Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 6 replies
  • Answers 1 answer
  • Subscribers 16 subscribers
  • Views 3935 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Error: Sophos System Protection and Sophos Diagnostic Utility are missing in Sophos Endpoint Agent

Dung Nguyen Viet

Hi Everyone,

I have some problem with Sophos Endpoint Agent. I installed Sophos Endpoint Agent on Laptop client but Sophos System Protection and Sophos Diagnostic Utility are missing. That Laptop is running Windows 10. i try to uninstall it but it display: Uninstallation Failed. How can i fix that error. Please, help me!



This thread was automatically locked due to age.
Parents
  • 0

    Hi

    Could you please check under Sophos SDU install log(Location: %temp%) and check for the specific error? When you try to start the Sophos System protection service manually what is the message you are seeing? 

    Shweta

    Community Support Engineer | Sophos Technical Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
    The New Home of Sophos Support Videos! - Visit Sophos Techvids
  • 0 in reply to Shweta

    Hi Shweta

    you see in attach file help me

    Fullscreen Sophos Endpoint Defense Setup 2.2.5 07-01-2021 08_29_16.log Download 
    Started C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\su-setup32.exe
07/01/2021 08:29:16, INFO : Driver is not already installed.
07/01/2021 08:29:16, INFO : Getting the SED Component version from C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\integrity.dat
07/01/2021 08:29:16, INFO : Starting Sophos Endpoint Defense clean installation (2.2.5.755)
07/01/2021 08:29:16, INFO : Wrote HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense value: ComponentVersion data: 2.2.5.755
07/01/2021 08:29:16, INFO : Unregistered old SSP Component from Sophos AutoUpdate.
07/01/2021 08:29:16, INFO : Wrote HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Defense\ value: DisplayName data: Sophos Endpoint Defense
07/01/2021 08:29:16, INFO : Wrote HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Defense\ value: Publisher data: Sophos Limited
07/01/2021 08:29:16, INFO : Wrote HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Defense\ value: InstallLocation data: C:\Program Files\Sophos\Endpoint Defense
07/01/2021 08:29:16, INFO : Wrote HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Defense\ value: UninstallString data: "C:\Program Files\Sophos\Endpoint Defense\SEDuninstall.exe"
07/01/2021 08:29:16, INFO : Wrote HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Defense\ value: DisplayIcon data: C:\Program Files\Sophos\Endpoint Defense\SEDuninstall.exe
07/01/2021 08:29:16, INFO : Wrote HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Defense\ value: DisplayVersion data: 2.2.5.755
07/01/2021 08:29:16, INFO : Wrote HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Defense\ value: VersionMajor data: 2
07/01/2021 08:29:16, INFO : Wrote HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Defense\ value: VersionMinor data: 2
07/01/2021 08:29:16, INFO : Wrote HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Defense\ value: URLInfoAbout data: http://www.sophos.com
07/01/2021 08:29:16, INFO : Wrote HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Defense\ value: InstallDate data: 20210107
07/01/2021 08:29:16, INFO : Wrote HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Defense\ value: HelpLink data: http://www.sophos.com/support
07/01/2021 08:29:16, INFO : Wrote HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Defense\ value: Contact data: Sophos Technical Support
07/01/2021 08:29:16, INFO : Wrote HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Defense\ value: Comments data: Protects your Sophos Endpoint
07/01/2021 08:29:16, INFO : Registry configured successfully to register to Add Remove Programs.
07/01/2021 08:29:16, INFO : Copying C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\appfeed_part_0001.dat to C:\ProgramData\Sophos\Endpoint Defense\Data\AppFeed\\1609982956\appfeed_part_0001.dat
07/01/2021 08:29:16, INFO : Supplement files copied successfully.
07/01/2021 08:29:16, INFO : Copying C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\CoreCustomerAdapter.dll to C:\Program Files\Sophos\Endpoint Defense\CoreCustomerAdapter.dll
07/01/2021 08:29:16, ERROR : Failed to copy corecustomeradapter.dll to program directory with error code: 1
07/01/2021 08:29:16, ERROR : Error installing Sophos Endpoint Defense: Failed to copy files to program directory.
07/01/2021 08:29:16, INFO : Starting rollback of failed installation.
07/01/2021 08:29:16, INFO : Getting the SED Component version from C:\Program Files\Sophos\Endpoint Defense\integrity.dat
07/01/2021 08:29:16, INFO : Starting Sophos Endpoint Defense uninstallation (2.2.5.755)
07/01/2021 08:29:16, INFO : Operating system version is Win10 or greater and supports InstallELAMCertificate ...
07/01/2021 08:29:16, WARNING : Failed to query if the SEL driver can be unloaded or service stopped.
07/01/2021 08:29:16, WARNING : Failed to query if the driver can be unloaded or service stopped.
07/01/2021 08:29:16, INFO : Removed Sophos process keys under 'AppCompatFlags\Custom'
07/01/2021 08:29:16, INFO : Removed Sophos process keys under 'Image File Execution Options'
07/01/2021 08:29:16, INFO : Removed Sophos process keys under 'AppCompatFlags\Custom - WOW6432'
07/01/2021 08:29:16, INFO : Removed Sophos process keys under 'Image File Execution Options - WOW6432'
07/01/2021 08:29:16, INFO : Stopping Sophos System Protection Service ...
07/01/2021 08:29:16, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:17, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:18, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:19, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:20, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:21, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:22, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:23, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:24, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:25, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:26, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:27, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:28, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:29, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:30, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:31, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:32, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:33, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:34, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:35, WARNING : Could not open service - Sophos System Protection Service, error 1060.
07/01/2021 08:29:36, WARNING : Skipping stop service - Sophos System Protection Service is not installed.
07/01/2021 08:29:36, INFO : Stopping Sophos Endpoint Defense Service ...
07/01/2021 08:29:56, WARNING : Sophos System Protection Service has already been removed from the Service Control Manager.
07/01/2021 08:29:56, ERROR : Failed to uninstall: Failed to delete service.
07/01/2021 08:29:56, ERROR : Rollback failed: Failed to delete service.
