Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 17 replies
  • Subscribers 14 subscribers
  • Views 7231 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Network Threat Protection: Installation fails (solved)

émeric SOULENQ

hello,

we have issue on more than 90 PC when we push last 21h1 and 21h2 update

The network thread protection installation fail :

C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs

2022-02-15T15:06:30.217Z [11800: 4260] E DLL verification error: -2146869243: C:\Program Files\Sophos\Sophos Network Threat Protection\.\BPAIF.dll
2022-02-15T15:06:30.218Z [11800: 4260] E Failed to start service: File C:\Program Files\Sophos\Sophos Network Threat Protection\.\BPAIF.dll not signed by Sophos
2022-02-15T15:06:30.218Z [11800: 4260] E Could not start the service. File C:\Program Files\Sophos\Sophos Network Threat Protection\.\BPAIF.dll not signed by Sophos

theese KB doesn't work

https://support.sophos.com/support/s/article/KB-000036818 

https://support.sophos.com/support/s/article/KB-000038164

the sophos support say to me it's a Windows issue ... (a certificate issue)

but I have more and more pc with this issue,

I can't believe there is 90 pc with Windows issue ...

(pc Acer   TravelMate P215-53 )

thnaks



This thread was automatically locked due to age.
Parents
  • 0

    The error code you show ( -2146869243) is TRUST_E_TIME_STAMP - "The timestamp signature and/or certificate could not be verified or is malformed."

    I would suggest open the Event log and expand to

     Microsoft-Windows-CAPI2/Operational from under: Applications and Services logs and enable the opera CAPI2 operational log.

    Reproduce the error and see what this specific event log has to say for the APIs being called.

    Maybe you can export the evtx for this log and attach it?

  • 0 in reply to Sophos User930

    Here it is the CAPI2 event log :

    fromsmash.com/0NHGBIDsqo-ct

    Sophos already say to me to read theese event  log, but I didn't understand how to solve theese errors

    thanks

  • 0 in reply to émeric SOULENQ

    I assume the Powershell command was run following the reboot so still shows the issue?

    Did the Pending File Rename Operation (PFRO) actually work? 

    Did you end up with the file:

    "C:\windows\ServiceProfiles\LocalService\NTUSER.DAT.BROKEN"

    following the reboot and a new NTUSER.DAT?

    Can you check that is the correct location on your computer for the NTUSER.DAT for the local service user?

  • 0 in reply to Sophos User930

    I assume the Powershell command was run following the reboot so still shows the issue?

    yes

    yes

  • 0 in reply to émeric SOULENQ

    Well that's odd, the hive is being created again, you would assume with the correct permissions for the user, which suggests it's being "broken" shortly after being created.  You could try explicitly granting access to local service for the keys.  The following PowerShell would do that:

    $keys_to_fix = "S-1-5-19", 
               "S-1-5-19\Software", 
			   "S-1-5-19\Software\Microsoft", 
			   "S-1-5-19\Software\Microsoft\SystemCertificates",
			   "S-1-5-19\Software\Microsoft\SystemCertificates\CA"

foreach($key_to_fix in $keys_to_fix)
{
    Write-host "Fixing:" $key_to_fix

    $key = [Microsoft.Win32.Registry]::Users.OpenSubKey($key_to_fix,
           [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
           [System.Security.AccessControl.RegistryRights]::ChangePermissions)

    $acl = $key.GetAccessControl()

    $rule = New-Object System.Security.AccessControl.RegistryAccessRule ("NT AUTHORITY\LOCAL SERVICE","FullControl","Allow")
    
    $acl.SetAccessRule($rule)
    
    $key.SetAccessControl($acl)
}
     

    The idea behind deleting and letting it get re-created would be to ensure all the permissions are correct.

    I assume the above works?  Does that get reverted.

    As another test, I would be interested to setup the PFRO again to delete/rename the local service users ntuser.dat and then setup Process Monitor to capture a boot log.

