An update manager has not updated since 30th May

When looking at the Sophos Enterprise Console it states "an update manager has not updated since 30th May 2014", it also shows the majority of the computers are "out of date" when it comes to protection.

The endpoint computers themselves appear to be able to contact the server and get updates, however the server itself doesn't look to be updating at all.

I have looked in the Windows event viewer on the server, which is flooded with errors stating: The Sophos Agent service terminated unexpectedly.  It has done this 3849 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

This is appearing in the Windows Event Viewer on the server every minute; when I try and start the service manually it just fails.

I have attached some screenshots, can anyone advise?

Thank you.

:50658


  • Hello Gardinia,

    SUM does, if I'm correct, not communicate via the Agent. The Agent is part of the Endpoint product, which also maintains RMS (but not for much longer in this scenario). Thus a glitch in Endpoint updating (I've seen a few with 10.3.7) might cripple the communication. Is this SUM also a message relay for the out-of-date clients?
    As for the Agent problem - reinstalling/reprotecting should resolve the issue (though I had one client where always "something" was missing on the first three attempts - each time a different subcomponent).

    Christian
    :50660
  • Thank you for your reply,

    I have reinstalled the Sophos Endpoint Protection on the server, however the event log is still being flooded with messages saying "The Sophos Agent service terminated unexpectedly.  It has done this 1232 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service."

    The service doesn't actually look to start at all when trying to do so manually.

    As for the update manager not getting updates I'm not totally sure what you were trying to say there (still pretty new to Sophos!), basically our server runs the Sophos Enterprise Console, which deployed Sophos Endpoint Protection to all the client computers on the network.

    The client computers appear to update from the server fine, however I think it's the server not getting updates as the update manager states it has not updated since the 30th of May.

    :50672

  • QC wrote:


    SUM does, if I'm correct, not communicate via the Agent.


    Just to chip in on one point: SUM has an adapter much the same as SAU, SAV, SCF and does use the Sophos Agent of the local RMS install.  Hence a working RMS (message router and agent) is essential to SUM reporting accurately.  Example:

    2014-06-05_10-33-15.png

    :50676
  • Hello Gardinia,

    as written in the short post yesterday, I had one endpoint where the Agent failed to start in a similar manner. As there was no immediately obvious cause I decided to reprotect it only to find the service wasn't there at all; retried, noticed that the whole RMS component was missing; next time AutoUpdate had problems. Eventually, on the fourth attempt, everything was as it should be. 

    Must admit that I mistook the words of the message you've quoted (an update manager) for the description of the problem, sorry.

    In the Endpoints view go to tab Computer Details and check the Last message time. Is there any value later than May 30th? Also it looks like your management server (which seems to be called Server) isn't connected (to itself). This suggests an issue with the Message Router. Is the service (Sophos Message Router) running? Whether or not, have a look at the most recent log (in \ProgramData\Sophos\Remote Management System\3\Router\Logs). [Edit] Just saw ruckus' correction (thanks, ruckus) - the failing agent is probably the culprit. The Router is only suspicious if there's no recent Last message time. [/Edit]

    To verify that SUM is working and the clients indeed up-to-date check the Sophos version and number of IDEs with the local Sophos GUI (View product information on the left, then expand Anti-virus and HIPS+Software - right now it's 422 IDEs for 10.3.7, Detection Data 5.01).

    Christian

    :50678
  • For the Agent service not starting you could try something simple like re-registering the common DLLs required first off.  From a command prompt run:

    regsvr32 msxml3.dll
    regsvr32 msxml4.dll

     ...then try the service again.

    :50682
  • On the endpoints the Sophos Antivirus Version is 10.3.7.527, the Detection Identities is 422 and the Detection Date is 5.01. So I believe that is working as expected? See the client.png image I have attached to this post.

    As for the Sophos Agent that is still failing to start with the error 1067 - the process terminated unexpectedly. (see the attached sophos-agent.png)

    In regards to what ruckus mentioned the msxml3.dll registers fine, however the msxml4.dll does not appear to exist.

    :50700
  • Hello Gardinia,

    SUM and endpoint updating are apparently fine - no need to worry at the moment. But this intra-server communications failure needs to be resolved. Can't check now though - it's 8:30 P.M.

    Christian
    :50714
  • If you have any suggestions when you have time I would be grateful, Sophos support recommend just uninstalling, reinstalling and configuring it again, which I would sooner avoid if possible!

    :50740
  • Hello Gardinia,

    as for msxml4.dll - it's likely not on your system, instead try with msxml6.dll. Dunno if this will resolve the error though.

    Knowing what happened on May 30th might help. The RMS component hasn't been changed with the update from 10.3.1 to 10.3.7 so I'd rule it out (unless it happened on this date). Please check the latest (most recent) Agent log in C:\ProgramData\Sophos\Remote Management System\3\Agent\Logs. - what is the last timestamp in it, perhaps post the last few lines.

    Otherwise I can only suggest to give reprotection another one or two tries as it should do no harm. BTW - is the Endpoint component on the server up-to-date (10.3.7, 430 IDEs)?

    Christian

    :50748
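
The checks suggested in this thread (service state, the Service Control Manager crash records, and the newest Agent or Router log) collected into one read-only script, added here as an example and not posted by any participant or provided by Sophos. It assumes PowerShell 3.0 or later, the service display names and log folders quoted in the posts above, and that Router logs use the same .log extension as the Agent log; the function names are made up for this example.

```powershell
# Added example: read-only triage for the RMS Agent/Router problem discussed in this thread.
# Assumptions: display names and folders are the ones quoted in the posts; function names are hypothetical.
$RmsRoot = Join-Path $env:ProgramData 'Sophos\Remote Management System\3'

function Get-RmsServiceState {
    # Current state of the two RMS services named in the thread.
    Get-Service -DisplayName 'Sophos Agent', 'Sophos Message Router' -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Name, Status
}

function Get-ServiceCrashEvent {
    param([string]$ServiceDisplayName = 'Sophos Agent', [int]$Days = 7)
    # Event 7031 (Service Control Manager) is the "terminated unexpectedly ... corrective action" record.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$ServiceDisplayName*" } |
        Select-Object TimeCreated, Message
}

function Get-LatestRmsLogTail {
    param([ValidateSet('Agent', 'Router')][string]$Component = 'Agent', [int]$Lines = 20)
    $dir = Join-Path $RmsRoot "$Component\Logs"
    if (-not (Test-Path $dir)) { Write-Warning "No log folder at $dir"; return }
    $latest = Get-ChildItem -Path $dir -Filter '*.log' -File |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $latest) { Write-Warning "No log files in $dir"; return }
    [pscustomobject]@{
        File      = $latest.FullName
        LastWrite = $latest.LastWriteTime   # compare with the "not updated since" date
        Tail      = Get-Content -Path $latest.FullName -Tail $Lines
    }
}

Get-RmsServiceState | Format-Table -AutoSize
"Crash events in the last 7 days: $((Get-ServiceCrashEvent | Measure-Object).Count)"
foreach ($c in 'Agent', 'Router') { Get-LatestRmsLogTail -Component $c | Format-List }
```

A log whose last line sits within a second or two of the "starting..." line, repeated across several files, matches the once-a-minute restart loop recorded in the System event log.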
  • I have 4x log files, each with identical data in them

    06.06.2014 14:16:23 2408 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Agent/Logs/Agent-20140606-131623.log
    06.06.2014 14:16:23 2408 I Sophos Management Agent 3.4.1.3411 starting...
    06.06.2014 14:16:23 6FFC I SAUAdapter - SAU IPCBase::IPCBase: Initialising shared memory A32951C539924a12B3C8F2FDA5A268E4
    06.06.2014 14:16:23 96E4 I SAUAdapter - SAU IPCListener::Wait started
    06.06.2014 14:16:23 96E4 I SAUAdapter - SAU IPCListener::Wait Waiting for more messages

    The endpoint protection is up to date on the server, the Enterprise console just appears to think everything is broken / is not pulling any updated data from anywhere.

    Reprotecting doesn't appear to change anything either, seems very strange Sophos on the server will just randomly mess up to the point it's broken so badly. Nothing at all has changed on the server, it's installed updates and that's about it.

    :50758