07/01/2021 08:29:56, ERROR : SetupPlugin install error: Failed to copy files to program directory.
    Fullscreen Sophos SDU 6.5.238.0 install log 20210107 013022Z.txt Download 
    === Verbose logging started: 07/01/2021  08:30:23  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\su-setup32.exe ===
MSI (c) (04:24) [08:30:23:252]: Cloaking enabled.
MSI (c) (04:24) [08:30:23:252]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (04:24) [08:30:23:255]: End dialog not enabled
MSI (c) (04:24) [08:30:23:256]: Original package ==> C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sdu\Sophos Diagnostic Utility.msi
MSI (c) (04:24) [08:30:23:256]: Package we're running from ==> C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sdu\Sophos Diagnostic Utility.msi
MSI (c) (04:24) [08:30:23:256]: Machine policy value 'DisableUserInstalls' is 0
MSI (c) (04:24) [08:30:23:274]: APPCOMPAT: Compatibility mode property overrides found.
MSI (c) (04:24) [08:30:23:276]: APPCOMPAT: looking for appcompat database entry with ProductCode '{8078549C-CFF0-48C5-9B77-6BA48A14673D}'.
MSI (c) (04:24) [08:30:23:276]: APPCOMPAT: no matching ProductCode found in database.
MSI (c) (04:24) [08:30:23:335]: MSCOREE not loaded loading copy from system32
MSI (c) (04:24) [08:30:23:401]: APPCOMPAT: looking for appcompat database entry with ProductCode '{8078549C-CFF0-48C5-9B77-6BA48A14673D}'.
MSI (c) (04:24) [08:30:23:401]: APPCOMPAT: no matching ProductCode found in database.
MSI (c) (04:24) [08:30:23:401]: Transforms are not secure.
MSI (c) (04:24) [08:30:23:401]: Note: 1: 2205 2:  3: Control 
MSI (c) (04:24) [08:30:23:401]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\Windows\TEMP\Sophos SDU 6.5.238.0 install log 20210107 013022Z.txt'.
MSI (c) (04:24) [08:30:23:401]: No Command Line.
MSI (c) (04:24) [08:30:23:401]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{394D39B9-2864-444F-BF8B-74C7A3E607E9}'.
MSI (c) (04:24) [08:30:23:401]: Product Code passed to Engine.Initialize:           '(none)'
MSI (c) (04:24) [08:30:23:401]: Product Code from property table before transforms: '{8078549C-CFF0-48C5-9B77-6BA48A14673D}'
MSI (c) (04:24) [08:30:23:401]: Product Code from property table after transforms:  '{8078549C-CFF0-48C5-9B77-6BA48A14673D}'
MSI (c) (04:24) [08:30:23:401]: Product not registered: beginning first-time install
MSI (c) (04:24) [08:30:23:401]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (c) (04:24) [08:30:23:401]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3: 2 
MSI (c) (04:24) [08:30:23:401]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (c) (04:24) [08:30:23:402]: User policy value 'SearchOrder' is 'nmu'
MSI (c) (04:24) [08:30:23:402]: Adding new sources is allowed.
MSI (c) (04:24) [08:30:23:402]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (c) (04:24) [08:30:23:402]: Package name extracted from package path: 'Sophos Diagnostic Utility.msi'
MSI (c) (04:24) [08:30:23:402]: Package to be registered: 'Sophos Diagnostic Utility.msi'
MSI (c) (04:24) [08:30:23:402]: Note: 1: 2205 2:  3: Error 
MSI (c) (04:24) [08:30:23:406]: Note: 1: 2262 2: AdminProperties 3: -2147287038 
MSI (c) (04:24) [08:30:23:406]: TRANSFORMS property is now: 
MSI (c) (04:24) [08:30:23:406]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
MSI (c) (04:24) [08:30:23:407]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming
MSI (c) (04:24) [08:30:23:407]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\Favorites
MSI (c) (04:24) [08:30:23:408]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts
MSI (c) (04:24) [08:30:23:408]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\Documents
MSI (c) (04:24) [08:30:23:409]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
MSI (c) (04:24) [08:30:23:409]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent
MSI (c) (04:24) [08:30:23:410]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo
MSI (c) (04:24) [08:30:23:410]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates
MSI (c) (04:24) [08:30:23:410]: SHELL32::SHGetFolderPath returned: C:\ProgramData
MSI (c) (04:24) [08:30:23:411]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Local
MSI (c) (04:24) [08:30:23:411]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\Pictures
MSI (c) (04:24) [08:30:23:411]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (c) (04:24) [08:30:23:411]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
MSI (c) (04:24) [08:30:23:412]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
MSI (c) (04:24) [08:30:23:412]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
MSI (c) (04:24) [08:30:23:412]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
MSI (c) (04:24) [08:30:23:413]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (c) (04:24) [08:30:23:413]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MSI (c) (04:24) [08:30:23:413]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
MSI (c) (04:24) [08:30:23:414]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu
MSI (c) (04:24) [08:30:23:414]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\Desktop
MSI (c) (04:24) [08:30:23:415]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
MSI (c) (04:24) [08:30:23:415]: SHELL32::SHGetFolderPath returned: C:\Windows\Fonts
MSI (c) (04:24) [08:30:23:432]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16 
MSI (c) (04:24) [08:30:23:442]: MSI_LUA: Setting AdminUser property to 1 because this is the client or the user has already permitted elevation
MSI (c) (04:24) [08:30:23:442]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
MSI (c) (04:24) [08:30:23:442]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
MSI (c) (04:24) [08:30:23:442]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (c) (04:24) [08:30:23:443]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2 
MSI (c) (04:24) [08:30:23:443]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'Phu ThaiCat'.
MSI (c) (04:24) [08:30:23:443]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2 
MSI (c) (04:24) [08:30:23:443]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sdu\Sophos Diagnostic Utility.msi'.
MSI (c) (04:24) [08:30:23:443]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sdu\Sophos Diagnostic Utility.msi'.
MSI (c) (04:24) [08:30:23:443]: Machine policy value 'MsiDisableEmbeddedUI' is 0
MSI (c) (04:24) [08:30:23:443]: EEUI - Disabling MsiEmbeddedUI due to existing external or embedded UI
MSI (c) (04:24) [08:30:23:443]: EEUI - Disabling MsiEmbeddedUI in quiet mode
=== Logging started: 07/01/2021  08:30:23 ===
MSI (c) (04:24) [08:30:23:443]: Machine policy value 'DisableRollback' is 0
MSI (c) (04:24) [08:30:23:443]: User policy value 'DisableRollback' is 0
MSI (c) (04:24) [08:30:23:443]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
MSI (c) (04:24) [08:30:23:443]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038 
MSI (c) (04:24) [08:30:23:443]: APPCOMPAT: [DetectVersionLaunchCondition] Launch condition already passes.
MSI (c) (04:24) [08:30:23:470]: Creating MSIHANDLE (1) of type 790537 for thread 9508
MSI (c) (04:24) [08:30:23:470]: MsiOpenPackageEx is returning 0
MSI (c) (04:24) [08:30:23:470]: Closing MSIHANDLE (1) of type 790537 for thread 9508
=== Verbose logging stopped: 07/01/2021  08:30:23 ===