    On reboot, collect the PML boot log, you should see where smss.exe renamed or deleted the ntuser.dat to prove that happened and then later on, do you see something setting permissions on the key(s)?

    Hope it helps.

  • 0 in reply to Sophos User930

    I have some issue with this script,

    probably with the var key_to_fix "S-1-5-19"

    I try the script itself and the script

    without foreach with only S-1-5-19" but it's the same

    xception lors de l'appel de «SetAccessRule» avec «1» argument(s): «Impossible de traduire certaines ou toutes les
    références d'identité.»
    Au caractère \modifRg.ps1:19 : 5
    +     $acl.SetAccessRule($rule)
    +     ~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : IdentityNotMappedException

    Fixing: S-1-5-19\Software\Microsoft
    Exception lors de l'appel de «SetAccessRule» avec «1» argument(s): «Impossible de traduire certaines ou toutes les
    références d'identité.»
    Au caractère \Desktop\modifRg.ps1:19 : 5
    +     $acl.SetAccessRule($rule)
    +     ~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : IdentityNotMappedException

    thanks

  • 0 in reply to émeric SOULENQ

    I guess being a French OS, it should be

    AUTORITE NT\LOCALSERVICE

    rather than:

    NT AUTHORITY\LOCALSERVICE

    Can you update the script and try again?

    Maybe check under Services.msc what localservice is on a French OS, I don't have one. Thanks.

  • 0 in reply to Sophos User930

    it was

    "NT AUTHORITY\LOCALSERVICE" and not "NT AUTHORITY\LOCAL SERVICE"

    now the script run with no error

      get-acl "HKU:\S-1-5-19\SOFTWARE\Microsoft\SystemCertificates\CA" | fl


    Path   : Microsoft.PowerShell.Core\Registry::HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\SystemCertificates\CA
    Owner  : BUILTIN\Administrateurs
    Group  : PCP3853\Aucun
    Access : AUTORITE NT\RESTRICTED Allow  ReadKey
             AUTORITE NT\Système Allow  FullControl
             AUTORITE NT\SERVICE LOCAL Allow  FullControl
             BUILTIN\Administrateurs Allow  FullControl
             PCP3853\Administrateur Allow  FullControl
             AUTORITÉ DE PACKAGE D’APPLICATION\Vos certificats de logiciel et de matériel ou carte à puce Allow  ReadKey
             AUTORITE NT\RESTRICTED Allow  ReadKey
             AUTORITE NT\Système Allow  FullControl
             BUILTIN\Administrateurs Allow  FullControl
             PCP3853\Administrateur Allow  FullControl
             AUTORITÉ DE PACKAGE D’APPLICATION\Vos certificats de logiciel et de matériel ou carte à puce Allow  ReadKey
    Audit  :
    Sddl   : O:BAG:S-1-5-21-1891537447-1770671421-2111988918-513D:AI(A;OICI;KR;;;RC)(A;OICI;KA;;;SY)(A;;KA;;;LS)(A;OICI;KA;
             ;;BA)(A;OICI;KA;;;LA)(A;OICI;KR;;;S-1-15-3-9)(A;OICIID;KR;;;RC)(A;OICIID;KA;;;SY)(A;OICIID;KA;;;BA)(A;OICIID;K
             A;;;LA)(A;OICIID;KR;;;S-1-15-3-9)

    I remove sophos again,

    but the bug still there :/

  • 0 in reply to émeric SOULENQ

    Can you filter Process Monitor to Access Denied again and let AutoUpdate have another try at installing NTP?

  • 0 in reply to Sophos User930

    Did a new Process Monitor show a permissions issue with the same key, a different key?  Is the problem solved?

  • 0 in reply to Sophos User930

    sorry my collegue format the PC,
    I need to find another pc to try again

    the problem is not solved at this time.

