Autoupdate failed and insufficient rights to do anything with Sophos

Hi Sophos team,

I had to register as I have an annoying problem with Sophos. The most I got from my IT admin (who is in Denmark while I am on a stay in China) is to uninstall it and install something else. While that's the last option, I will give a last try to ask you.

I neither have the rights to manipulate Sophos properly (it says "insufficient rights"), nor does the autoupdate function work. This is all from today, when I tried to delete a virus or whatever it was from a USB stick, and I noticed the first one. Once I tried to fix it using your (incredibly confusing and overloaded) forums, the auto-update stopped working as well. It's a bit annoying and I got a bit frustrated.

1. I have tried to fix the "insufficient rights" issue by following your posted procedure, i.e. updating the SID numbers using the SophosLocalGroups.txt file, but it didn't work. I also downloaded some file, then copied it to the indicated location and ran it (which was supposed to automatically update the SIDs), but it was a waste of time in both reading and doing it.

2. I have tried to fix the auto-update issue. I don't even remember what I did, but I stopped the Sophos virus protection, did what was written in your post and activated it again. It didn't work.

Is there any solution other than spending hours trying to understand what SID and DSN settings are?

Thanks a lot,

Kiril

p.s. For the record, when I start up my PC, a notification appears saying "Sophos Endpoint Security and Control updater has failed to download", and in the update log the following appears (the other updates seem to work properly, as it says in the log):

Time: 23-07-2012 23:37:14
Message: Could not connect to the server. Check that this computer is connected to the network and that Sophos AutoUpdate is configured to update from the correct location with the correct credentials and proxy details (if required)
Module: CIDUpdate
Process ID: 4808
Thread ID: 4412

Time: 23-07-2012 23:37:13
Message: Downloading product Sophos AutoUpdate from server \\SOFUS\SophosUpdate\CIDs\S000\SAVSCFXP\
Module: CIDUpdate
Process ID: 4808
Thread ID: 4412

Time: 23-07-2012 23:37:11
Message: Could not add a connection to server \\SOFUS\SophosUpdate; user djf\sophos; Windows error 53
Module: CIDUpdate
Process ID: 4808
Thread ID: 4412

Time: 23-07-2012 23:37:09
Message: Could not connect to the server. Check that this computer is connected to the network and that Sophos AutoUpdate is configured to update from the correct location with the correct credentials and proxy details (if required)
Module: CIDUpdate
Process ID: 4808
Thread ID: 4412

Time: 23-07-2012 23:37:08
Message: Downloading product SAVXP from server \\SOFUS\SophosUpdate\CIDs\S000\SAVSCFXP\
Module: CIDUpdate
Process ID: 4808
Thread ID: 4412

Time: 23-07-2012 23:37:06
Message: Could not add a connection to server \\SOFUS\SophosUpdate; user djf\sophos; Windows error 53
Module: CIDUpdate
Process ID: 4808
Thread ID: 4412

Time: 23-07-2012 23:37:04
Message: Could not connect to the server. Check that this computer is connected to the network and that Sophos AutoUpdate is configured to update from the correct location with the correct credentials and proxy details (if required)
Module: CIDUpdate
Process ID: 4808
Thread ID: 4412

Time: 23-07-2012 23:37:03
Message: Downloading product RMSNT from server \\SOFUS\SophosUpdate\CIDs\S000\SAVSCFXP\
Module: CIDUpdate
Process ID: 4808
Thread ID: 4412

Time: 23-07-2012 23:37:01
Message: Could not add a connection to server \\SOFUS\SophosUpdate; user djf\sophos; Windows error 53
Module: CIDUpdate
Process ID: 4808
Thread ID: 4412

Time: 23-07-2012 23:36:38
Message: *************** Sophos AutoUpdate started ***************
Module: ALUpdate
Process ID: 4808
Thread ID: 4412


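An added helper, not from the post or from Sophos, that reads entries in the Time/Message/Module/Process ID/Thread ID layout of the log above and decodes the Windows error code in the "Could not add a connection" lines (the sample log is a constructed excerpt that copies the format, server path and error code shown above):

```python
import re

# Constructed excerpt in the same Time/Message/Module/Process ID/Thread ID layout as the
# AutoUpdate log pasted above; timestamps, server path and error code are copied from it.
SAMPLE_LOG = r"""Time: 23-07-2012 23:37:13
Message: Downloading product Sophos AutoUpdate from server \\SOFUS\SophosUpdate\CIDs\S000\SAVSCFXP\
Module: CIDUpdate
Process ID: 4808
Thread ID: 4412

Time: 23-07-2012 23:37:11
Message: Could not add a connection to server \\SOFUS\SophosUpdate; user djf\sophos; Windows error 53
Module: CIDUpdate
Process ID: 4808
Thread ID: 4412

Time: 23-07-2012 23:36:38
Message: *************** Sophos AutoUpdate started ***************
Module: ALUpdate
Process ID: 4808
Thread ID: 4412
"""

# Win32 error codes AutoUpdate reports when it cannot map the UNC update share.
WIN_ERRORS = {
    5: "ERROR_ACCESS_DENIED: share reached, credentials rejected",
    53: "ERROR_BAD_NETPATH: network path not found (name resolution or no route to server)",
    67: "ERROR_BAD_NET_NAME: server reached, share name not found",
}

ENTRY_RE = re.compile(
    r"Time: (?P<time>.+)\nMessage: (?P<msg>.+)\nModule: (?P<module>.+)\n"
    r"Process ID: (?P<pid>\d+)\nThread ID: (?P<tid>\d+)")
CONN_RE = re.compile(
    r"Could not add a connection to server (?P<server>[^;]+); user (?P<user>[^;]+); "
    r"Windows error (?P<code>\d+)")

def parse_entries(text):
    """One dict per entry; Sophos writes them newest-first and that order is kept."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]

def diagnose(text):
    """Return (products it tried to download, connection failures with the error decoded)."""
    products, failures = [], []
    for e in parse_entries(text):
        if e["msg"].startswith("Downloading product "):
            products.append(e["msg"].split(" from server ")[0][len("Downloading product "):])
        m = CONN_RE.search(e["msg"])
        if m:
            code = int(m["code"])
            failures.append({"time": e["time"], "server": m["server"], "user": m["user"],
                             "code": code, "meaning": WIN_ERRORS.get(code, "unknown Win32 error")})
    return products, failures
```

Error 53 on every product means the UNC path never resolved or routed, which is why the same failure repeats for RMSNT, SAVXP and Sophos AutoUpdate in the log above.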

  • Hello kiril982,

    from the logs it's clear that AutoUpdate can't connect to server SOFUS - no surprise as you are obviously "elsewhere". It could only work if you have a tunnel (e.g. VPN) to your home network.

    As to the rights - if your account (I assume it is an administrator account) belongs to the Sophos Administrators group dealing with threats is not restricted. If it isn't - and this is likely caused by the install sequence, i.e. the account has been created/promoted after install of Sophos - it can simply be corrected by adding the account to this group, no fiddling with SIDs required. An end user shouldn't have to turn to the forum for these questions though. If this is a managed install the IT administration is responsible for providing working update locations and should also be aware how user rights are assigned.

    If you want to get rid of a "something" on USB you can simply delete it from Windows (deleted won't get blocked). For AutoUpdate to succeed you either need a connection to SOFUS, an alternate (WebCID) location on your site or your site's/employer's credentials to update from Sophos.

    Christian
  • Dear Christian,

    Thank you for the prompt reply. It seems that my problem is not that easily solved. I contacted my dept. IT admin again, and he said "Last lookup from your machine to the Sophos antivirus manager was 30/5-2012". That's the date I left Denmark. I use VPN, and I have tried it after your reply as well. But it doesn't work regarding the auto-updates. It is symptomatic that the cross next to the Sophos icon on the task bar appeared yesterday; there was no notification previously.

    It seems to me that even if I am able to get my user profile into the group SophosAdministrator (I can live without it anyway), it probably will not fix the auto-update issue.

    What do you suggest?

  • Hello kiril982,

    last lookup [...] the date I left Denmark

    this suggests (assuming he is talking about the management system, not the download) that the server is not reachable over VPN - this is either due to the network configuration at your site or in conjunction with yesterday's detection or perhaps both. But this is more guesswork than serious analysis given the lack of details. 

    I assume that SOFUS is also the management server. If you open Start->(All) Programs->Sophos->Sophos ES&C->View Sophos Network Communications Report the known server addresses should be under Parent-addresses (usually in the form IPv4,[IPv6,]FQDN,NetBIOS). If you open a cmd window (when VPN is active) and type ping FQDN - does it resolve the address (i.e. it should say Pinging FQDN [IP] with ...)? If not then it can't resolve the name. As you said you only noticed recently that AutoUpdate doesn't work it could be that something has changed recently. The AutoUpdate logs probably don't go back that far but looking at the files in C:\Program Files\Sophos\Sophos Anti-Virus will tell you the approximate time of the last update - sort by date to determine the timestamp of the "youngest" files. If it's May then AutoUpdate hasn't worked since you left Denmark. Whatever you find determines the next steps.

    This is just to make sure that the issue isn't related to the detection on USB (BTW - is this your device, did you use it on another computer, or did you get it from somewhere? Also, what has been detected - the Quarantine Manager should tell you the threat's name).

    Christian

  • Hi Christian,

    When I "View Sophos Network Communications Report", these two issues are noted:

    State of name resolution (DNS)
    Problem description: There is a problem communicating with the server.
    Overview: Failed to determine the IP address of the computer from its name. Communication cannot start until this problem is resolved.
    Possible cause: DNS is misconfigured or the information is missing or incorrect.
    Action to repair: Verify that the client can resolve the name of the server. Alternatively, use a static IP address on the server (this is the configuration recommended by Sophos).
    More information can be found in the Sophos knowledgebase: Access the Sophos knowledgebase

    Then, the next problem is:

    State of outgoing communications to server
    Problem description: Communication failure.
    Overview: Failed to communicate with the server.
    Possible cause: "Sophos Message Router" service may be stopped on the server, or the server may be disconnected from the network, or a firewall may be blocking communications from the client to the server.
    Action to repair: Verify that the Sophos Message Router ports (by default 8192 and 8194) on the server are accessible by the computer with the problem. Also check networking and services on the server.
    More information can be found in the Sophos knowledgebase.

    The parent addresses are:

    Parent addresses :

    172.18.3.16,sofus.djf.agrsci.dk,sofus

    When I ping FQDN, it does not find the host FQDN.

    Is this "the end"? Should I follow the "Enterprise Console: DNS error" procedure for IP address?

    Regarding the USB, it's mine and was used on one Chinese PC, and when I used it in my PC, Sophos detected a virus on the USB (I can't see the log as I am not authorised; my whole Quarantine Manager is frozen, and even if I click View Sophos website or Security information, a window pops up saying it can't find Google Chrome :( ). But I remember it was an *.exe file and Sophos reported many infected items inside it, i.e. it reported only the exe file but in the "details" option many names were listed. I copied my USB content to my PC, formatted the USB, scanned the copied folder (it was clean), and cut it back to my USB.

    Thanks,

    Kiril

  • Hello Kiril,

    can you access other servers (or computers) at your site when connected via VPN? I just did nslookup with the FQDN and it resolves to a 130.xxx.xxx.xxx address (obviously the server also has a private address within your home network). If nslookup does not return an address when you are connected via VPN but gives you the external (130.xxx.xxx.xxx) one when VPN is off then it's likely an issue within your home network. If you don't get an address with or without VPN then it's likely an issue with your PC.

    Is Chrome your default browser (and does it work)?

    As for the log: You'll find the current log (SAV.txt) in [%ProgramData%|%ALLUSERSPROFILE%\Application Data]\Sophos\Sophos Anti-Virus\logs. It will contain the details of the detected items. Did you ever have problems viewing the log or is it the first time you needed it and perhaps just didn't notice before? Just asking to rule out the USB stick as cause of your recent problems. If you are not sure that Sophos is working correctly (apart from the AutoUpdate problem) you could try the Virus Removal Tool.

    As for updating: If you can't access/change the settings using the GUI you can't configure Sophos as update location (and you'd need your site's download credentials). Though you can download the latest detection items here (use the package corresponding to your data version, likely 4.78). 

    As for the problems with the GUI: If you click View product information (bottom left) it will tell you (after several seconds) your Current user rights. It should say Sophos Administrator if your account is a member of this local group.

    Christian 

  • Hi Christian,

    When I nslookup FQDN with VPN it gives me:

    Server: xtgc.sjziam.ac.cn

    Address: 159.xxx.xxx.x

    Non-authoritative answer:

    Name: FQDN.djf.agrsci.dk

    Address: 130.xxx.xxx.xxx

    When I nslookup FQDN without VPN it gives me something slightly different:

    Server: ths.sjziam.ac.cn

    Address: 159.xxx.xxx.x

    Non-authoritative answer:

    Name: FQDN.agrsci.dk

    Address: 130.xxx.xxx.xxx

    Which means that it's not the home network, right? The PC works very nicely. All software works properly, no issues with viruses or similar. Chrome works normally, it's my default browser. All is fine it seems to me. I have no strange behaviour or viruses reported.

    Regarding the SAV.txt file, it says (among many other things):

    20120723 094735 Virus/spyware 'W32/AutoRun-MO' has been detected in "E:\Recycled.exe\FILE:0000". (FILE:0000 goes up to 9.) This is the one I wrote about.

    (By the way, this: 

    20120725 030444 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
    20120725 050400 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
    20120725 050402 Using detection data version 4.77G (detection engine 3.31.1). This version can detect 3575645 items. 

    expected right?)

    It is funny because when I open Windows Security Center, it reports that all is fine, Sophos is up to date and works well and all is on. It only says in "Spyware and unwanted software protection" that my PC uses both Windows Defender and Sophos, and both work properly.

    Finally, I am a Sophos user, not an administrator.

    Kiril

  • Hello Kiril,

    right now I get inconsistent results doing the lookup - whatever the cause.

    Anyway, when connected via VPN it should use a "private" nameserver, not one from the site which provides access to the network. As you get the external (130.xxx.xxx.xxx) address in both cases it's no surprise that you can't connect to the server. Is this "your" VPN (Det Jordbrugsvidenskabelige Fakultet) or is it used to get access to the Center for Agricultural Resources Research network?

    W32/AutoRun-MO (see the link for the analysis) is well-known and that it has been found on the stick suggests the PC you plugged it into is infected. Seems like Sophos successfully detected it but you might want to check your machine for items similar to those mentioned in the analysis.

    4.77G is definitely old (4.79 is current and 4.80 is due next week but given you can't reach the update location it's the expected version) - thus I'm surprised that WSC shows all green, but then I'm no expert when it comes to WSC.

    Re user rights in the GUI: Adding your account (assuming you have administrative rights on the machine) to the SophosAdministrator group should give you Sophos Administrator rights the next time you open the GUI. But even if this doesn't work you should be able to view the Software details on this page. What does it say for Last updated (right above Components)? Note that the Last updated in the Status pane on the left shows the time of the last check whereas under Software you see the time when actually something was downloaded.

    Christian

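An added check, not from the thread or from Sophos, for the point made above: with the VPN up, a lookup of the server name should come from the site's own nameserver and return the private address listed under Parent addresses, not the external one. It takes the Parent addresses line and nslookup output in the shapes pasted earlier; the nslookup transcripts are constructed, with documentation-range addresses standing in for the masked 159.x and 130.x values.

```python
import ipaddress
import re

# Parent addresses line exactly as the Network Communications Report in the thread shows it.
PARENT_ADDRESSES = "172.18.3.16,sofus.djf.agrsci.dk,sofus"

# Constructed nslookup transcripts in the shape pasted in the thread. Resolver and answer
# addresses are documentation ranges standing in for the masked 159.x / 130.x values.
NSLOOKUP_VIA_OUTSIDE_RESOLVER = """Server:  xtgc.sjziam.ac.cn
Address:  198.51.100.2

Non-authoritative answer:
Name:    sofus.djf.agrsci.dk
Address:  203.0.113.7
"""
NSLOOKUP_VIA_SITE_RESOLVER = """Server:  site-nameserver.example
Address:  172.18.3.2

Name:    sofus.djf.agrsci.dk
Address:  172.18.3.16
"""

# RFC 1918 ranges only: Python's is_private would also count the documentation ranges
# used above as stand-ins for public addresses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def parse_parent(line):
    """Split 'IPv4,[IPv6,]FQDN,NetBIOS' into (addresses, names)."""
    ips, names = [], []
    for part in (p.strip() for p in line.split(",")):
        try:
            ips.append(ipaddress.ip_address(part))
        except ValueError:
            names.append(part)
    return ips, names

def parse_nslookup(text):
    """Return (resolver, answer); the first Address: line is the server nslookup asked."""
    addrs = [ipaddress.ip_address(a) for a in re.findall(r"^Address:\s+(\S+)", text, re.M)]
    return (addrs[0] if addrs else None), (addrs[1] if len(addrs) > 1 else None)

def classify(parent_line, nslookup_text):
    parent_ips, _ = parse_parent(parent_line)
    resolver, answer = parse_nslookup(nslookup_text)
    if answer is None:
        return "unresolved"        # the "can't find host" case from the thread
    if answer in parent_ips:
        return "matches-parent"    # RMS and AutoUpdate can reach SOFUS on this address
    if not is_rfc1918(answer) and (resolver is None or not is_rfc1918(resolver)):
        return "public-resolver"   # site nameserver never queried: VPN DNS not in effect
    return "mismatch"              # an internal answer, but not the address the report lists
```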
  • Hi Christian,

    Here in China I am using the Center for Agricultural Resources Research network. If I want to access the network in Denmark (Det Jordbrugsvidenskabelige Fakultet, my faculty), then I use the VPN given to me by my IT admin in Denmark.

    Here is the report on the Software:

    Sophos Anti-Virus 9.5.6
    Release status Full
    On-access status Enabled
    Detection Engine 3.31.1
    Detection data 4.77G
    Virus data date 07-05-2912
    Items detected 3575657 (??? these are infected items on my pc detected? not possible)
    Detection identities 651
    HIPS rules version 4.1.2
    HIPS configuration version 1.0.4
    Last update 25-07.2012 15:03:55 (an hour and a half ago, though on the icon with the cross it says "updated failed").

    I am okay with the admin rights; when I come back to Denmark I can arrange that, and until then I can manually delete infected files, if any, because I am VERY CAREFUL when it comes to other devices. I had to use my USB on a Chinese PC to print something and then when I stuck it back in my PC this happened, but it was detected by Sophos. I formatted my USB, as explained previously. I will run a full scan on my PC today, as you propose.

    What I wanted is to make sure my anti-virus is up to date because I might not be an expert but I guess we all know that software should be updated regularly.

    Kiril

  • Hello Kiril,

    looks like (I might though misinterpret something) the VPN isn't working as I would expect. VPN should give you access to resources and services either unknown to and/or inaccessible from "the Internet". This will only work if your site's nameservers are queried first - that's what doesn't seem to be correct.

    Items detected 3575657

    These are the items it is able to detect (a rather meaningless number IMO - but yours is way too low, 3763627 is state of the art :smileywink:).

    Detection identities 651

    Last update 25-07.2012 15:03:55

    Strange (or maybe not) - the number of Detection Identities (IDEs) is correct - so it does seem to update correctly. You should find a record of the apparently successful update in the updating log.

    Christian

  • Hi Christian,

    I use the VPN from my faculty, i.e. I use a small device called RSA SecurID to log in, and then browse the network and the drives at my university (exactly as if I were connected in my office in Denmark, including printing). Also for the internet, but it's kind of slow, so therefore I use a small application a friend gave me (a tunnel) to browse the internet as many sites are banned here, including all mega-popular web sites.

    Okay then, unless you say otherwise, I leave the situation as it is. If it comes to something unexpected I will contact you.

    Thank you for your time,

    Kiril
