Unable to Install Sophos EDR, requestion full version

I am trying to install Sophos in some remote sites which is protected by Sophos XG. While it is working on some sites, I am unable to install on most of the sites.

I already added the following to allow FW rule but it seems it doesnt connect to Sophos Central on those sites.

 

I tried SophosInstall.exe with command and even with the message relay server. The Device register but most of the components don't install and always show red.

SophosSetup.exe --quiet --messagerelays=[IP address]:8190

The recommendation as always to install and use SophosSetup.exe which is not working and it is not what I want

I created a rule and added the following to the allowed list:

*.sophos.com
az416426.vo.msecnd.net
dc.services.visualstudio.com
*.cloudfront.net
*.sophosupd.com
*.sophosupd.net
*.sophosxl.net
*.globalsign.com
*.s3.amazonaws.com

 

 

But even with this, it doesnt work sometimes as per logs:

 

2020-02-09T13:23:26.2928848Z INFO : Stage 1 command-line options:
2020-02-09T13:23:26.2928848Z INFO : ---
2020-02-09T13:23:26.2928848Z INFO : Quiet mode on: 1
2020-02-09T13:23:26.2928848Z INFO : Automatic Proxy detection disabled: 0
2020-02-09T13:23:26.2928848Z INFO : No feedback mode on: 0
2020-02-09T13:23:26.2928848Z INFO : Dump feedback enabled: 0
2020-02-09T13:23:26.2928848Z INFO : Bypass competitor removal: 0
2020-02-09T13:23:26.2928848Z INFO : Using CRT catalog file path: --
2020-02-09T13:23:26.2928848Z INFO : Only register endpoint with Central: 0
2020-02-09T13:23:26.2928848Z INFO : Log messages between endpoint and Central: 0
2020-02-09T13:23:26.2928848Z INFO : Log command-line passed to executables: 0
2020-02-09T13:23:26.2928848Z INFO : Using custom server that hosts the installer stage2 filename : --
2020-02-09T13:23:26.2928848Z INFO : Using cloud group: --
2020-02-09T13:23:26.2928848Z INFO : Overriding computer name: --
2020-02-09T13:23:26.2928848Z INFO : Overriding computer description: --
2020-02-09T13:23:26.2928848Z INFO : Overriding domain name: --
2020-02-09T13:23:26.2928848Z INFO : Language will be set to: --
2020-02-09T13:23:26.2928848Z INFO : Using message relays: --
2020-02-09T13:23:26.2928848Z INFO : Proxy address: --
2020-02-09T13:23:26.2928848Z INFO : Proxy user name: --
2020-02-09T13:23:26.2928848Z INFO : Using custom customer token: --
2020-02-09T13:23:26.2928848Z INFO : Using specified products: --
2020-02-09T13:23:26.2928848Z INFO : Using certificates from the MCS app data folder.: 0
2020-02-09T13:23:26.2928848Z INFO : Using custom customer ID.: --
2020-02-09T13:23:26.2928848Z INFO : Using specified user ID.: --
2020-02-09T13:23:26.2928848Z INFO : Using local install source.: --
2020-02-09T13:23:26.2928848Z INFO : ---
2020-02-09T13:23:26.2928848Z INFO : Sending HTTP 'POST' request to: api/download/stage2-details/a95228bc-e837-4f9f-b916-8428a5478ce8
2020-02-09T13:23:26.2928848Z WARNING : WinHttpGetProxyForUrl returned: 12180
2020-02-09T13:23:26.2928848Z INFO : Attempting to connect using proxy '' of type 'Empty Proxy'.
2020-02-09T13:23:26.2928848Z INFO : Set security protocol: 00000800
2020-02-09T13:23:26.2928848Z INFO : Opening connection to dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com
2020-02-09T13:23:26.2928848Z INFO : Request content size: 31
2020-02-09T13:23:33.2131135Z INFO : Sending request
2020-02-09T13:23:33.2131135Z INFO : Request sent
2020-02-09T13:23:35.0878104Z INFO : Sending request
2020-02-09T13:23:35.0878104Z INFO : Request sent
2020-02-09T13:23:35.0878104Z INFO : Response status code: 200
2020-02-09T13:23:35.0878104Z INFO : Response data size: 175
2020-02-09T13:23:35.0878104Z INFO : trySendRequestThroughPotentialProxy returning response with status code: 200
2020-02-09T13:23:35.0878104Z INFO : Parsing message received for Stage 2 filename: '{"mcs_server":"dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com","stage2_filename":"stage2-1.6.1112.0-7c172ee33a33004f58c51d634349303caf768675a278b74bb1e9d5acde4f3f87.tar.gz"}'
2020-02-09T13:23:35.0878104Z INFO : Sending HTTP 'GET' request to: full/central/windows/business/installer/stage2-1.6.1112.0-7c172ee33a33004f58c51d634349303caf768675a278b74bb1e9d5acde4f3f87.tar.gz
