When installing Sophos Intercept X for Servers with EDR on our Windows Server 2019 Domain Controller, I'm running into errors. I believe it is related to the fact that there cannot exist Local Users or Groups on a Domain Controller, so I've tried creating the required Sophos Groups manually and adding the necessary users to them, but no matter what I do, the installation fails (and yes I am completely uninstalling after each failed attempt and restarting the server). SophosCloudInstaller_20210426_190900.log
We really need to see the logs of Sophos Anti-Virus. There is a major install log and custom action log file and also a avremove.log.When you run the Central installer as a logged on user, the logs of the components go initially to %temp%.
Here we can see 1 of the 3 install attempts for SAV that failed. It is for this reasons all the services of that component are missing:2021-04-26T19:20:12.2091717Z INFO : setupDll='setup.dll'; setupExe='su-setup32.exe'.2021-04-26T19:20:12.255Z [10016: 9872] [v188.8.131.52] INFO Trying to load setup.dll of product E17FE03B-0501-4aaa-BC69-0129D965F311 10.8.10.810.2021-04-26T19:20:12.303Z [10016: 9872] [v184.108.40.206] INFO Setup DLL loaded C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\setup.dll.2021-04-26T19:20:12.303Z [10016: 9872] [v220.127.116.11] INFO Trying interface IProductSetup2 of product E17FE03B-0501-4aaa-BC69-0129D965F311 10.8.10.810.2021-04-26T19:20:12.303Z [10016: 9872] [v18.104.22.168] WARN IProductSetup2 threw exception Could not create instance.2021-04-26T19:20:12.303Z [10016: 9872] [v22.214.171.124] INFO Creating CProductConfig interface.2021-04-26T19:20:12.304Z [10016: 9872] [v126.96.36.199] INFO Trying interface IProductSetup of product E17FE03B-0501-4aaa-BC69-0129D965F311 10.8.10.810.2021-04-26T19:20:12.304Z [10016: 9872] [v188.8.131.52] INFO Successfully established interface IProductSetup.2021-04-26T19:20:17.265Z [10016: 9872] [v184.108.40.206] INFO Reboot state: 02021-04-26T19:20:17.265Z [10016: 9872] [v220.127.116.11] WARN Failed to install product E17FE03B-0501-4aaa-BC69-0129D965F311 10.8.10.810.So there will be a Sophos Anti-virus major install log and associated custom action log in %temp% of the installing user.
The Central installer will install all the components it can despite failures so we can see at the end it installed AutoUpdate:2021-04-26T19:20:30.619Z [ 9388: 2768] [v18.104.22.168] INFO Successfully installed product 1FE3E7DF-EFFA-408A-A1B0-89F15BA61F31 6.7.352.352.2021-04-26T19:20:30.6122328Z INFO : Installed Sophos AutoUpdate XG: 0 (reboot code: 0)
With AutoUpdate installed, it will keep trying to install SAV every hour, and would have tried 5 mins after the AutoUpdate service was installed.
As this install is running as System, the subsequent logs will go to \windows\temp\.
You will not need to run the Central Installer again as SAU will keep trying to install the failed component but we need to see the logs of Sophos Anti-Virus.