  • 0 in reply to émeric SOULENQ

    I want to say thanks you "Sophos User930" a lot !!!

    finaly it was a ACL issue on all registry since we apply OS update !

    # Modification des acls des clés de registre

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force -Confirm:$false

$keys_to_fix = "S-1-5-19", 
               "S-1-5-19\Software", 
			   "S-1-5-19\Software\Microsoft", 
			   "S-1-5-19\Software\Microsoft\SystemCertificates"

foreach($key_to_fix in $keys_to_fix)
{
    Write-host "Fixing:" $key_to_fix

    $key = [Microsoft.Win32.Registry]::Users.OpenSubKey($key_to_fix,
           [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
           [System.Security.AccessControl.RegistryRights]::ChangePermissions)

    $acl = $key.GetAccessControl()

    $rule = New-Object System.Security.AccessControl.RegistryAccessRule ("NT AUTHORITY\LOCALSERVICE","FullControl","ContainerInherit","None","Allow")
    
    $acl.SetAccessRule($rule)
    
    $key.SetAccessControl($acl)
}

$keys_to_fix2 = "S-1-5-19", 
               "S-1-5-19\Software", 
			   "S-1-5-19\Software\Microsoft"			   
			   

foreach($key_to_fix2 in $keys_to_fix2)
{
    Write-host "Fixing:" $key_to_fix2

    $key2 = [Microsoft.Win32.Registry]::Users.OpenSubKey($key_to_fix2,
           [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
           [System.Security.AccessControl.RegistryRights]::ChangePermissions)

    $acl2 = $key2.GetAccessControl()

    $systemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-15-2-1')

    $rule2 = New-Object System.Security.AccessControl.RegistryAccessRule ($systemSid,"ReadKey","Allow")
    
    $acl2.SetAccessRule($rule2)
    
    $key2.SetAccessControl($acl2)
}

$keys_to_fix3 = "S-1-5-19", 
               "S-1-5-19\Software", 
			   "S-1-5-19\Software\Microsoft", 
			   "S-1-5-19\Software\Microsoft\SystemCertificates"

foreach($key_to_fix3 in $keys_to_fix3)
{
    Write-host "Fixing:" $key_to_fix3

    $key3 = [Microsoft.Win32.Registry]::Users.OpenSubKey($key_to_fix3,
           [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
           [System.Security.AccessControl.RegistryRights]::ChangePermissions)

    $acl3 = $key3.GetAccessControl()

    $person = [System.Security.Principal.NTAccount]"restricted"
    $access = [System.Security.AccessControl.RegistryRights]"ReadKey"
    $servicelocal3 = New-Object System.Security.AccessControl.RegistryAccessRule ($person,$access,"ContainerInherit","None","Allow")
    
    $acl3.SetAccessRule($servicelocal3)
    
    $key3.SetAccessControl($acl3)
}
#
#New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
$key_to_fix =  "S-1-5-19\Software\Microsoft\SystemCertificates\CA"


    Write-host "Fixing:" $key_to_fix

    $key = [Microsoft.Win32.Registry]::Users.OpenSubKey($key_to_fix,
           [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
           [System.Security.AccessControl.RegistryRights]::ChangePermissions)

    $acl = $key.GetAccessControl()

    $rule = New-Object System.Security.AccessControl.RegistryAccessRule ("NT AUTHORITY\LOCALSERVICE","FullControl","Allow")
    
    $acl.SetAccessRule($rule)
    
    $key.SetAccessControl($acl)
    
    $acl = Get-Acl "HKU:\S-1-5-19\SOFTWARE\Microsoft\SystemCertificates\CA"
    
    $servicelocal = New-Object System.Security.Principal.NTAccount 'NT AUTHORITY\LOCALSERVICE'
    $acl.SetGroup( $servicelocal)
    $acl | Set-Acl

    here it is our script to solve the issue

    and we need to reinstall Sophos to solve the issue.

