Anyone Having Trouble with Sophos Updates?

Started by Jeff Zylstra, April 07, 2016, 02:43:50 PM


Jeff Zylstra

I don't know how long ago now, but I seem to be having the same issues again with Sophos.  I came in this morning to my server rebooting every 5-10 minutes.  About the interval when it goes out and looks for Sophos updates.   I stopped all of the Sophos services that have to do with updating or communication to the server:  Sophos Auto Update; Patch Endpoint Communicator; Patch Endpoint Coordinator; Patch Server Communicator and Sophos Update Manager.   

It's been since about 10:30 this morning, and it hasn't rebooted again, so one or more of these are causing an issue.  My next task is that I will start all of these one by one, waiting 15 minutes in between time, until I can make it crash again.  It crashes when no one is logged in or connected, so this is the only thing I can think of that would cause it.

I did find a "duh" moment and corrected it on the server.  The GPO that I use primarily to govern folder redirection and roaming was linked to "Authenticated Users" as the permission.  That, of course, made it apply to every single user (including the fax server user and Administrator users).  I removed those and added the individual users.  I don't think that would make the server crash.  But now I'm having error messages where it says the roaming profiles are not synchronizing.  Anyone have any ideas why that might be?
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Jeff Zylstra

OK.  I had this issue last year, and there was no real diagnosis or cure, other than uninstalling and reinstalling Sophos on the server.  Since that time, 15 other people have had the mysterious server reboots relating to the AutoUpdater service, so I thought I would share the Email I got back from Sophos Support....


Downloaded BlueScreenView
Analysed the dump:

MRXSMB10.sys is involved on all the crashes



Found the following KB:
https://www.sophos.com/en-us/support/knowledgebase/122573.aspx

Configured according to KB with registry change
reboot the server

Additional info on the MRXSMB10.sys file version:


Microsoft KBs referring to a security update that changes the file version: Security Update for Windows Server 2008 R2 x64 Edition (KB3000483) - https://www.microsoft.com/en-us/download/details.aspx?id=45547
https://support.microsoft.com/en-ca/kb/2473205
https://support.microsoft.com/en-ca/kb/3000483

Forced an update on the server.
SAV successfully upgraded to version 10.6.3 (latest)
Server didn't crash.

"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Charlie Charbonneau

Interesting.  Thanks for posting.  Aren't you running Sophos through Unix?

Just had a peek at the version number on my station and I'm showing 10.6 only, which also shows current on Sophos.com.  Curious how you got the .3
Charlie Charbonneau
GBMB Insurance
San Antonio TX.

EPIC 2022, CSR24, Windows 2012 Hyper-V & 2016, Win10/11 Pro Stations, Sophos Anti-Virus.

Jeff Golas

I've had a couple lil glitching things over the past week or so but nothing major.
Jeff Golas
Johnson, Kendall & Johnson, Inc. :: Newtown, PA
Epic Online w/CSR24
http://www.jkj.com

Jeff Zylstra

Quote from: Charlie Charbonneau on April 12, 2016, 12:15:35 PM
Interesting.  Thanks for posting.  Aren't you running Sophos through Unix?

Just had a peek at the version number on my station and I'm showing 10.6 only, which also shows current on Sophos.com.  Curious how you got the .3

Nope.  Not running it on *nix boxes.  I've not kept current on the Linux updates, so I've decommissioned my Linux box for now.  I may update it and get it running again this summer.

I think that the issues that I have don't relate to updating definition files, but rather updating the AV program software itself.  The program update downloaded just fine, but when it came time to install and replace the existing anti-virus, it flipped out almost immediately.  After the support tech added this registry entry and rebooted the server, it then updated from 10.3 to 10.6 without any problems.   

The last time I called in, they kind of treated this as an anomaly and couldn't explain it.  I'm glad there's now a KB article out there with a fix, because this was a real pain to deal with.

"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop