Most likely Post WINDOWS Monthly Patch Installation, Sophos status is broken.
We started the Windows updates rollout this week and already have multiple devices with this issue now.
Ex: This device was all okay; once the update was installed and it rebooted, Sophos events show this error.
Anyone else with this problem?
Hi skyisbluescreen
Would you please suggest what is the exact error it is showing under the events?
Shweta
Hello there,
I have updated the Event log in the post. All the machines show the below error:
Everything was normal on these devices; Sophos was working perfectly fine. However, 1903 was installed, they rebooted, and boom, the Sophos AV service goes missing, and other ones too.
Hoping someone from the community can help me through.
------------------------------------------------------------------
I have tried Support. Here is what happens:
SDU logs shared for impacted PCs
Request back to us to reinstall
We do, and still the same problem.
We report back, they connect and run a PS script or batch to remove Sophos; the issue still persists after reinstall
Request to reinstall the OS
-------------------------------------
Have you tried removing the older version of Anti-virus present using the Sophos ZAP tool? Kindly PM me the case number that you have already registered, so that I can review a few logs.
When AutoUpdate updates, it always checks the OS of the computer to see if it's changed; you see this in
C:\ProgramData\Sophos\AutoUpdate\Logs\SophosUpdate.log:
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO =========================
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO SophosUpdate is starting.
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO AutoUpdate version : 6.4.292.0
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO SophosUpdate version : 6.4.292.0
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO Build : 20200429173443-7acb03303197f5c0731d6b9c4afc467d5c7ff02e
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO =========================
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO Platform ID: WIN_10_X64 2004 19041.264
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO Platform upgraded: 0
The values come from:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate
Platform and PlatformRelease string values.
In the case where the current OS and these differ, then AutoUpdate runs the setup plugins of each of the components.
So under \windows\temp you will see the install logs for each component. Can you attach the logs of the failed components to this post?
Regards, Jak
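The platform check described in the post above can be followed across a collected SophosUpdate.log to see in which AutoUpdate run the OS changed and what failed afterwards. This is an added example, not part of the original thread and not Sophos code; the sample log lines are constructed, and reading a non-zero `Platform upgraded` value as "OS change detected" is an assumption.

```python
import re
from dataclasses import dataclass, field

# Layout from the excerpt above: <UTC time> [pid:tid] [vX.Y.Z.W] LEVEL message
LINE_RE = re.compile(r"^(\S+Z) \[\d+:\d+\] \[v[\d.]+\] ([A-Z]+)\s+(.*)$")

@dataclass
class UpdateRun:
    started: str
    platform_id: str = ""          # empty until a "Platform ID:" line is seen
    upgraded: bool = False
    problems: list = field(default_factory=list)

def parse_runs(log_text):
    """Split SophosUpdate.log text into AutoUpdate runs, keeping the platform fields."""
    runs = []
    for raw in log_text.splitlines():
        if not (m := LINE_RE.match(raw.strip())):
            continue               # blank or truncated line
        ts, level, msg = m.group(1), m.group(2), m.group(3).strip()
        if msg == "SophosUpdate is starting.":
            runs.append(UpdateRun(started=ts))
        elif not runs:
            continue               # log rotated mid-run, no run header seen yet
        elif msg.startswith("Platform ID:"):
            runs[-1].platform_id = msg.split(":", 1)[1].strip()
        elif msg.startswith("Platform upgraded:"):
            runs[-1].upgraded = msg.split(":", 1)[1].strip() != "0"  # assumed: non-zero = OS change
        elif level in ("WARN", "ERROR"):
            runs[-1].problems.append(msg)
    return runs

def platform_changes(runs):
    """Runs flagged as upgraded, or whose Platform ID differs from the previous run."""
    hits, previous = [], ""
    for run in runs:
        if run.upgraded or (previous and run.platform_id not in ("", previous)):
            hits.append(run)
        previous = run.platform_id or previous
    return hits

# Constructed sample, not from a real device: the OS changes between two runs.
SAMPLE_LOG = "\n".join(f"{ts} [15968:18684] [v6.4.292.0] {body}" for ts, body in [
    ("2020-06-01T09:00:00.000Z", "INFO SophosUpdate is starting."),
    ("2020-06-01T09:00:00.000Z", "INFO Platform ID: WIN_10_X64 1909 18363.836"),
    ("2020-06-07T22:37:11.405Z", "INFO SophosUpdate is starting."),
    ("2020-06-07T22:37:11.405Z", "INFO Platform ID: WIN_10_X64 2004 19041.264"),
    ("2020-06-07T22:37:12.000Z", "WARN Failed to install product <product-guid> <version>."),
])
```

Running `platform_changes(parse_runs(text))` over logs gathered from several devices gives the run timestamps to line up against the patch installation times.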
Hello Shweta,
Thank you for your response, will write to you in more detail once we have the results on ZAP Tool.
Looking at the Events and logs it looks like the Monthly patches have caused this problem.
P.S. Updated the post title to make it more relevant.
Thanks Jak, deeper investigation has indicated the Windows monthly security patches have caused this and not the Build 1909.
We are trying to get a list of devices broken and verify the timing of events, if they match. Also a list of KBs installed that would need to be verified for which one could possibly cause this problem.
P.S. I have edited the title of the post as it's a Windows Update issue and not the build issue.
Once the system is patched with latest updates, let us know if you are still facing the issue with Sophos.
The current patches (installed last week) will be there and we will not patch anytime soon in a month's time.
Thank you for the update, let us know how it goes with Sophos ZAP tool.
We have this problem also on several Win10 machines. Solved by running update from Sophos Endpoint UI on "problematic" machines and by several restarts.
In "Sophos Central Console" the "device status" is OK, but on some machines the status is Red - "you have to call IT .." (free translation from Czech language).
On fully updated machines and also on machines with some missing patches.
Hi Jiri Hadamek
Devices with red health status on central, does it show any specific service stopped or any other detections?
It doesn't have a service stopped. It simply doesn't have the service installed.
Now - after several restarts AND several "update NOW" from Sophos UI on PCs we have the following state:
In Sophos Control Central - OK
ALL Sophos services ARE running - OK
On workstation - Sophos shows errors - see the attached pictures.
Could you please translate the error message shown in the Endpoint UI? Which service state is in the stopped state?
Translated freely into English: "Some services aren't started. Call IT". But ALL services ARE running. (After several restarts and reinstall from LOCAL Sophos UI)
Can you please click on About > Open Endpoint Self Help Tool > Services and check which services are not running? Do you see any components which are not installed?
All services ARE running
and
ALL services ARE installed.
Yep, same here.
Console:
" Failed to install savxp: uninstalling an older product failed."
Log:
"WARN Failed to install product E17FE03B-0501-4aaa-BC69-0129D965F311 10.8.7.1000."
Version agent: 10.8.6 VE3.78.5
Can you find (and attach) the install and uninstall logs of SAV in \windows\temp\ (if this is an AutoUpdate initiated install attempt), or under %temp% if you are performing an install with, say, the Sophos Central installer?
Hi jak,
Here is what I found:
Sophos Anti-Virus Major Install Log
https://pastebin.com/fdBLBRf7
Sophos Anti-Virus Uninstall log
https://pastebin.com/N83VsS2J
SophosUpdate log from when I initiated an update from the Console, maybe it could help as well
https://pastebin.com/W1zLQf6r
Seeing error 1612 on SAV uninstall and install logs. The uninstall process is looking for the MSI which is missing in this path: C:\WINDOWS\Installer\60e64.msi.
You can try uninstalling Sophos using the SophosZap tool, and then reinstall Sophos.