[Sophos Notification] Advisory - Sophos Central: Windows 10 Endpoints may fail to upgrade Sophos Endpoint Defense.

We now have this error as specified above.

The link "refer to this KBA" does not work, it just takes you to a general index where I cannot find any reference to this advisory.

Does anyone know where this KB132930 is or what the workaround was ?

Hello carina,

when you say this error as specified above do you refer to just the message Failed to install sed64: 80004005 or the other details (Win10, messages in the log - can't be the Central Core Agent version as this is now 2.8.6, aren't you still using SEC) as well?
Asking because there's a known issue with Win7/2008R2 endpoints that aren't fully patched. 

Christian

Extract from Sophos Endpoint Defence Setup log on client machine (Windows 10 1909)

24/08/2020 11:39:53, INFO : Operating system version is Win10 or greater and supports InstallELAMCertificate ...
24/08/2020 11:39:53, INFO : Updating ELAM driver...
24/08/2020 11:39:53, ERROR : Filesystem error code: 1
24/08/2020 11:39:53, ERROR : Error upgrading/downgrading Sophos Endpoint Defense: Failed to copy SophosEL.sys into System32 drivers
24/08/2020 11:39:53, INFO : C:\Program Files\Sophos\Endpoint Defense\Pending has already been removed.
24/08/2020 11:39:53, INFO : Registered SED to be tamper protected.
24/08/2020 11:39:53, ERROR : SetupPlugin install error: Failed to upgrade/downgrade Sophos Endpoint Defense.

Extract from Sophos Enterprise Console (5.5.2 on Windows Server 2016)

Hello carina,

haven't seen this on Win10. Is it only one machine or more, and is it attempting to update to SAV 10.8.9/SED 2.2.4 ?

Christian

Hello Christian,

Thanks for trying to help on this.

I'm actually seeing the error on 7 machines out of a total of 106 currently connected to the network, all Windows 10.

The current SAV version it should be updating to is 10.8.9.292 and SED is 2.2.4.517 (I think, if I've read the right info)

On the machine I was looking at yesterday I uninstalled Sophos in order to re-install it but the Endpoint Defense wouldn't uninstall.  It sat in the list of programs in Control Panel and although I clicked uninstall (more than once) it didn't uninstall, but gave no message either as to any reason why.

I'm puzzled as to why just these 7 machines. 

Although they are all machines that have been encrypted & off-site for home working during COVID restrictions (but are now back on-site) we have another 17 machines that were in this same position of being off-site and now back and they are OK, so I don't think that's the connection.

Hello carina,

as you are experimenting, you could run %ProgramFiles%\Sophos\Endpoint Defense\SEDuninstall.exe. from an admin command prompt. It seems to accept a /quiet switch and without this it might tell why it fails.

Christian 

Ok, so it looks like the problem is the uninstall process can't delete C:\Windows\System32\Devices\SophosEL.sys.  The error is 'Access denied'.

I tried the SophosZap tool and it deleted everything except this file.

I am logged in as local administrator (and have also tried domain administrator account) , running command prompts as administrator, so I should have all rights to everything in theory, but I cannot manually delete SophosEL.sys.

I have looked at the permissions and the effective permissions for the administrator users are Full Control on everything.  The owner of the file is local Administrators group which has full control.  I cannot change the owner or add any other account.

Hello carina,

indeed everything (not just files) gone - no Sophos service remaining?

Christian

All services have gone, all programs, including the Endpoint Defence that was listed in Control Panel.

Only thing left is that driver SophosEL.sys.

When I re-install Sophos from the Enterprise Console I get the same error again  "Failed to install Sophos Endpoint Defense: Error code 80004005"

All services have gone, all programs, including the Endpoint Defence that was listed in Control Panel.

Only thing left is that driver SophosEL.sys.

When I re-install Sophos from the Enterprise Console I get the same error again  "Failed to install Sophos Endpoint Defense: Error code 80004005"

Hello carina,

if you as admin can't delete the file it's not surprising that the install fails as it likely encounters the same access denied. Process Explorer can show if some process is accessing to the file - a  lock can cause an access denied regardless of your rights.
Normally the file can be deleted (if TP is off). I assume you have already tried a reboot. As said, I haven't seen this problem and I think you should open a case with Support.

Christian

I have now deleted the SophosEL.sys file by booting into Safe Mode.

However, that has made no difference.

I have done a complete clean uninstall, all services removed.  Removed the computer from the Sophos Enterprise Console and 're-discovered' it.

Re-installed Sophos from the SEC.  Still get the same Endpoint Defense error.  All other components of Sophos seem to have installed.  It is just this one component that generates the error.

Hello carina,

this doesn't seem to be a known problem and it's better that Support looks into it. Likely requires more than basic troubleshooting.

Christian

I have now opened a support ticket.  I will post the answer here for reference.

Thank you for trying to help.

Hi,

did you get some new informations from the support? I have the same Problem but no solution.

Thanks

Thomas

Hi Thomas,

We haven't yet solved the problem which is why I hadn't posted back yet, but this is where we are so far.

I sent Sophos Support some logs they requested and the answer they came back with was this

So, our problem was a conflict with the Checkpoint software.

After decrypting the drive and uninstalling the Checkpoint software I ran the fltmc command again and the 2 legacy drivers had disappeared.

Sophos immediately updated itself successfully.

I now have to check the other 6 computers exhibiting the issue but I think it is the same problem.