
0000006b - Sophos AutoUpdate failed from server \\server\\SophosUpdate\...

Server is running SEC 5.2.2, clients are running Endpoint Security and Control 10.3, and the error I'm getting is:

"Sophos AutoUpdate failed from server \\server\\SophosUpdate\CIDs\S000\SAVSCFXP\" (Code 0000006b)

My issue started when I noticed that the Update Manager itself hadn't updated for almost three weeks. I fixed this by finding an error using the LogViewer: "Decode operation failed when decoding product release 'Windows Endpoint Security and Control'". Someone suggested that backing up the CIDs and Warehouse folders and restarting the Sophos Update Manager service rectified this issue, and it did. However, clients were still not updating, even after a couple of days.

I then thought it might be the SophosUpdateMgr user not working so I followed a guide on resetting it properly using the ObfuscationUtil. This didn't appear to work, at least for UNC updating. I was quickly able to get clients updating using the secondary update server, using the username and password supplied by Sophos, but I'm still left with a list -- 600-long -- of computers displaying an error warning because they can't update from the SophosUpdate UNC share. I've checked permissions, even going a bit lax on the share's security, and it's still not playing ball.

Any help will be much appreciated!!

:55497


  • Hello heath,

    for endpoint updating errors (which are not immediately obvious from the alerts/messages in SEC) you should start with the AutoUpdate logs. "I then thought" often results in unnecessary work and added frustration. I understand that download from your server is failing completely (i.e. for all components). It should be rather easy to locate the more specific error message in the ALUpdate logs (to interpret it correctly could be a different story).

    Christian

    :55498
  • Hi,

    I have attached an ALUpdate log from this morning.

    Looking at this I did spot

    Trace(2015-Jan-23 08:43:58): Product download skipped, Minimum Time Interval in place...
    Trace(2015-Jan-23 08:43:58): ALUpdate(LocationSkipped): Sophos

    which was a result of me changing the update interval from 240 minutes to 20 minutes yesterday, so I changed it back.

    I did skim through the rest of the log and noticed a few other things, but I'm having trouble really taking it apart and deciphering what it all means. My gut tells me it's the SophosUpdateMgr account causing the issues though.

    Trace(2015-Jan-23 08:43:03): Attempting to make a connection to remote machine \\SERVER\SophosUpdate\CIDs\S000\SAVSCFXP\
    Trace(2015-Jan-23 08:43:08): CIDUpdate(Info): \\SERVER\SophosUpdate, DOMAIN\SophosUpdateMgr, 86
    Trace(2015-Jan-23 08:43:08): Custom certificate already present.
    Trace(2015-Jan-23 08:43:08): CalculateChecksum. Processing file C:\ProgramData\Sophos\AutoUpdate\cache\escdp.dat
    Trace(2015-Jan-23 08:43:08): Remote connection over UNC.
    Trace(2015-Jan-23 08:43:13): File master.upd not found (Remote). Return code 0x80040f04
    Trace(2015-Jan-23 08:43:13): Unable to read file master.upd (Remote)
    Trace(2015-Jan-23 08:43:13): Unable to synchronise file root.upd.
    Trace(2015-Jan-23 08:43:13): Unable to synchronise file escdp.dat.

    Many thanks

    :55509
  • Hello heath,

    "changing the update interval"

    correct - the minimum interval when updating from Sophos is one hour.

    "CIDUpdate(Info): \\SERVER\SophosUpdate, DOMAIN\SophosUpdateMgr, 86"

    Error 86 is ERROR_INVALID_PASSWORD. Did you set the correct (new) password in the updating policies (and how did you do it)?

    Christian

    :55511
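
Added example, not part of the original thread: a small Python parser that pulls the `CIDUpdate(Info)` result out of an ALUpdate trace log, decodes the Win32 error code, and lists the file errors logged after it. The `share, account, code` field layout is an assumption generalised from the single line posted above, the names `diagnose` and `WIN32_ERRORS` are hypothetical, and the error names are the standard Windows system error codes.

```python
import re
from datetime import datetime

# Win32 system error codes relevant to connecting to a UNC share (winerror.h).
WIN32_ERRORS = {
    0: "ERROR_SUCCESS", 5: "ERROR_ACCESS_DENIED", 53: "ERROR_BAD_NETPATH",
    67: "ERROR_BAD_NET_NAME", 86: "ERROR_INVALID_PASSWORD",
    1326: "ERROR_LOGON_FAILURE", 1909: "ERROR_ACCOUNT_LOCKED_OUT",
}

TRACE = re.compile(r"^\s*Trace\(([^)]+)\):\s*(.*?)\s*$")
# Assumed layout, generalised from the one sample in the thread: share, account, code.
CIDUPDATE = re.compile(r"^CIDUpdate\(Info\):\s*([^,]+),\s*([^,]+),\s*(\d+)$")

# Excerpt copied from the log lines posted in the thread.
SAMPLE_LOG = r"""
Trace(2015-Jan-23 08:43:03): Attempting to make a connection to remote machine \\SERVER\SophosUpdate\CIDs\S000\SAVSCFXP\
Trace(2015-Jan-23 08:43:08): CIDUpdate(Info): \\SERVER\SophosUpdate, DOMAIN\SophosUpdateMgr, 86
Trace(2015-Jan-23 08:43:08): Remote connection over UNC.
Trace(2015-Jan-23 08:43:13): File master.upd not found (Remote). Return code 0x80040f04
Trace(2015-Jan-23 08:43:13): Unable to synchronise file root.upd.
"""

def diagnose(log_text):
    """Return one record per CIDUpdate(Info) line, with the file errors logged after it."""
    records = []
    for line in log_text.splitlines():
        m = TRACE.match(line)
        if not m:
            continue  # not a Trace(...) line
        stamp, msg = m.groups()
        cid = CIDUPDATE.match(msg)
        if cid:
            share, account, code = cid.group(1).strip(), cid.group(2).strip(), int(cid.group(3))
            records.append({
                "time": datetime.strptime(stamp, "%Y-%b-%d %H:%M:%S"),
                "share": share, "account": account, "code": code,
                "name": WIN32_ERRORS.get(code, "UNKNOWN_%d" % code),
                "followed_by": [],
            })
        elif records and ("not found" in msg or msg.startswith("Unable to")):
            records[-1]["followed_by"].append(msg)  # symptom logged after the connection result
    return records

if __name__ == "__main__":
    for r in diagnose(SAMPLE_LOG):
        print(r["time"], r["account"], r["share"], r["code"], r["name"])
        for msg in r["followed_by"]:
            print("    then:", msg)
```

Run across logs collected from several endpoints, the same account and code repeating on every machine points at the credentials stored in the updating policy rather than at any one client.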
  • Thanks Christian. Error 86 did ring alarm bells in my head but my admittedly very brief Google search didn't flag it as pertaining to an invalid password.

    After resetting the password originally, the first thing I did was change it in the Default Updating Policy (screenshot attached to show this specifically). I OK'd twice and then complied my clients with their Group Updating Policy.

    My three domain controllers and the SEC server, however, do not have an error in the console like the rest of my clients, but they do also have Error 86 SophosUpdateMgr in the ALUpdate log.

    The new password works because I can log in with it. I guess I should try entering it on the policy again just to make sure?

    :55515
  • Hello heath,

    "error 86 ... Google search"

    I prefer to look them up where they have been devised without taking the Google detour :smileywink:

    All your groups/endpoints have the Default policy assigned? If not, then please note that the Default policy is just the one used if you create a new one - changes to it have no effect on already existing policies (this is true for all types of policies).

    The DCs and the server itself (i.e. their Computer Accounts) have sufficient rights to access the share without explicit credentials. 

    Christian. 

    :55516
  • Bookmarked the msdn link for future reference - thanks :smileytongue:

    I created a new Updating Policy, ensuring that my SophosUpdateMgr password was entered without error, and had all of my groups comply with it. Voila! Clients are now updating from the share :smileyvery-happy:

    I'm not sure how necessary creating an entirely new policy was, though, but I just wanted to rule out the Default policy as the culprit. For sure I could have tested this beforehand by re-entering the password in the Default policy, but it took just a couple of minutes to get a new policy set up.

    Thank you so much, Christian!

    :55518