  • 0 in reply to Dung Nguyen Viet

    Hi there,

    Kindly Confirm first if there are some sophos services which are not running under "services.msc? Like below snapshot?



    If so? Please apply below steps on the affected machine.

    1. Disable Tamper Protection on the Endpoint
    2. Set the LaunchProtected flag for Sophos Endpoint Defense Service from 3 (SERVICE_LAUNCH_PROTECTED_ANTIMALWARE_LIGHT) to 0 (SERVICE_LAUNCH_PROTECTED_NONE)
      1. OpenRegistry Editor
      2. Navigate to 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service'
      3. Change the LaunchProtected REG_DWORD from 3 to 0
      4. Click OK to confirm the change
      5. Reboot the endpoint for the changes to take effect
    3. If Tamper Protection is enabled again, disable Tamper Protection
    4. Make sure to set the start-up type of the services to "automatic" 
    5. perform force update on the system 2 - 3 times.

    Let me know if this helps solves the issue. 

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Reply
  • 0 in reply to Dung Nguyen Viet

    Hi there,

    Kindly Confirm first if there are some sophos services which are not running under "services.msc? Like below snapshot?



    If so? Please apply below steps on the affected machine.

    1. Disable Tamper Protection on the Endpoint
    2. Set the LaunchProtected flag for Sophos Endpoint Defense Service from 3 (SERVICE_LAUNCH_PROTECTED_ANTIMALWARE_LIGHT) to 0 (SERVICE_LAUNCH_PROTECTED_NONE)
      1. OpenRegistry Editor
      2. Navigate to 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service'
      3. Change the LaunchProtected REG_DWORD from 3 to 0
      4. Click OK to confirm the change
      5. Reboot the endpoint for the changes to take effect
    3. If Tamper Protection is enabled again, disable Tamper Protection
    4. Make sure to set the start-up type of the services to "automatic" 
    5. perform force update on the system 2 - 3 times.

    Let me know if this helps solves the issue. 

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Children
Unfiltered HTML