2020-02-09T13:23:35.0878104Z WARNING : WinHttpGetProxyForUrl returned: 12180
2020-02-09T13:23:35.1032407Z INFO : Attempting to connect using proxy '' of type 'Empty Proxy'.
2020-02-09T13:23:35.1032407Z INFO : Set security protocol: 00000800
2020-02-09T13:23:35.1032407Z INFO : Opening connection to downloads.sophos.com
2020-02-09T13:23:35.1032407Z INFO : Request content size: 0
2020-02-09T13:23:48.8191632Z INFO : Sending request
2020-02-09T13:23:48.8191632Z INFO : Request sent
2020-02-09T13:25:08.5917154Z INFO : Response status code: 200
2020-02-09T13:25:08.5917154Z INFO : Response data size: 1745182
2020-02-09T13:25:08.5917154Z INFO : trySendRequestThroughPotentialProxy returning response with status code: 200
2020-02-09T13:25:08.5917154Z INFO : Extracting files:
2020-02-09T13:25:08.5917154Z INFO : integrity.dat
2020-02-09T13:25:08.5917154Z INFO : manifest.dat
2020-02-09T13:25:08.6071749Z INFO : rootca.crl
2020-02-09T13:25:08.6071749Z INFO : rootca.crt
2020-02-09T13:25:08.6071749Z INFO : scf.dat
2020-02-09T13:25:08.6071749Z INFO : sof.dat
2020-02-09T13:25:08.6071749Z INFO : SophosSetup_Stage2.exe
2020-02-09T13:25:08.6384154Z INFO : sul.dll
2020-02-09T13:25:08.6540387Z INFO : Management Certs/sophosca1.crl
2020-02-09T13:25:08.6540387Z INFO : Management Certs/sophosca1.crt
2020-02-09T13:25:08.6540387Z INFO : Management Certs/sophosca2.crl
2020-02-09T13:25:08.6540387Z INFO : Management Certs/sophosca2.crt
2020-02-09T13:25:08.6540387Z INFO : Management Certs/sophosca3.crl
2020-02-09T13:25:08.6540387Z INFO : Management Certs/sophosca3.crt
2020-02-09T13:25:08.6540387Z INFO : Management Certs/sophosca4.crl
2020-02-09T13:25:08.6540387Z INFO : Management Certs/sophosca4.crt
2020-02-09T13:25:08.7009033Z INFO : Running setup.
Started C:\Program Files (x86)\Sophos\CloudInstaller\SophosSetup_Stage2.exe
2020-02-09T13:25:08.8727058Z INFO : Stage 2 command-line options:
2020-02-09T13:25:08.8727058Z INFO : ---
2020-02-09T13:25:08.8727058Z INFO : Parent PID: 10560
2020-02-09T13:25:08.8727058Z INFO : Server: dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
2020-02-09T13:25:08.8727058Z INFO : Message relays: --
2020-02-09T13:25:08.8727058Z INFO : Suppressing feedback: 0
2020-02-09T13:25:08.8727058Z INFO : Dump feedback to disk: 0
2020-02-09T13:25:08.8727058Z INFO : Register only: 0
2020-02-09T13:25:08.8727058Z INFO : Trail logging: 0
2020-02-09T13:25:08.8727058Z INFO : Command-line logging: 0
2020-02-09T13:25:08.8727058Z INFO : Bypassing competitor removal: 0
2020-02-09T13:25:08.8727058Z INFO : CRT catalog: --
2020-02-09T13:25:08.8727058Z INFO : Language: --
2020-02-09T13:25:08.8727058Z INFO : Log files: C:\\ProgramData\\Sophos\\CloudInstaller\\Logs\\SophosCloudInstaller_20200209_132326.log
2020-02-09T13:25:08.8727058Z INFO : Group: --
2020-02-09T13:25:08.8727058Z INFO : Quiet: 1
2020-02-09T13:25:08.8727058Z INFO : Virtual appliance: 0
2020-02-09T13:25:08.8727058Z INFO : Proxy address: --
2020-02-09T13:25:08.8727058Z INFO : Proxy user: --
2020-02-09T13:25:08.8727058Z INFO : Overriding computer name: --
2020-02-09T13:25:08.8727058Z INFO : Overriding computer description: --
2020-02-09T13:25:08.8727058Z INFO : Overriding domain: --
2020-02-09T13:25:08.8727058Z INFO : Disable proxy detection: 0
2020-02-09T13:25:08.8727058Z INFO : Customer Token Specified: a95228bc-e837-4f9f-b916-8428a5478ce8
2020-02-09T13:25:08.8727058Z INFO : Products: all
2020-02-09T13:25:08.8727058Z INFO : Pipe write handle: 1848
2020-02-09T13:25:08.8727058Z INFO : MCS Certificates Folder: 0
2020-02-09T13:25:08.8727058Z INFO : MCS Customer Id: b4408ca6-f137-a4a5-c991-548e9f96e0d8
2020-02-09T13:25:08.8727058Z INFO : User Id: --
2020-02-09T13:25:08.8727058Z INFO : Local install source: --
2020-02-09T13:25:08.8727058Z INFO : Partner Id: --
2020-02-09T13:25:08.8727058Z INFO : Customer Estate Id: --
2020-02-09T13:25:08.8727058Z INFO : ---
2020-02-09T13:25:08.8727058Z ERROR : Stage 2 error: CoInitialize failed: 0x80070008
2020-02-09T13:25:08.8883269Z INFO : Cleaning up extracted files
2020-02-09T13:25:10.7316351Z ERROR : Exception: ReadFile failed: 109

  • Hi  

    I have moved this thread to the Sophos Central group from the Support Portal group. This usually generally indicates that there is Pending File Rename Operation flagged in the registry. The PendingFileRenameOperations registry value indicates that a user or program has tried to rename a file that is in use. The file names are stored in the value of this entry until the system is restarted and then they are renamed. 

    Please perform the following steps after taking a full backup of your Windows registry. Please note that if you face any difficulties in performing these steps, then please open a support ticket with us - support.sophos.com

    1.  Open the Windows Registry Editor: Please ensure you make a full backup before making any changes to the registry

    2.  Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager.
     
    3.  Right-click the PendingFileRenameOperations value and select Delete from
    the context menu. When prompted, click Yes to confirm the delete operation.

    4. Close Registry Editor

    5. Restart your computer and attempt to run the installation again.

    Thanks,

    Yashraj Singha

    Community Team Lead, Support & Services| Sophos Technical Support
    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' button.

  • Thanks for the advise.

    I managed to find the root cause but is it possible to provide standalone installation that will only require to register to central instead of the current standalone which doesnt have most of the recent component updates and require to download them online?

  • Hi  

    That's great! Can you please let us know how did you manage to resolve it? 

    At the moment that is not possible. You can try setting up an update cache so that your bandwidth is saved and the required files are downloaded from your local update cache server. For more info, please see: https://support.sophos.com/support/s/article/KB-000035498?language=en_US&c__displayLanguage=en_US

    Thanks,

    Yashraj Singha

    Community Team Lead, Support & Services| Sophos Technical Support
    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' button.

  • Enabling the web cache on Sophos XG and installing from Relay server doesnt work for first-time installation. It seems some of the components are still required to be download directly from Sophos Central

  • Yes, the Central Install has to reach out to our Servers at least once. You can do that on one endpoint that copy the AutoUpdate folder and use that as a local install source for future installs. However, the AutoUpdate function will keep reaching out to get updates from us - so if the initial install is failing then there is concerns future updates will as well. 

    It is better to setup and Update Cache in the local network that 100% has the correct access out.

     

    From there, the other endpoints can update from it later.

  • It is not a perfect solution as it still fail sometimes. I created a firewall rule for the PC I want to install Sophos EDR on and passed all traffic without any control. Then I disabled the role once the installation is completed.

    I tried to copy the Install Cache from Program Data but it didn't work as it downloaded all items again. Sometime, I do reinstallation 3-4 times before it work and I can see it download all cache almost everytime. My problem is that everytime it download around 1GB which explains why it fail on the remote site which has VSAT