Sophos Intercept X Install or Update ends with HTTP Error 403 (May 6, 2022)

Brief information for administrators of a Sophos Intercept X endpoint solution. The vendor seems to be informing its customers about a serious problem: after a fresh installation of Sophos Intercept X Endpoint for Windows, or after an update, sus.sophosupd.com is no longer accessible and instead returns an HTTP Error 403. In the meantime, Sophos has published a corresponding advisory (KB-000043980 dated May 6, 2022) about this problem. Here is some information about this issue.

Sophos Intercept X Endpoint

Sophos Intercept X Endpoint is a complete endpoint protection solution. According to the specifications, the product offers Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), an anti-ransomware feature and more. The product is expected to be used in corporate environments to secure endpoints.

Install/Update ends with HTTP Error 403

German blog reader Stefan V. just informed me via Facebook about an issue with Sophos Intercept X Endpoint (thanks for the hint) and wrote:

Hello, just received from Sophos via sms. Intercept X commits suicide

Nice paraphrase of the issue. Sophos has published an ADVISORY: New installations fail with HTTP Error 403 from https://sus.sophosupd.com/ (KB-000043980) with the following error description:

Issue

New Installation and/or Device updates fail with HTTP Error 403 from https://sus.sophosupd.com/
This error is seen in C:\ProgramData\Sophos\AutoUpdate\SophosUpdate.log

2022-05-04T07:10:28.803Z [10656: 9772] I 403 from https://sus.sophosupd.com/v3/9745d246-c789-44c8-8d39-24555b7d9703/151c12e7-04d6-490b-ba82-a19425c990be with proxy: <direct; no proxy>
2022-05-04T07:10:28.804Z [10656: 9772] W Error refreshing service config: will sync using stale SUS config: No reachable update service locations
2022-05-04T07:10:28.810Z [10656: 9772] E No reachable update service locations

And C:\ProgramData\Sophos\CloudInstaller\CloudInstaller.log

2022-05-01T23:19:59.5312323Z INFO : 403 from https://sus.sophosupd.com/v3/d1cb1aee-737a-4892-a1f2-30812118b04a/cfb2de67-b963-459c-985e-a75bedf4ecb0 with proxy: <direct; no proxy>
2022-05-01T23:19:59.5312323Z ERROR : Error: No reachable update service locations
2022-05-01T23:19:59.5312323Z ERROR : DownloadCommand::onRun() failed with std::exception: SDDS3 sync failed

The bug affects Sophos Intercept X Endpoint for Windows and occurs due to issues with the endpoint record in Sophos Central. Customers experiencing the issue during an installation can work around it by renaming the device (changing its hostname) and retrying the installation. This will create a new endpoint record in Sophos Central.

Customers experiencing this error during updates can currently only fix the problem by reinstalling the product with a new hostname, Sophos wrote in its notice. It is only product updates that fail. Supplemental updates continue to work as intended, so protection is not currently affected.
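
To check collected endpoint logs for this signature, the following sketch (an added example, not code from Sophos or from the advisory) matches the "403 from https://sus.sophosupd.com/..." line in either log format and maps the log name to the workaround quoted above. The sample lines are the excerpts from this post; the function name triage and the handling of a non-direct proxy value are assumptions.

```python
import re

# Sample input: the log excerpts quoted in this post (no other data is read).
UPDATE_LOG = """\
2022-05-04T07:10:28.803Z [10656: 9772] I 403 from https://sus.sophosupd.com/v3/9745d246-c789-44c8-8d39-24555b7d9703/151c12e7-04d6-490b-ba82-a19425c990be with proxy: <direct; no proxy>
2022-05-04T07:10:28.804Z [10656: 9772] W Error refreshing service config: will sync using stale SUS config: No reachable update service locations
2022-05-04T07:10:28.810Z [10656: 9772] E No reachable update service locations
"""
INSTALLER_LOG = """\
2022-05-01T23:19:59.5312323Z INFO : 403 from https://sus.sophosupd.com/v3/d1cb1aee-737a-4892-a1f2-30812118b04a/cfb2de67-b963-459c-985e-a75bedf4ecb0 with proxy: <direct; no proxy>
2022-05-01T23:19:59.5312323Z ERROR : Error: No reachable update service locations
2022-05-01T23:19:59.5312323Z ERROR : DownloadCommand::onRun() failed with std::exception: SDDS3 sync failed
"""

# Both logs start with an ISO timestamp but differ in the level/thread fields,
# so only the timestamp and the "403 from <SUS URL> with proxy: ..." part match.
HIT = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+Z)\s.*?\b403 from "
    r"(?P<url>https://sus\.sophosupd\.com/\S+) with proxy: (?P<proxy>.*?)\s*$"
)
DIRECT = "<direct; no proxy>"
NO_LOCATION = "No reachable update service locations"

# Workarounds as stated in the advisory, keyed by the log that shows the error.
ADVICE = {
    "SophosUpdate.log": "update failure: reinstall the product with a new hostname",
    "CloudInstaller.log": "install failure: rename the device hostname and retry",
}

def triage(log_name, text):
    """Return a finding dict if the log shows the SUS 403 signature, else None."""
    hits = [m for m in map(HIT.match, text.splitlines()) if m]
    if not hits:
        return None
    return {
        "log": log_name,
        "first_seen": hits[0]["ts"],                  # first match in file order
        "urls": sorted({m["url"] for m in hits}),
        # Assumption: a 403 seen through a proxy may come from the proxy itself,
        # so it is flagged for a separate check before applying the workaround.
        "via_proxy": any(m["proxy"] != DIRECT for m in hits),
        "sync_failed": NO_LOCATION in text,
        "advice": ADVICE.get(log_name, "unknown log: check the advisory"),
    }

if __name__ == "__main__":
    for name, text in (("SophosUpdate.log", UPDATE_LOG), ("CloudInstaller.log", INSTALLER_LOG)):
        print(triage(name, text))
```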
