Wednesday, 12 August 2015

ZyXEL USG & Sophos EndPoint - FILE Invalid XML Version Action: Reject Both Severity: severe

I recently encountered frequent update failures with Sophos EndPoint, which coincided with the activation of the Intrusion Detection and Prevention (IDP) service on my ZyXEL USG310 firewall.

Sophos EndPoint (version 10.3) displayed the following error on the PC (Windows 8.1):-

Updating failed Sophos Endpoint Security and Control has failed to download updates

Windows system tray Sophos Update Error notification
The Sophos AutoUpdate log file showed the following error:

 ERROR: Could not find a source for updated packages

Error found in Sophos AutoUpdate Log file

This particular PC had Sophos EndPoint configured to retrieve updates directly from the Sophos AutoUpdate servers on the web rather than from the local EndPoint update server. I immediately checked that the EndPoint server was still picking up the updates to distribute to clients, and everything seemed normal there, so the issue appeared to be confined to this client.

I then checked the firewall logs, as the activation of IDP on the ZyXEL USG310 was the last major change to the network. In the logs I found multiple instances of the following error, which pointed to the destination address of the PC on the network and coincided with every update attempt run in Sophos:-

Rule_id=1 SSI=N [type=Sig(1058608)] FILE Invalid XML Version Action: Reject Both Severity: severe
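The correlation described above (matching IDP reject entries against the updating PC and the times of each update attempt) can be done programmatically before deciding which signature to switch off. The following is an added example, not part of the original post or any ZyXEL or Sophos tool; the message text follows the log entry quoted above, while the timestamp and destination columns and all sample values are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Regex for the message portion of the ZyXEL USG IDP log entry quoted in the post.
IDP_MSG = re.compile(
    r"Rule_id=(?P<rule>\d+)\s+SSI=(?P<ssi>[YN])\s+\[type=Sig\((?P<sig>\d+)\)\]\s+"
    r"(?P<name>.+?)\s+Action:\s+(?P<action>.+?)\s+Severity:\s+(?P<severity>\w+)$"
)

def parse_idp_message(msg):
    """Return the fields of an IDP log message as a dict, or None for non-IDP lines."""
    m = IDP_MSG.match(msg.strip())
    return m.groupdict() if m else None

# Constructed sample log: (timestamp, destination host, message). The timestamp and
# destination columns are assumptions for this example; only the message text follows
# the format seen in the post. Signature 9999999 is a placeholder, not a real ID.
SAMPLE_LOG = [
    ("2015-08-12 09:00:02", "192.168.1.50", "Rule_id=1 SSI=N [type=Sig(1058608)] FILE Invalid XML Version Action: Reject Both Severity: severe"),
    ("2015-08-12 09:00:03", "192.168.1.77", "Rule_id=1 SSI=N [type=Sig(9999999)] EXAMPLE Placeholder Signature Action: Reject Both Severity: medium"),
    ("2015-08-12 09:15:03", "192.168.1.50", "Rule_id=1 SSI=N [type=Sig(1058608)] FILE Invalid XML Version Action: Reject Both Severity: severe"),
    ("2015-08-12 09:30:01", "192.168.1.50", "Rule_id=1 SSI=N [type=Sig(1058608)] FILE Invalid XML Version Action: Reject Both Severity: severe"),
    ("2015-08-12 10:00:00", "192.168.1.50", "Rule_id=1 SSI=N [type=Sig(1058608)] FILE Invalid XML Version Action: Reject Both Severity: severe"),
    ("2015-08-12 10:05:00", "192.168.1.50", "Some unrelated firewall message"),
]

# Constructed update attempts taken from the client's AutoUpdate log: (timestamp, host).
UPDATE_ATTEMPTS = [
    ("2015-08-12 09:00:00", "192.168.1.50"),
    ("2015-08-12 09:15:00", "192.168.1.50"),
    ("2015-08-12 09:30:00", "192.168.1.50"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(log, attempts, window=timedelta(seconds=30)):
    """Count IDP rejects per (signature, name) that hit an updating host within
    `window` after one of its update attempts. Entries outside the window, on
    other hosts, or with a non-reject action are ignored."""
    hits = Counter()
    for ts, dst, msg in log:
        fields = parse_idp_message(msg)
        if not fields or not fields["action"].startswith("Reject"):
            continue
        t = _ts(ts)
        if any(h == dst and timedelta(0) <= t - _ts(a) <= window for a, h in attempts):
            hits[(fields["sig"], fields["name"])] += 1
    return hits

if __name__ == "__main__":
    for (sig, name), n in correlate(SAMPLE_LOG, UPDATE_ATTEMPTS).most_common():
        print(f"Sig({sig}) {name}: {n} reject(s) aligned with update attempts")
```

A signature that lines up with every attempt, as 1058608 does here, is the one to query in the IDP profile; signatures firing on other hosts or at unrelated times are left alone.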

To resolve this issue, I looked to inactivate the particular IDP rule that appeared to be blocking Sophos, by going to the ZyXEL Configuration > UTM Profile > IDP menu and editing the active rule:-

I then hit Switch to Query View...

...and searched by Signature ID, using the ID (1058608) from the ZyXEL log entry.

I then inactivated the entry in the query result, hit Save and OK, and reattempted an update in Sophos, which showed the usual updating status screen and completed successfully.

The cause of this issue appears to be the IDP rule in ZyXEL rejecting one of the XML files required early in the Sophos EndPoint update process - possibly an invalid file on the servers at Sophos? More details on the IDP error were available on the ZyXEL box under Monitor > UTM Statistics > IDP, at the link below:-