Reply
  • 0 in reply to émeric SOULENQ

    I want to say thanks you "Sophos User930" a lot !!!

    finaly it was a ACL issue on all registry since we apply OS update !

    # Modification des acls des clés de registre

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force -Confirm:$false

$keys_to_fix = "S-1-5-19", 
               "S-1-5-19\Software", 
			   "S-1-5-19\Software\Microsoft", 
			   "S-1-5-19\Software\Microsoft\SystemCertificates"

foreach($key_to_fix in $keys_to_fix)
{
    Write-host "Fixing:" $key_to_fix

    $key = [Microsoft.Win32.Registry]::Users.OpenSubKey($key_to_fix,
           [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
           [System.Security.AccessControl.RegistryRights]::ChangePermissions)

    $acl = $key.GetAccessControl()

    $rule = New-Object System.Security.AccessControl.RegistryAccessRule ("NT AUTHORITY\LOCALSERVICE","FullControl","ContainerInherit","None","Allow")
    
    $acl.SetAccessRule($rule)
    
    $key.SetAccessControl($acl)
}

$keys_to_fix2 = "S-1-5-19", 
               "S-1-5-19\Software", 
			   "S-1-5-19\Software\Microsoft"			   
			   

foreach($key_to_fix2 in $keys_to_fix2)
{
    Write-host "Fixing:" $key_to_fix2

    $key2 = [Microsoft.Win32.Registry]::Users.OpenSubKey($key_to_fix2,
           [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
           [System.Security.AccessControl.RegistryRights]::ChangePermissions)

    $acl2 = $key2.GetAccessControl()

    $systemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-15-2-1')

    $rule2 = New-Object System.Security.AccessControl.RegistryAccessRule ($systemSid,"ReadKey","Allow")
    
    $acl2.SetAccessRule($rule2)
    
    $key2.SetAccessControl($acl2)
}

$keys_to_fix3 = "S-1-5-19", 
               "S-1-5-19\Software", 
			   "S-1-5-19\Software\Microsoft", 
			   "S-1-5-19\Software\Microsoft\SystemCertificates"

foreach($key_to_fix3 in $keys_to_fix3)
{
    Write-host "Fixing:" $key_to_fix3

    $key3 = [Microsoft.Win32.Registry]::Users.OpenSubKey($key_to_fix3,
           [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
           [System.Security.AccessControl.RegistryRights]::ChangePermissions)

    $acl3 = $key3.GetAccessControl()

    $person = [System.Security.Principal.NTAccount]"restricted"
    $access = [System.Security.AccessControl.RegistryRights]"ReadKey"
    $servicelocal3 = New-Object System.Security.AccessControl.RegistryAccessRule ($person,$access,"ContainerInherit","None","Allow")
    
    $acl3.SetAccessRule($servicelocal3)
    
    $key3.SetAccessControl($acl3)
}
#
#New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
$key_to_fix =  "S-1-5-19\Software\Microsoft\SystemCertificates\CA"


    Write-host "Fixing:" $key_to_fix

    $key = [Microsoft.Win32.Registry]::Users.OpenSubKey($key_to_fix,
           [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
           [System.Security.AccessControl.RegistryRights]::ChangePermissions)

    $acl = $key.GetAccessControl()

    $rule = New-Object System.Security.AccessControl.RegistryAccessRule ("NT AUTHORITY\LOCALSERVICE","FullControl","Allow")
    
    $acl.SetAccessRule($rule)
    
    $key.SetAccessControl($acl)
    
    $acl = Get-Acl "HKU:\S-1-5-19\SOFTWARE\Microsoft\SystemCertificates\CA"
    
    $servicelocal = New-Object System.Security.Principal.NTAccount 'NT AUTHORITY\LOCALSERVICE'
    $acl.SetGroup( $servicelocal)
    $acl | Set-Acl

    here it is our script to solve the issue

    and we need to reinstall Sophos to solve the issue.

Children
Unfiltered HTML