
[Sophos Notification] Advisory - Sophos Central: Windows 10 Endpoints may fail to upgrade Sophos Endpoint Defense.

Hi Community,

We have identified an issue in which, under certain operating system upgrade conditions, Sophos Endpoint Defense will fail to upgrade due to the below error.

Sophos Endpoint Defense Setup Log
28/09/2018 12:10:55 PM, INFO : Installing ELAM driver...
28/09/2018 12:10:55 PM, INFO : Copying C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\SophosEL.sys to C:\WINDOWS\system32\drivers\SophosEL.sys
28/09/2018 12:10:55 PM, ERROR : Filesystem error code: 1
28/09/2018 12:10:55 PM, ERROR : Error upgrading/downgrading Sophos Endpoint Defense: Failed to copy SophosEL.sys into System32 drivers

Sophos Central Dashboard
Failed to install sed64: 80004005.

Applies to the following Sophos product(s) and version(s)
Central Windows Core Agent 2.1.2
Central Windows Core Agent 2.1.3

This is currently under investigation by development.
Please refer to this KBA for what to do, the advised workaround, and for the latest updates regarding this investigation.

Regards.



  • I have now deleted the SophosEL.sys file by booting into Safe Mode.

    However, that has made no difference.

    I have done a complete clean uninstall, all services removed.  Removed the computer from the Sophos Enterprise Console and 're-discovered' it.

    Re-installed Sophos from the SEC.  Still get the same Endpoint Defense error.  All other components of Sophos seem to have installed.  It is just this one component that generates the error.

  • Hello carina,

    this doesn't seem to be a known problem and it's better that Support looks into it. Likely requires more than basic troubleshooting.

    Christian

  • I have now opened a support ticket.  I will post the answer here for reference.

    Thank you for trying to help.

  • Hi,

    Did you get any new information from Support? I have the same problem but no solution.

    Thanks

    Thomas

  • Hi Thomas,

    We haven't yet solved the problem which is why I hadn't posted back yet, but this is where we are so far.

    I sent Sophos Support some logs they requested and the answer they came back with was this

    "The list above is not limited to applications which continue to use "Legacy file system filter drivers". Due to the requirement to use more advanced and newer protection techniques it is possible that we conflict with these legacy filter drivers.
    support.sophos.com/.../KB-000033347
    Check their filters using fltmc in admin command prompt."

    Not sure what the first part meant as there wasn't a 'list above'.  I ran the fltmc command and it produced a list of names most of which I didn't recognise.  Two of them had the word 'Legacy' next to the name. He told me to remove these legacy drivers but he couldn't explain to me what they were, how to find them, or how to delete them.
    We think we have now identified them as belonging to Checkpoint Encryption software, but in order to prove that is the issue we have to remove the Checkpoint software which involved decrypting a 1TB hard disk which took a long time.  I will resume the investigation next week and let you know if we solve it.
     
  • So, our problem was a conflict with the Checkpoint software.

    After decrypting the drive and uninstalling the Checkpoint software I ran the fltmc command again and the 2 legacy drivers had disappeared.

    Sophos immediately updated itself successfully.

    I now have to check the other 6 computers exhibiting the issue but I think it is the same problem.
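
For checking several machines the same way, the sketch below flags hosts whose Sophos Endpoint Defense setup log contains the copy failure from the advisory and lists the filters that fltmc marks as Legacy. It is an added example, not code from this thread or from Sophos; the fltmc table is constructed, with hypothetical filter names and host names and an assumed column layout.

```python
# Error text copied from the Sophos Endpoint Defense setup log in the advisory.
SED_COPY_ERROR = "Failed to copy SophosEL.sys into System32 drivers"

# Constructed sample data: the log lines follow the advisory; the fltmc table
# uses hypothetical filter names and an assumed column layout.
SAMPLE_LOG = """\
28/09/2018 12:10:55 PM, INFO : Installing ELAM driver...
28/09/2018 12:10:55 PM, ERROR : Filesystem error code: 1
28/09/2018 12:10:55 PM, ERROR : Error upgrading/downgrading Sophos Endpoint Defense: Failed to copy SophosEL.sys into System32 drivers
"""
SAMPLE_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
NotLegacyFlt                            3       300000         0
ExampleLegacyA                                                 <Legacy>
ExampleLegacyB                                                 <Legacy>
"""

def legacy_filters(fltmc_output):
    """Return the names of filters whose fltmc row carries a Legacy marker."""
    names = []
    for line in fltmc_output.splitlines():
        fields = line.split()
        # Skip blank lines, the column header and the dashed separator row.
        if not fields or fields[0] == "Filter" or set(fields[0]) == {"-"}:
            continue
        # Look only at the columns after the name, so a filter that merely
        # has "Legacy" in its name is not flagged.
        if any("legacy" in field.lower() for field in fields[1:]):
            names.append(fields[0])
    return names

def has_elam_copy_failure(setup_log):
    """True if an ERROR line reports the failed SophosEL.sys copy."""
    return any("ERROR" in line and SED_COPY_ERROR in line
               for line in setup_log.splitlines())

def triage(hosts):
    """Map each failing host to the legacy filters found on it."""
    return {host: legacy_filters(fltmc_output)
            for host, (setup_log, fltmc_output) in hosts.items()
            if has_elam_copy_failure(setup_log)}

if __name__ == "__main__":
    hosts = {"PC-01": (SAMPLE_LOG, SAMPLE_FLTMC), "PC-02": ("", SAMPLE_FLTMC)}
    for host, names in triage(hosts).items():
        print(host, "legacy filters:", ", ".join(names) or "none")
```

Feed it the text captured from `fltmc` in an admin command prompt and the setup log from each affected machine.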