It seems Sophos Endpoint Protection updates are getting blocked by the UTM's IPS engine. Here's what the logs show each time an update is attempted (and ultimately fails).
2015:07:24-12:41:41 astaro snort[4833]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt" group="340" srcip="208.111.171.148" dstip="172.20.2.183" proto="6" srcport="80" dstport="50650" sid="33977" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:24-12:42:13 astaro snort[4833]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt" group="340" srcip="208.111.178.228" dstip="172.20.2.183" proto="6" srcport="80" dstport="50653" sid="33977" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
The source IP addresses resolve to the d3.sophosupd.com domain that the update is attempted from (may be different for others as it's a CDN and may be globally load balanced).
Temporary workaround is to exempt Rule ID 33977. Is Sophos working on a permanent fix for this conflict between the two products?
This thread was automatically locked due to age.
Guest User!
You are not Sophos Staff.
