to Router$avserver
    10.05.2011 10:18:39 13B0 I Received message for this router
    10.05.2011 10:18:39 13B0 I EM-NotifyClientUpdates originator Router$trev-PC-W7:28380.Agent
    10.05.2011 10:18:39 13B0 I Received message for this router
    10.05.2011 10:18:39 13B0 I EM-GetClientStatus EMLib originator Router$trev-PC-W7:28380.Agent
    10.05.2011 10:18:39 13B0 I Routing to Agent: id=05C902EF, origin=Router$trev-PC-W7:28380, dest=Router$trev-PC-W7:28380.Agent, type=EM-NotifyClientUpdates-Reply
    10.05.2011 10:18:39 13B0 I Routing to Agent: id=07C902EF, origin=Router$trev-PC-W7:28380, dest=Router$trev-PC-W7:28380.Agent, type=EM-GetClientStatus-Reply
    10.05.2011 10:18:39 080C I Sent message (id=05C902EF) to Agent
    10.05.2011 10:18:39 080C I Sent message (id=07C902EF) to Agent
    10.05.2011 10:18:59 13B0 I Routing to parent: id=01C90303, origin=Router$trev-PC-W7:28380.Agent, dest=EM, type=EM-GetStatus-Reply
    10.05.2011 10:18:59 127C I Sent message (id=01C90303) to Router$avserver
    10.05.2011 10:18:59 13B0 I Routing to Agent: id=01C90303, origin=Router$avserver.EM, dest=Router$trev-PC-W7:28380.Agent, type=EM-SetConfiguration
    10.05.2011 10:18:59 0180 I Sent message (id=01C90303) to Agent
    10.05.2011 10:18:59 13B0 I Routing to Agent: id=03C90303, origin=Router$avserver.EM, dest=Router$trev-PC-W7:28380.Agent, type=EM-SetConfiguration
    10.05.2011 10:18:59 13B0 I Routing to Agent: id=05C90303, origin=Router$avserver.EM, dest=Router$trev-PC-W7:28380.Agent, type=EM-SetConfiguration
    10.05.2011 10:18:59 13B0 I Routing to Agent: id=07C90303, origin=Router$avserver.EM, dest=Router$trev-PC-W7:28380.Agent, type=EM-SetConfiguration
    10.05.2011 10:18:59 13B0 I Routing to Agent: id=09C90303, origin=Router$avserver.EM, dest=Router$trev-PC-W7:28380.Agent, type=EM-SetConfiguration
    10.05.2011 10:18:59 13B0 I Routing to Agent: id=0BC90303, origin=Router$avserver.EM, dest=Router$trev-PC-W7:28380.Agent, type=EM-SetConfiguration
    10.05.2011 10:18:59 080C I Sent message (id=03C90303) to Agent
    10.05.2011 10:18:59 080C I Sent message (id=05C90303) to Agent
    10.05.2011 10:18:59 080C I Sent message (id=07C90303) to Agent
    10.05.2011 10:18:59 080C I Sent message (id=09C90303) to Agent
    10.05.2011 10:18:59 080C I Sent message (id=0BC90303) to Agent
    10.05.2011 10:19:28 13B0 I Routing to parent: id=01C90320, origin=Router$trev-PC-W7:28380.Agent, dest=EM, type=EM-GetStatus-Reply
    10.05.2011 10:19:28 127C I Sent message (id=01C90320) to Router$avserver
    10.05.2011 10:20:16 1018 I Windows is shutting down...
    10.05.2011 10:20:16 0720 I Shutting down...
    10.05.2011 10:20:16 0DC0 I Logged off from parent router
    10.05.2011 10:20:16 0720 I Writing router table file

    :12809
  • log 2:

    10.05.2011 10:21:06 06D4 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20110510-092106.log
    10.05.2011 10:21:06 06D4 I Sophos Messaging Router 3.3.0.2059 starting...
    10.05.2011 10:21:06 06D4 I Setting ACE_FD_SETSIZE to 138
    10.05.2011 10:21:06 06D4 I Initializing CORBA...
    10.05.2011 10:21:06 06D4 I Setting connection cache limit to 10
    10.05.2011 10:21:06 06D4 I Creating ORB runner with 4 threads
    10.05.2011 10:21:06 06D4 I This computer is part of the domain domain
    10.05.2011 10:21:06 06D4 E ACE_DLL::open failed for TAO_ImR_Client: Error: check log for details.
    10.05.2011 10:21:06 06D4 E Unable to find service: ImR_Client_Adapter
    10.05.2011 10:21:06 06D4 I This router's IOR:
    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e3000000002000000000000009c000000010102000a00000031302e392e332e38370001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f757465720000000300000000000000080000000100cb00004f415401000000140000000100cb000100010000000000090101000000000014000000080000000100a6008600022000000000a0000000010102000d0000003139322e3136382e35362e31000001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f757465720000000300000000000000080000000100cb00004f415401000000140000000100cb000100010000000000090101000000000014000000080000000100a60086000220
    10.05.2011 10:21:06 06D4 I Successfully validated this router's IOR
    10.05.2011 10:21:06 06D4 I Reading router table file
    10.05.2011 10:21:06 06D4 I Host name: trev-PC-W7
    10.05.2011 10:21:06 06D4 I Local IP addresses:
    10.05.2011 10:21:06 06D4 I Resolved name: trev-PC-W7.domainname
    10.05.2011 10:21:06 06D4 I Resolved alias/es:
    10.05.2011 10:21:06 06D4 I Resolved IP addresses:
    10.05.2011 10:21:06 06D4 I Resolved reverse names/aliases: trev-PC-W7.domainname
    10.05.2011 10:21:06 06D4 I Waiting for messages...
    10.05.2011 10:21:06 06D4 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 3, max number of user ports 15360
    10.05.2011 10:21:06 08A4 I Getting parent router IOR from avserver.domainname:8192
    10.05.2011 10:21:06 08A4 I Received parent router's IOR:
    IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a0000000010102000b00000031342e32302e35302e330000012000004100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f757465720000000300000000000000080000000100b100004f415401000000140000000100b1000100010000000000090101000000000014000000080000000100a60086000220
    10.05.2011 10:21:06 08A4 I Successfully validated parent router's IOR
    10.05.2011 10:21:06 08A4 I Accessing parent
    10.05.2011 10:21:06 08A4 I Parent is Router$avserver
    10.05.2011 10:21:06 08A4 I RouterTableEntry::LogonToParentRouter() - logging on as active consumer
    10.05.2011 10:21:06 08A4 I RouterTableEntry state (router, logging on): Router$avserver is passive consumer, passive supplier
    10.05.2011 10:21:06 08A4 I Logged on to parent router as Router$trev-PC-W7:28380
    10.05.2011 10:21:06 08A4 I This computer is part of the domain domain
    10.05.2011 10:21:07 0850 I Client::LogonPushPush() successfully called back to client
    10.05.2011 10:21:07 0850 I Logged on Agent as a client
    10.05.2011 10:21:07 0894 I Routing to Agent: id=03C90383, origin=Router$trev-PC-W7:28380, dest=Router$trev-PC-W7:28380.Agent, type=EM-ClientLogon
    10.05.2011 10:21:07 088C I Sent message (id=03C90383) to Agent
    10.05.2011 10:21:08 0894 I Received message for this router
    10.05.2011 10:21:08 0894 I EM-NotifyClientUpdates originator Router$trev-PC-W7:28380.Agent
    10.05.2011 10:21:08 0894 I Received message for this router
    10.05.2011 10:21:08 0894 I EM-GetClientStatus EMLib originator Router$trev-PC-W7:28380.Agent
    10.05.2011 10:21:08 0894 I Routing to Agent: id=05C90384, origin=Router$trev-PC-W7:28380, dest=Router$trev-PC-W7:28380.Agent, type=EM-NotifyClientUpdates-Reply
    10.05.2011 10:21:08 0894 I Routing to Agent: id=07C90384, origin=Router$trev-PC-W7:28380, dest=Router$trev-PC-W7:28380.Agent, type=EM-GetClientStatus-Reply
    10.05.2011 10:21:08 0888 I Sent message (id=05C90384) to Agent
    10.05.2011 10:21:08 0888 I Sent message (id=07C90384) to Agent
    10.05.2011 10:21:28 0894 I Routing to parent: id=01C90398, origin=Router$trev-PC-W7:28380.Agent, dest=EM, type=EM-GetStatus-Reply
    10.05.2011 10:21:28 088C I Sent message (id=01C90398) to Router$avserver
    10.05.2011 10:26:09 0894 I Routing to parent: id=01C904B1, origin=Router$trev-PC-W7:28380.Agent, dest=EM, type=EM-EntityEvent
    10.05.2011 10:26:09 0890 I Sent message (id=01C904B1) to Router$avserver
    10.05.2011 11:21:06 06D4 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 4, max number of user ports 15360

    :12811
  • Hello Trevor,

    so avserver is your management server, right? The client receives the policies at 10:18:59 - if you take the agent log from this time you should see the contents of the policies applied. The policies in turn are taken from the group the client belongs to. Thus I assume if it doesn't receive the expected policy it is not in the expected group (for whatever reason).

    Christian   

    :12817
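Added example (not part of the original thread, and not Sophos code): a small parser for the Router trace format quoted above that lists when configuration messages reached the agent and from which origin, so two logs such as "log 1" and "log 2" can be compared. It assumes the `EM-SetConfiguration` messages logged at 10:18:59 are the policy delivery Christian refers to; the sample lines are constructed from the format in the posts and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the Router trace format quoted in the thread.
SAMPLE_LOG = """\
10.05.2011 10:18:38 13B0 I Routing to parent: id=01C902EE, origin=Router$trev-PC-W7:28380.Agent, dest=EM, type=EM-EntityEvent
10.05.2011 10:18:59 13B0 I Routing to Agent: id=01C90303, origin=Router$avserver.EM, dest=Router$trev-PC-W7:28380.Agent, type=EM-SetConfiguration
10.05.2011 10:18:59 0180 I Sent message (id=01C90303) to Agent
10.05.2011 10:18:59 13B0 I Routing to Agent: id=03C90303, origin=Router$avserver.EM, dest=Router$trev-PC-W7:28380.Agent, type=EM-SetConfiguration
10.05.2011 10:18:59 13B0 E Unable to find service: ImR_Client_Adapter
IOR:0100
10.05.2011 10:21:08 0894 I Routing to Agent: id=05C90384, origin=Router$trev-PC-W7:28380, dest=Router$trev-PC-W7:28380.Agent, type=EM-NotifyClientUpdates-Reply
"""

# "<dd.mm.yyyy hh:mm:ss> <thread id> <level> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<tid>[0-9A-F]{4}) (?P<lvl>[IWE]) (?P<msg>.*)$")
ROUTE_RE = re.compile(
    r"^Routing to (?P<hop>parent|Agent): id=(?P<id>[0-9A-F]+), "
    r"origin=(?P<origin>[^,]+), dest=(?P<dest>[^,]+), type=(?P<type>\S+)$")


def parse_routes(text):
    """Yield a dict per 'Routing to ...' line; IOR dumps and other lines are skipped."""
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # continuation lines such as "IOR:..." carry no timestamp
        route = ROUTE_RE.match(line["msg"])
        if route:
            when = datetime.strptime(line["ts"], "%d.%m.%Y %H:%M:%S")
            yield {"time": when, **route.groupdict()}


def policy_pushes(text):
    """Return (time, message id, origin) for each EM-SetConfiguration sent to the agent."""
    return [(r["time"], r["id"], r["origin"]) for r in parse_routes(text)
            if r["hop"] == "Agent" and r["type"] == "EM-SetConfiguration"]


def summarize(text):
    """Count configuration messages per (origin, time of day)."""
    return Counter((origin, t.strftime("%H:%M:%S"))
                   for t, _msg_id, origin in policy_pushes(text))


if __name__ == "__main__":
    for (origin, when), count in summarize(SAMPLE_LOG).items():
        print(f"{when}  {count} configuration message(s) from {origin}")
```

A log with no matching lines, as in the second router log posted above, yields an empty summary; the timestamps from the first give the window to look up in the Agent log.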