Server Protection - Hitman Pro Alert can't be installed

Hello,

I installed Sophos Intercept X for Server on some servers but on one server Hitman doesn't install/start. If I try "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\hmpa64\hmpalert.exe /install /mode=sophos" or ""C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\hmpa64\hmpalert.exe" /upgrade /quiet /noautoupdate" I get only the message "This program is managed by Sophos".

I rebooted the machine and removed and installed the software, but no change.


Any help possible?

Thx!

Top Replies

  • When you run the Central installer, the install logs of the components should go to the temp directory of the installing user, e.g. %temp%.

    Do you see a log for the HMPA component?

  • Hello,

    Logfile:

    a 2021-11-16 11:11:16.084 [37740:36660] - Beginning install
    e 2021-11-16 11:11:16.118 [37740:36660] - Install failed with exception: Failed to open Registry key: HKLM\SYSTEM\CurrentControlSet\Services\hmpalert, error 2

  • I added the key manually. But the log:

    a 2021-11-16 11:45:12.606 [15080:15076] - Beginning install
    a 2021-11-16 11:45:12.639 [15080:15076] - Executing step: Validate it is NextGen endpoint
    a 2021-11-16 11:45:12.639 [15080:15076] - Executing step: Validate the user is an admin
    a 2021-11-16 11:45:12.639 [15080:15076] - Executing step: Validate that driver verifier is NOT enabled for HMPA.
    a 2021-11-16 11:45:12.639 [15080:15076] - Executing step: Validate that HMPA is not pending reboot
    a 2021-11-16 11:45:12.640 [15080:15076] - Executing step: HMPA install mode installer
    a 2021-11-16 11:45:12.640 [15080:15076] - Executing step: CreateRegistryKey(HKLM\SYSTEM\CurrentControlSet\Services\hmpalert, 0)
    a 2021-11-16 11:45:12.640 [15080:15076] - Executing step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\hmpalert, 0, Mode, 3)
    a 2021-11-16 11:45:12.641 [15080:15076] - Executing step: HMPA Hotfix Add/Remove Programs Uninstaller
    a 2021-11-16 11:45:12.641 [15080:15076] - Executing step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0C81FABA-4224-4C89-AB4B-F463CE24C53E}, 64)
    a 2021-11-16 11:45:12.643 [15080:15076] - Executing step: CreateDirectory(C:\ProgramData\HitmanPro.Alert\Logs) with Permission(owner=SYSTEM, SYSTEM=all, Administratoren=all, Benutzer=r)
    a 2021-11-16 11:45:12.648 [15080:15076] - Executing step: CreateDirectory(C:\ProgramData\HitmanPro.Alert\MCS) with Permission(owner=SYSTEM, SYSTEM=all, Administratoren=all)
    a 2021-11-16 11:45:12.650 [15080:15076] - Executing step: HMPA Integrity installer
    a 2021-11-16 11:45:12.650 [15080:15076] - Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\hmpa64\integrity.dat, C:\Program Files (x86)\HitmanPro.Alert\integrity.dat)
    a 2021-11-16 11:45:12.656 [15080:15076] - Executing step: CreateRegistryKey(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0)
    a 2021-11-16 11:45:12.656 [15080:15076] - Executing step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0, IntegrityPath, C:\Program Files (x86)\HitmanPro.Alert\integrity.dat)
    a 2021-11-16 11:45:12.656 [15080:15076] - Executing step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0, Enable, 1)
    a 2021-11-16 11:45:12.657 [15080:15076] - Executing step: HMPA app upgrader composite
    a 2021-11-16 11:45:12.657 [15080:15076] - Executing step: Wow64RedirectionInstallStep(disable)
    a 2021-11-16 11:45:12.657 [15080:15076] - Executing step: ServiceControlInstallStep(hmpalertsvc, stop)
    w 2021-11-16 11:45:12.658 [15080:15076] - OpenService failed for hmpalertsvc, error 1060
    w 2021-11-16 11:45:12.658 [15080:15076] - Failed step: ServiceControlInstallStep(hmpalertsvc, stop), rolling back previous steps
    a 2021-11-16 11:45:12.658 [15080:15076] - Rolling back step: Wow64RedirectionInstallStep(disable)
    w 2021-11-16 11:45:12.658 [15080:15076] - Failed composite step
    w 2021-11-16 11:45:12.658 [15080:15076] - Failed step: HMPA app upgrader composite, rolling back previous steps
    a 2021-11-16 11:45:12.658 [15080:15076] - Rolling back step: HMPA Integrity installer
    a 2021-11-16 11:45:12.658 [15080:15076] - Rolling back step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0, Enable, 1)
    a 2021-11-16 11:45:12.659 [15080:15076] - Rolling back step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0, IntegrityPath, C:\Program Files (x86)\HitmanPro.Alert\integrity.dat)
    a 2021-11-16 11:45:12.659 [15080:15076] - Rolling back step: CreateRegistryKey(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0)
    a 2021-11-16 11:45:12.659 [15080:15076] - Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\hmpa64\integrity.dat, C:\Program Files (x86)\HitmanPro.Alert\integrity.dat)
    a 2021-11-16 11:45:12.661 [15080:15076] - Rolling back step: CreateDirectory(C:\ProgramData\HitmanPro.Alert\MCS) with Permission(owner=SYSTEM, SYSTEM=all, Administratoren=all)
    a 2021-11-16 11:45:12.662 [15080:15076] - Rolling back step: CreateDirectory(C:\ProgramData\HitmanPro.Alert\Logs) with Permission(owner=SYSTEM, SYSTEM=all, Administratoren=all, Benutzer=r)
    a 2021-11-16 11:45:12.662 [15080:15076] - Rolling back step: HMPA Hotfix Add/Remove Programs Uninstaller
    a 2021-11-16 11:45:12.662 [15080:15076] - Rolling back step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0C81FABA-4224-4C89-AB4B-F463CE24C53E}, 64)
    a 2021-11-16 11:45:12.662 [15080:15076] - Rolling back step: HMPA install mode installer
    a 2021-11-16 11:45:12.662 [15080:15076] - Rolling back step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\hmpalert, 0, Mode, 3)
    a 2021-11-16 11:45:12.663 [15080:15076] - Rolling back step: CreateRegistryKey(HKLM\SYSTEM\CurrentControlSet\Services\hmpalert, 0)
    a 2021-11-16 11:45:12.663 [15080:15076] - Rolling back step: Validate that HMPA is not pending reboot
    a 2021-11-16 11:45:12.663 [15080:15076] - Rolling back step: Validate that driver verifier is NOT enabled for HMPA.
    a 2021-11-16 11:45:12.663 [15080:15076] - Rolling back step: Validate the user is an admin
    a 2021-11-16 11:45:12.663 [15080:15076] - Rolling back step: Validate it is NextGen endpoint
    w 2021-11-16 11:45:12.663 [15080:15076] - Failed composite step
    e 2021-11-16 11:45:12.663 [15080:15076] - Action failed
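
An added example, not part of the original thread or of any Sophos tooling: a small Python triage of the installer log format quoted above, which separates the first real failure from the rollback lines that follow it and names the Win32 error code. The function name `triage` is a choice made for this example; the embedded excerpts are copied from the two logs posted in the thread.

```python
import re

# Line shape in the quoted log: "<level> <date> <time> [<pid>:<tid>] - <message>"
LINE = re.compile(r"^\s*([aew]) (\S+ \S+) \[(\d+):(\d+)\] - (.*)$")
ERR = re.compile(r"error (\d+)\s*$")
# Win32 error codes seen in the thread's logs (names from winerror.h).
WIN32 = {2: "ERROR_FILE_NOT_FOUND", 1060: "ERROR_SERVICE_DOES_NOT_EXIST"}
EXEC, ROLLBACK = "Executing step: ", "Rolling back step: "

def triage(log_text):
    """Find the first warning/error line and the step that was running then."""
    last_step, failure, rollbacks = None, None, 0
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank or foreign line
        level, stamp, _pid, _tid, msg = m.groups()
        if msg.startswith(ROLLBACK):
            rollbacks += 1  # consequence of the failure, not a cause
        elif msg.startswith(EXEC):
            if failure is None:
                last_step = msg[len(EXEC):]
        elif level in ("w", "e") and failure is None:
            code = ERR.search(msg)
            num = int(code.group(1)) if code else None
            failure = {"time": stamp, "step": last_step, "message": msg,
                       "code": num, "name": WIN32.get(num)}
    return {"failure": failure, "rollbacks": rollbacks}

# Excerpts copied from the two logs posted in the thread.
FIRST_RUN = r"""
a 2021-11-16 11:11:16.084 [37740:36660] - Beginning install
e 2021-11-16 11:11:16.118 [37740:36660] - Install failed with exception: Failed to open Registry key: HKLM\SYSTEM\CurrentControlSet\Services\hmpalert, error 2
"""
SECOND_RUN = r"""
a 2021-11-16 11:45:12.657 [15080:15076] - Executing step: Wow64RedirectionInstallStep(disable)
a 2021-11-16 11:45:12.657 [15080:15076] - Executing step: ServiceControlInstallStep(hmpalertsvc, stop)
w 2021-11-16 11:45:12.658 [15080:15076] - OpenService failed for hmpalertsvc, error 1060
w 2021-11-16 11:45:12.658 [15080:15076] - Failed step: ServiceControlInstallStep(hmpalertsvc, stop), rolling back previous steps
a 2021-11-16 11:45:12.658 [15080:15076] - Rolling back step: Wow64RedirectionInstallStep(disable)
e 2021-11-16 11:45:12.663 [15080:15076] - Action failed
"""

if __name__ == "__main__":
    for label, text in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        print(label, triage(text))
```

In the second run the first failure is the attempt to stop `hmpalertsvc`, and error 1060 means the Service Control Manager has no service registered under that name; every later line is rollback.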
    

  • Hello

    Did you open a case with support? The command that you mentioned is correct "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\hmpa64\hmpalert.exe /install /mode=sophos" - the only thing to remember is to turn off Tamper Protection and to open CMD in an elevated command prompt.

    If that fails, we do recommend starting with a full uninstall using our SophosZap removal tool and then a reinstall. (It will provide a clean environment for the install.) Here are the steps for the SophosZap tool:

    - Disable Tamper Protection
    - Download SophosZap from the link below:
    - Open an Administrative command prompt and navigate to the file location of SophosZap.exe
    - Start the application with the following command:
      SophosZap --confirm
    - Once it finishes running, please reboot and run it again, then reboot again (2nd time) when done, before reinstalling

    More details with screenshots are in the article below:
    -----------------------------------------
    Article ID: 134486
    Title: SophosZap: Frequently asked questions (FAQ)
    -----------------------------------------
    If the same issue happens upon reinstall, then please open a support case, as they would likely need full SDU logs and potentially a Procmon recording of re-running that command or of an update cycle which would retry installing HitmanPro.
    Hope that helps!

     

  • Hello PavSupport,

    I didn't open a case with support.

    Your way works. I had to delete one file manually (found an error in the logfile) and re-run SophosZap.

    Now the complete Endpoint protection works.

    Thanks a lot and have a great day!

    Error:

    2021-11-17T08:00:53.528Z 7192 ERROR : Found unexpected Sophos driver file by version info: C:\\Windows\\system32\\DRIVERS\\hmpalert.sys_old

    Just for information the logfile:

    Sophos Windows Endpoint Zap log.txt

  • Happy to help and good call on checking Zap log!