
Sophos Update Manager Failing

Greetings,

I work for a school system with approximately 6,000 endpoints. Our SEC and single SUM are running from the same server (I realize it is not recommended with our number of endpoints). At 10:06 am on 9/17/2012, SEC received several errors from the SUM service:

80040406: Delivery failed for software subscription 'xxxx'. Access to source update location is denied or the location is otherwise unavailable.

80040401: Software update failed.

80040404: Threat detection data update failed.

These errors continued to be produced over the next few days.

On 9/26/2012, these codes began to appear:

80040410: Data read from the update source for software subscription '9.7.7 VDL4.78G xxxxx' was invalid (e.g. corrupt or incomplete).

Today, I upgraded that subscription to VDL4.81G and followed the http://www.sophos.com/en-us/support/knowledgebase/66176.aspx article in an attempt to get SUM service running again.

I am still receiving these errors after following the instructions:

Code 80040401: Software update failed.

Code 80040406: Delivery failed for software subscription '10.0,8.0.7.0 Recommended'. Access to the source update location is denied or the location is otherwise unavailable.

Code 80040410: Data read from the update source for software subscription 'Recommended' was invalid (e.g. corrupt or incomplete).

Code 80040404: Threat detection data update failed.

Along with these issues per subscription:

Subscription               | Update source           | Last updated          | Status
10.0,8.0,7.0 Recommended   | \\OCRACOKE\SophosUpdate | 9/28/2012 8:45:22 AM  | 00000002 Could not read from the update source location
9.7 Recommended            | \\OCRACOKE\SophosUpdate | 9/28/2012 8:48:17 AM  | 00000002 Could not read from the update source location
9.7.7 Extended Maintenance | \\OCRACOKE\SophosUpdate | 9/28/2012 8:49:01 AM  | 00000002 Could not read from the update source location
9.7.7 VDL4.81G Static      | \\OCRACOKE\SophosUpdate | Never                 | 00000002 Could not read from the update source location
Recommended                | \\OCRACOKE\SophosUpdate | 9/28/2012 8:48:27 AM  | 00000001 The update source location is invalid

LogViewer is presenting such errors as:

9/28/2012 3:33:07 PM Error Synchronize operation failed when synchronizing product release 'Windows Endpoint Security and Control' because of a checksum error. Details: Checksum error: e5e317f9006e874679e449ba4b159b5e
9/28/2012 3:33:07 PM Error Synchronize operation failed when synchronizing product release 'Windows Endpoint Security and Control' because of a checksum error. Details: Checksum error: e5e317f9006e874679e449ba4b159b5e
9/28/2012 3:33:07 PM Error Synchronize operation failed when synchronizing product release 'Windows Endpoint Security and Control' because of a checksum error. Details: Checksum error: e5e317f9006e874679e449ba4b159b5e
9/28/2012 3:33:07 PM Error Synchronize operation failed when synchronizing product release 'Windows Endpoint Security and Control' because of a checksum error. Details: Checksum error: e5e317f9006e874679e449ba4b159b5e
9/28/2012 3:33:04 PM Error Synchronize operation failed when synchronizing the protection data for product release 'Windows Endpoint Security and Control' because of a checksum error. Details: Checksum error: e5e317f9006e874679e449ba4b159b5e
9/28/2012 3:33:04 PM Error Synchronize operation failed when synchronizing the protection data for product release 'Windows Endpoint Security and Control' because of a checksum error. Details: Checksum error: e5e317f9006e874679e449ba4b159b5e
9/28/2012 3:33:04 PM Error Synchronize operation failed when synchronizing the protection data for product release 'Windows Endpoint Security and Control' because of a checksum error. Details: Checksum error: e5e317f9006e874679e449ba4b159b5e
9/28/2012 3:33:04 PM Error Synchronize operation failed when synchronizing the protection data for product release 'Windows Endpoint Security and Control'. Details: File copy failed.
9/28/2012 3:26:54 PM Information The log viewer dictionary was updated successfully.
9/28/2012 3:26:53 PM Information Update source status was checked successfully.
9/28/2012 3:24:12 PM Information The maintenance operation was successful.
9/28/2012 3:24:07 PM Information Sophos Update Manager has started up.

I don't think my problem stems from the Shh/Updater-B issue, as the Sophos Endpoint Protection client running on the SEC/SUM server didn't report the false positive and none of the endpoints in our county have either. Perhaps we dodged that issue due to this one?

I apologize if the formatting of this information is subpar. Does anyone have any insight to my situation? Any help would be greatly appreciated.

Thanks in advance,

Cameron



  • Brilliant assessment!

    Yes, we have a SonicWALL firewall doing content inspection. I "Wiresharked" an update attempt and filtered for external traffic, finding four relevant IP addresses. It turns out that we are getting alerts from two of these IPs when we make an update attempt:

    Gateway Anti-Virus Alert: Suspicious#polycrypt.1_2 (Worm) blocked

    Hoping it was a false positive, we allowed this traffic through only to get another alert from the same two IP addresses:

    Gateway Anti-Virus Alert: Suspicious#polycrypt.9 (Worm) blocked

    I realize IPS systems are quite capable of false positives, but allowing one possibly infected file was enough for me before I was ready to come back for more consultation.

    I have refrained from printing the offending IP addresses in case you don't want that information posted on the forum. I have access to the SonicWALL logs, so please let me know if you want more detailed information. Have you seen this before? How should we proceed?

    Thanks,

    Cameron

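The triage described in the reply above, as an added example that is not part of the original thread or any Sophos or SonicWALL tooling: take the external destinations the update server contacted during an update attempt (here a constructed CSV in the shape of a Wireshark/tshark conversations export, with a hypothetical SUM host 10.20.0.5), join them against the firewall's Gateway Anti-Virus alerts (constructed lines in a SonicWALL-like key=value syslog shape; the field names are an approximation, not the vendor's format), restrict to the time window of the attempt, and report which update-source hosts were blocked and which passed. All IP addresses are documentation ranges, not real Sophos update servers.

```python
"""Correlate an update attempt's external destinations with gateway AV alerts.

Added example, not from the original thread. Input formats are constructed:
  - CAPTURE_CSV: tshark-style conversation export reduced to src,dst,dport,bytes
  - FIREWALL_LOG: SonicWALL-like key=value syslog lines (an approximation)
"""
import csv
import io
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical internal ranges for the site; adjust to your own addressing.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

SUM_HOST = "10.20.0.5"  # hypothetical address of the SEC/SUM server

# Constructed capture summary: traffic from the SUM host during one update run.
CAPTURE_CSV = """src,dst,dport,bytes
10.20.0.5,10.20.0.1,53,412
10.20.0.5,203.0.113.10,80,1048576
10.20.0.5,203.0.113.11,80,524288
10.20.0.5,198.51.100.7,443,2048
10.20.0.5,198.51.100.8,80,8192
10.20.0.5,10.20.0.9,445,65536
"""

# Constructed firewall events. One is from another host, one is outside the
# update window, one is not an AV alert at all; the correlation must skip them.
FIREWALL_LOG = """time="2012-09-28 15:33:04" src=10.20.0.5:49152:X0 dst=203.0.113.10:80:X1 msg="Gateway Anti-Virus Alert: Suspicious#polycrypt.1_2 (Worm) blocked"
time="2012-09-28 15:33:05" src=10.20.0.5:49153:X0 dst=203.0.113.11:80:X1 msg="Gateway Anti-Virus Alert: Suspicious#polycrypt.1_2 (Worm) blocked"
time="2012-09-28 15:40:12" src=10.20.0.5:49160:X0 dst=203.0.113.10:80:X1 msg="Gateway Anti-Virus Alert: Suspicious#polycrypt.9 (Worm) blocked"
time="2012-09-28 15:40:13" src=10.20.0.5:49161:X0 dst=203.0.113.11:80:X1 msg="Gateway Anti-Virus Alert: Suspicious#polycrypt.9 (Worm) blocked"
time="2012-09-28 09:02:41" src=10.20.0.44:51000:X0 dst=203.0.113.10:80:X1 msg="Gateway Anti-Virus Alert: Suspicious#polycrypt.9 (Worm) blocked"
time="2012-09-28 15:41:00" src=10.20.0.5:49170:X0 dst=198.51.100.7:443:X1 msg="Connection Opened"
"""

EVENT_RE = re.compile(
    r'time="(?P<time>[^"]+)"\s+src=(?P<src>[\d.]+):\d+\S*\s+'
    r'dst=(?P<dst>[\d.]+):(?P<dport>\d+)\S*\s+msg="(?P<msg>[^"]*)"'
)


def is_external(ip: str) -> bool:
    """True if the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_destinations(capture_csv: str, sum_host: str) -> dict:
    """Map each external IP the SUM host talked to -> set of destination ports."""
    dests = defaultdict(set)
    for row in csv.DictReader(io.StringIO(capture_csv)):
        if row["src"] == sum_host and is_external(row["dst"]):
            dests[row["dst"]].add(int(row["dport"]))
    return dict(dests)


def parse_alerts(log_text: str) -> list:
    """Return only Gateway Anti-Virus alert events; skip other or unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m or "Gateway Anti-Virus Alert" not in m["msg"]:
            continue
        events.append({
            "time": datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "msg": m["msg"],
        })
    return events


def correlate(capture_csv: str, log_text: str, sum_host: str,
              start: datetime, end: datetime) -> dict:
    """For each external update destination, list the AV alerts raised on the
    SUM host's connections to it within [start, end]. An empty list means the
    firewall let that host's traffic through."""
    report = {ip: {"ports": sorted(ports), "alerts": []}
              for ip, ports in external_destinations(capture_csv, sum_host).items()}
    for ev in parse_alerts(log_text):
        if ev["src"] != sum_host or ev["dst"] not in report:
            continue
        if not (start <= ev["time"] <= end):
            continue
        report[ev["dst"]]["alerts"].append(ev["msg"])
    return report


def blocked_hosts(report: dict) -> list:
    """Update-source IPs that had at least one alert during the attempt."""
    return sorted(ip for ip, r in report.items() if r["alerts"])


def example_report() -> dict:
    """Run the correlation on the constructed data for the 15:30-16:00 attempt."""
    return correlate(CAPTURE_CSV, FIREWALL_LOG, SUM_HOST,
                     datetime(2012, 9, 28, 15, 30), datetime(2012, 9, 28, 16, 0))


if __name__ == "__main__":
    for ip, r in sorted(example_report().items()):
        verdict = "BLOCKED" if r["alerts"] else "passed"
        print(ip, r["ports"], verdict, sorted(set(r["alerts"])))
```

On the constructed data the script finds the four external hosts the update run touched and shows that exactly two of them drew Gateway Anti-Virus alerts, which is the pattern the reply describes. The time window matters: an alert on the same destination from a different internal host hours earlier is deliberately excluded, so the output answers "which update sources did the firewall block during this attempt" rather than "which addresses have ever been flagged."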