Weirdness with EC 5.0

Question

I've noticed with moving to EC5.0 (fresh build, fresh server) that once a new IDE update is sent out to my workstations, they all report back "Unknown" in Up to date, but the Detection data and IDE columns show the most current. After like 45min-1 hour up to date changes to "Yes"

This is annoying because i have my threshold for out of date alerts set to like 75% and it always triggers when a new IDE is available. I'm only using one update (Primary) and no secondary.

Thoughts?

This thread was automatically locked due to age.

jak · Accepted Answer

Hi,

That's interesting and sounds like it could be the cause for the "unknown" state, I suspect that the machines that show as unknown before being automatically corrected are the ones that update from the distribution points at the top of the distribution list in the SUM configuration (they are pushed sequentially) and therefore those locations offer up the latest software to the clients before SUM has finished on the later locations. If you order the machines by their primary CID location, that could prove the theory. Unless of course you have the updating policeis set with a long interval as this would randomise the interval more than if the clients all check for updates every 10 mins for example.

That all being said, it sounds like you have a few options:

1. Install an additional SUM, maybe at the SEC site which just maintains all the subscriptions but just creates one local distribution point, i.e.. the local SophosUpdate share. Then, make that new SUM the authoritative SUM using the registry key: http://www.sophos.com/support/knowledgebase/article/57638.html 
 Updates on that SUM will happen quickly and the status messages will be sent soon after. The only thing to consider with this approach is that this SUM would have to update from Sophos, if it updates from the other SUM, you start to add in latency on the update and therefore the status message. 
 2. Install another SUM at the SEC site, make that SUM push to all the remote shares. 
 Remove the distribution locations from the SEC SUM, that would still remain authoritative. The original SUM would complete quicker, and guarantee the status message arrived in the DB faster and before any clients had a chance to update from the CIDs.

3. Install SUMs at the remote sites, subscribe them to the same subscriptions and let them push local distribution points for the clients at each site to use. Not sure how your sites are configured, but each of these remote SUMs could point to Sophos as a secondary for resilience at least for updating. This way, if the site became cut off from the main site (I assume SEC is at the main site), but still had internet access, it could still fetch updates and provide updates to the clients. Plus I find that a pull is probably more reliable than a push, plus you can pull over HTTP as well if needed.

This would be my favored approach, the only downside being that it requires a Windows server at each site, which is fine if you have them, but if you currently push to a Linux box or filer this would not be an option. The other benefit of this approach if you have mutiple products slected in a subscription is that some of the files are common, SUM at the remote site would pull the files once and then distribute them locally. Virus data is shared and quite large so it adds up to quite a saving. 
 4. Another option would be to increase the update interval on the clients, so they don't find the update so quickly but this doesn't seem the right approach, as you'd be sacrificing protection for reporting.

5. Leave everything as it is, if it's just the dashboard/email alerts you want to correct there is a registry key the management service can read in to change the allowed latency. It's a DWORD called ‘‘‘‘UpToDateLatencyMins’’’’ in the registry entry: 
 [HKEY_LOCAL_MACHINE\SOFTWARE\[wow6432node]Sophos\EE\Management Tools]

If it doesn't exist, 60 minutes it the latency, so you could create that and make it 120 minutes and see how that changes the behaviour. It will offset the "Not since" times in SEC but if you know what that's fine. If you were to create this key, you would need to restart the management service. This should cause the dashboard to be more lenient.

I hope this offers some ideas.

One thing to be mindful of is installing a new SUM at a remote site to take over the maintenance of an existing SophosUpdate share created by the main SUM. This seems to cause problems, at least it used to. I would be tempted to take a backup of the SOPHOS50 database just incase and maybe remove the distribution point from the first SUM before re-creating it with the new SUM. Something to test.

Regards, 
 Jak :19987