
Some clients fail to update livequery64 when connected via Cisco Anyconnect (Error 1053)

Hello there,

We have three laptops where the error message "Failed to install livequery64: general error" is displayed. The affected clients are connected via Cisco Anyconnect (VPN).

One client which reported the error on Monday was directly connected to our network on Tuesday and managed to do the update.

On one client the problem occurs for the fourth time. We tried to repair the Agent, uninstall it through Apps and Features and uninstall it with SophosZAP. After the reinstallation the update is installed successfully, but after some days the error reoccurs.

The Livequery-Log shows the error message 1053 StartService failed. I checked the cacls "%ALLUSERSPROFILE%" /C permissions - these look normal:

    C:\ProgramData NT-AUTORITÄT\SYSTEM:(OI)(CI)F
                   VORDEFINIERT\Administratoren:(OI)(CI)F
                   ERSTELLER-BESITZER:(OI)(CI)(IO)F
                   VORDEFINIERT\Benutzer:(OI)(CI)R
                   VORDEFINIERT\Benutzer:(CI)(Beschränkter Zugriff:)
                                          FILE_WRITE_DATA
                                          FILE_APPEND_DATA
                                          FILE_WRITE_EA
                                          FILE_WRITE_ATTRIBUTES

Has anyone had similar experiences in the past?

Best regards,

Patrick
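
Added example (not part of the original posts and not Sophos code): a small Python triage script for installer logs in the format posted in the reply below. It reports which service start failed, the Win32 error code, how long the start call blocked, and which services had already started; the line layout and step wording are assumed from that log, and the embedded sample is an abridged excerpt of it.

```python
import re
from datetime import datetime

# Line layout assumed from the log in this thread:
#   <ISO timestamp>Z [ <pid>:<tid>] <level A|I|W|E> <message>
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})Z\s+"
    r"\[\s*\d+:\s*\d+\]\s+(?P<level>[AIWE])\s+(?P<msg>.*)$"
)
EXEC = "Executing step: "
START = "Start tamper-protected service step: "
ROLLBACK = "Rolling back step: "
ERROR_RE = re.compile(r"failed with error (\d+)")
FAILED_RE = re.compile(r"^Failed step: (.*), rolling back previous steps$")

# Win32 service error codes (winerror.h) that StartService can return.
WIN32_SERVICE_ERRORS = {
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT",
    1058: "ERROR_SERVICE_DISABLED",
    1068: "ERROR_SERVICE_DEPENDENCY_FAIL",
    1069: "ERROR_SERVICE_LOGON_FAILED",
}

# Abridged excerpt of the log posted in this thread.
SAMPLE_LOG = r"""
2022-02-22T05:27:59.459Z [ 3628:15864] A Executing step: Start tamper-protected service step: Sophos Live Query
2022-02-22T05:27:59.709Z [ 3628:15864] I Waiting 60000ms for service to start.
2022-02-22T05:28:00.726Z [ 3628:15864] I The service is running.
2022-02-22T05:28:00.726Z [ 3628:15864] A Executing step: Start tamper-protected service step: Sophos Managed Threat Response
2022-02-22T05:28:30.793Z [ 3628:15864] E Exception starting tamper protected service: StartService failed with error 1053: Der Dienst antwortete nicht rechtzeitig auf die Start- oder Steuerungsanforderung.
2022-02-22T05:28:30.804Z [ 3628:15864] E Failed step: Start tamper-protected service step: Sophos Managed Threat Response, rolling back previous steps
2022-02-22T05:28:30.807Z [ 3628:15864] A Rolling back step: Start tamper-protected service step: Sophos Live Query
2022-02-22T05:28:31.818Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging, 64, EnableScriptBlockLogging, 1)
"""


def parse_line(line):
    """Split one log line into time, level and message; None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f"),
        "level": m.group("level"),
        "msg": m.group("msg").rstrip(),
    }


def triage(lines):
    """Summarise an install attempt: what started, what failed, and why."""
    report = {
        "started_ok": [],         # services whose start step succeeded
        "failed_step": None,      # full text of the step that triggered rollback
        "failed_service": None,   # service name, if the failed step was a start
        "error_code": None,       # first Win32 error reported
        "error_name": None,
        "blocked_seconds": None,  # time from step start to the first error
        "rolled_back": 0,         # number of rollback steps that followed
    }
    step, step_started = None, None
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith(EXEC):
            step, step_started = msg[len(EXEC):], rec["time"]
        elif msg.startswith(ROLLBACK):
            report["rolled_back"] += 1
        elif msg == "The service is running." and step and step.startswith(START):
            report["started_ok"].append(step[len(START):])
        if rec["level"] in "EW" and report["error_code"] is None:
            err = ERROR_RE.search(msg)
            if err:
                code = int(err.group(1))
                report["error_code"] = code
                report["error_name"] = WIN32_SERVICE_ERRORS.get(code, "unknown")
                if step_started is not None:
                    # 1053 after roughly 30 s matches the Service Control
                    # Manager's default start timeout of 30000 ms.
                    delta = rec["time"] - step_started
                    report["blocked_seconds"] = round(delta.total_seconds(), 3)
        failed = FAILED_RE.match(msg)
        if failed:
            report["failed_step"] = failed.group(1)
            if report["failed_step"].startswith(START):
                report["failed_service"] = report["failed_step"][len(START):]
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On this excerpt the report names Sophos Managed Threat Response as the service whose start timed out, while Sophos Live Query appears under `started_ok`.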



  • Can you attach the logs for it? They should be under \windows\temp if SAU is attempting to install a component.

  • That's the Sophos LiveQuery Install Log:

    2022-02-22T05:27:56.825Z [ 3628:15864] A Begin product setup
    2022-02-22T05:27:56.828Z [ 3628:15864] A Begin install
    2022-02-22T05:27:56.832Z [ 3628:15864] A Scheduled query pack (LATEST) version 1.9.2
    2022-02-22T05:27:56.834Z [ 3628:15864] A Scheduled query pack (NEXT) version 1.9.2
    2022-02-22T05:27:56.838Z [ 3628:15864] A Executing step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\MTR_SCM, 64, Enable, 0)
    2022-02-22T05:27:56.843Z [ 3628:15864] A Executing step: Stop service step without disabling tamper protection for service: Sophos Managed Threat Response
    2022-02-22T05:27:56.845Z [ 3628:15864] I Service Sophos Managed Threat Response already stopped.
    2022-02-22T05:27:56.845Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\LiveQuery, 64)
    2022-02-22T05:27:56.847Z [ 3628:15864] A Executing step: Stop service step without disabling tamper protection for service: Sophos Live Query
    2022-02-22T05:27:56.849Z [ 3628:15864] I PID of service: 5060
    2022-02-22T05:27:56.849Z [ 3628:15864] I PID of service: 5060
    2022-02-22T05:27:56.849Z [ 3628:15864] I Service process handle acquired
    2022-02-22T05:27:56.849Z [ 3628:15864] I StopCommand key was set
    2022-02-22T05:27:56.850Z [ 3628:15864] I Waiting 60000ms for service stop
    2022-02-22T05:27:56.850Z [ 3628:15864] I Waiting for operation to succeed within 60000ms.
    2022-02-22T05:27:57.853Z [ 3628:15864] I Retrying operation. Counter: 1
    2022-02-22T05:27:57.853Z [ 3628:15864] I Service has stopped.
    2022-02-22T05:27:57.854Z [ 3628:15864] I StopCommand key was removed
    2022-02-22T05:27:57.854Z [ 3628:15864] A Executing step: Killing any left over SophosOsquery and SophosOsqueryExtension processes from the livequery programfiles folder
    2022-02-22T05:27:57.868Z [ 3628:15864] A Executing step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\LiveQuery, 64, Enable, 0)
    2022-02-22T05:27:57.873Z [ 3628:15864] A Executing step: Delete service step: Sophos Live Query
    2022-02-22T05:27:57.874Z [ 3628:15864] I Querying configuration of service: Sophos Live Query
    2022-02-22T05:27:57.876Z [ 3628:15864] I Waiting 60000ms for service deletion
    2022-02-22T05:27:57.876Z [ 3628:15864] I Waiting for operation to succeed within 60000ms.
    2022-02-22T05:27:57.876Z [ 3628:15864] W Service still exists, waiting...
    2022-02-22T05:27:58.898Z [ 3628:15864] I Retrying operation. Counter: 1
    2022-02-22T05:27:58.898Z [ 3628:15864] A Successfully deleted service: Sophos Live Query
    2022-02-22T05:27:58.900Z [ 3628:15864] A Executing step: Install service step: Sophos Live Query
    2022-02-22T05:27:58.911Z [ 3628:15864] A Executing step: Tamper protection will be updated for the main component, if rollback is triggered.
    2022-02-22T05:27:58.913Z [ 3628:15864] A Executing step: LiveQuery Trickbot Mitigation Keys Installer
    2022-02-22T05:27:58.915Z [ 3628:15864] A Executing step: Trickbot protection key install steps for SophosLiveQueryService.exe
    2022-02-22T05:27:58.917Z [ 3628:15864] A Executing step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosLiveQueryService.exe, 0)
    2022-02-22T05:27:58.923Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosLiveQueryService.exe, 0)
    2022-02-22T05:27:58.926Z [ 3628:15864] A Executing step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosLiveQueryService.exe, 64)
    2022-02-22T05:27:58.932Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosLiveQueryService.exe, 64)
    2022-02-22T05:27:58.934Z [ 3628:15864] A Executing step: Trickbot protection key install steps for SophosOsquery.exe
    2022-02-22T05:27:58.936Z [ 3628:15864] A Executing step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosOsquery.exe, 0)
    2022-02-22T05:27:58.943Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosOsquery.exe, 0)
    2022-02-22T05:27:58.948Z [ 3628:15864] A Executing step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosOsquery.exe, 64)
    2022-02-22T05:27:58.954Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosOsquery.exe, 64)
    2022-02-22T05:27:58.956Z [ 3628:15864] A Executing step: Trickbot protection key install steps for SophosOsqueryExtension.exe
    2022-02-22T05:27:58.957Z [ 3628:15864] A Executing step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosOsqueryExtension.exe, 0)
    2022-02-22T05:27:58.964Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosOsqueryExtension.exe, 0)
    2022-02-22T05:27:58.969Z [ 3628:15864] A Executing step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosOsqueryExtension.exe, 64)
    2022-02-22T05:27:58.979Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosOsqueryExtension.exe, 64)
    2022-02-22T05:27:58.981Z [ 3628:15864] A Executing step: Trickbot protection key install steps for SophosMTRExtension.exe
    2022-02-22T05:27:58.983Z [ 3628:15864] A Executing step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosMTRExtension.exe, 0)
    2022-02-22T05:27:58.989Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosMTRExtension.exe, 0)
    2022-02-22T05:27:59.001Z [ 3628:15864] A Executing step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosMTRExtension.exe, 64)
    2022-02-22T05:27:59.011Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosMTRExtension.exe, 64)
    2022-02-22T05:27:59.019Z [ 3628:15864] A Executing step: Trickbot protection key install steps for SophosLiveQueryUninstall.exe
    2022-02-22T05:27:59.027Z [ 3628:15864] A Executing step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosLiveQueryUninstall.exe, 0)
    2022-02-22T05:27:59.044Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosLiveQueryUninstall.exe, 0)
    2022-02-22T05:27:59.058Z [ 3628:15864] A Executing step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosLiveQueryUninstall.exe, 64)
    2022-02-22T05:27:59.067Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosLiveQueryUninstall.exe, 64)
    2022-02-22T05:27:59.072Z [ 3628:15864] A Executing step: Trickbot protection key install steps for SophosLiveQueryTelemetry.exe
    2022-02-22T05:27:59.074Z [ 3628:15864] A Executing step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosLiveQueryTelemetry.exe, 0)
    2022-02-22T05:27:59.080Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosLiveQueryTelemetry.exe, 0)
    2022-02-22T05:27:59.084Z [ 3628:15864] A Executing step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosLiveQueryTelemetry.exe, 64)
    2022-02-22T05:27:59.092Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosLiveQueryTelemetry.exe, 64)
    2022-02-22T05:27:59.094Z [ 3628:15864] A Executing step: Create directory C:\Program Files\Sophos\Live Query and all parent directories
    2022-02-22T05:27:59.096Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\integrity.dat, C:\Program Files\Sophos\Live Query\integrity.dat)
    2022-02-22T05:27:59.102Z [ 3628:15864] A Executing step: Tamper protection will be updated for the main component.
    2022-02-22T05:27:59.109Z [ 3628:15864] I Waiting for operation to succeed within 60000ms.
    2022-02-22T05:27:59.109Z [ 3628:15864] I Tamper protection for the main component has been updated.
    2022-02-22T05:27:59.109Z [ 3628:15864] A Executing step: LiveQuery ProgramData directory installer
    2022-02-22T05:27:59.115Z [ 3628:15864] A Executing step: Create directory C:\ProgramData\Sophos\Live Query and all parent directories
    2022-02-22T05:27:59.118Z [ 3628:15864] I Existing security permissions before resetting permissions: D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)(A;OICI;FR;;;BU)
    2022-02-22T05:27:59.121Z [ 3628:15864] A Executing step: Create directory C:\ProgramData\Sophos\Live Query\Processes and all parent directories
    2022-02-22T05:27:59.123Z [ 3628:15864] I Existing security permissions before resetting permissions: D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)(A;OICI;FR;;;BU)
    2022-02-22T05:27:59.124Z [ 3628:15864] A Executing step: Create directory C:\ProgramData\Sophos\Live Query\Queries and all parent directories
    2022-02-22T05:27:59.127Z [ 3628:15864] I Existing security permissions before resetting permissions: D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)(A;OICI;FR;;;BU)
    2022-02-22T05:27:59.130Z [ 3628:15864] A Executing step: Create directory C:\ProgramData\Sophos\Live Query\Queries\Incoming and all parent directories
    2022-02-22T05:27:59.132Z [ 3628:15864] I Existing security permissions before resetting permissions: D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)(A;OICI;FR;;;BU)
    2022-02-22T05:27:59.133Z [ 3628:15864] A Executing step: Create directory C:\ProgramData\Sophos\Live Query\Queries\Results and all parent directories
    2022-02-22T05:27:59.136Z [ 3628:15864] I Existing security permissions before resetting permissions: D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)(A;OICI;FR;;;BU)
    2022-02-22T05:27:59.137Z [ 3628:15864] A Executing step: Create directory C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest and all parent directories
    2022-02-22T05:27:59.139Z [ 3628:15864] I Existing security permissions before resetting permissions: D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)(A;OICI;FR;;;BU)
    2022-02-22T05:27:59.141Z [ 3628:15864] A Executing step: Create directory C:\ProgramData\Sophos\Live Query\Queries\Packs\Next and all parent directories
    2022-02-22T05:27:59.144Z [ 3628:15864] I Existing security permissions before resetting permissions: D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)(A;OICI;FR;;;BU)
    2022-02-22T05:27:59.148Z [ 3628:15864] A Executing step: Create directory C:\ProgramData\Sophos\Live Query\Queries\Temp and all parent directories
    2022-02-22T05:27:59.153Z [ 3628:15864] I Existing security permissions before resetting permissions: D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)(A;OICI;FR;;;BU)
    2022-02-22T05:27:59.154Z [ 3628:15864] A Executing step: Create directory C:\ProgramData\Sophos\Live Query\Logs and all parent directories
    2022-02-22T05:27:59.156Z [ 3628:15864] I Existing security permissions before resetting permissions: D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)(A;OICI;FR;;;BU)
    2022-02-22T05:27:59.159Z [ 3628:15864] A Executing step: Create directory C:\ProgramData\Sophos\Live Query\Data and all parent directories
    2022-02-22T05:27:59.161Z [ 3628:15864] I Existing security permissions before resetting permissions: D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)(A;OICI;FR;;;BU)
    2022-02-22T05:27:59.163Z [ 3628:15864] A Executing step: Create directory C:\ProgramData\Sophos\Live Query\Config and all parent directories
    2022-02-22T05:27:59.165Z [ 3628:15864] I Existing security permissions before resetting permissions: D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)(A;OICI;FR;;;BU)
    2022-02-22T05:27:59.167Z [ 3628:15864] A Executing step: Create directory C:\ProgramData\Sophos\Live Query\Config\sophos.osquery.conf.d and all parent directories
    2022-02-22T05:27:59.169Z [ 3628:15864] I Existing security permissions before resetting permissions: D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)(A;OICI;FR;;;BU)
    2022-02-22T05:27:59.171Z [ 3628:15864] A Executing step: Create directory C:\ProgramData\Sophos\Live Query\Queries\Metrics and all parent directories
    2022-02-22T05:27:59.174Z [ 3628:15864] I Existing security permissions before resetting permissions: D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)(A;OICI;FR;;;BU)
    2022-02-22T05:27:59.175Z [ 3628:15864] A Executing step: Create directory C:\ProgramData\Sophos\Certificates\Live Query and all parent directories
    2022-02-22T05:27:59.177Z [ 3628:15864] I Existing security permissions before resetting permissions: D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)(A;OICI;FR;;;BU)
    2022-02-22T05:27:59.179Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\livequery.flags, C:\ProgramData\Sophos\Live Query\Config\livequery.flags)
    2022-02-22T05:27:59.183Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\sophos.osquery.conf, C:\ProgramData\Sophos\Live Query\Config\sophos.osquery.conf)
    2022-02-22T05:27:59.187Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\extensions.load, C:\ProgramData\Sophos\Live Query\Config\extensions.load)
    2022-02-22T05:27:59.191Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\tls_server_certs.pem, C:\ProgramData\Sophos\Certificates\Live Query\tls_server_certs.pem)
    2022-02-22T05:27:59.197Z [ 3628:15864] A Executing step: LiveQuery Scheduled Query Pack (LATEST) Installer
    2022-02-22T05:27:59.199Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_latest\sophos-scheduled-query-pack.conf, C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest\sophos-scheduled-query-pack.conf)
    2022-02-22T05:27:59.204Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_latest\sophos-scheduled-query-pack.mtr.conf, C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest\sophos-scheduled-query-pack.mtr.conf)
    2022-02-22T05:27:59.208Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_latest\sophos-scheduled-query-pack.mtr-e.conf, C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest\sophos-scheduled-query-pack.mtr-e.conf)
    2022-02-22T05:27:59.214Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_latest\version.txt, C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest\version.txt)
    2022-02-22T05:27:59.218Z [ 3628:15864] A Executing step: LiveQuery Scheduled Query Pack (NEXT) Installer
    2022-02-22T05:27:59.220Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_next\sophos-scheduled-query-pack.conf, C:\ProgramData\Sophos\Live Query\Queries\Packs\Next\sophos-scheduled-query-pack.conf)
    2022-02-22T05:27:59.226Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_next\sophos-scheduled-query-pack.mtr.conf, C:\ProgramData\Sophos\Live Query\Queries\Packs\Next\sophos-scheduled-query-pack.mtr.conf)
    2022-02-22T05:27:59.231Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_next\sophos-scheduled-query-pack.mtr-e.conf, C:\ProgramData\Sophos\Live Query\Queries\Packs\Next\sophos-scheduled-query-pack.mtr-e.conf)
    2022-02-22T05:27:59.236Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_next\version.txt, C:\ProgramData\Sophos\Live Query\Queries\Packs\Next\version.txt)
    2022-02-22T05:27:59.240Z [ 3628:15864] A Executing step: Live Query Log key installer
    2022-02-22T05:27:59.242Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Logging\LiveQuery\SophosLiveQueryService.exe, 64)
    2022-02-22T05:27:59.244Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Logging\LiveQuery\SophosOsquery.exe, 64)
    2022-02-22T05:27:59.246Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Logging\LiveQuery\SophosOsqueryExtension.exe, 64)
    2022-02-22T05:27:59.248Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\SophosOsquery.exe, C:\Program Files\Sophos\Live Query\SophosOsquery.exe)
    2022-02-22T05:27:59.278Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\SophosOsqueryExtension.exe, C:\Program Files\Sophos\Live Query\SophosOsqueryExtension.exe)
    2022-02-22T05:27:59.287Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\SophosMTRExtension.exe, C:\Program Files\Sophos\Live Query\SophosMTRExtension.exe)
    2022-02-22T05:27:59.299Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\SophosLiveQueryService.exe, C:\Program Files\Sophos\Live Query\SophosLiveQueryService.exe)
    2022-02-22T05:27:59.306Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\NOTICE.txt, C:\Program Files\Sophos\Live Query\NOTICE.txt)
    2022-02-22T05:27:59.311Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\SophosLiveQueryUninstall.exe, C:\Program Files\Sophos\Live Query\SophosLiveQueryUninstall.exe)
    2022-02-22T05:27:59.317Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Live Query, 64)
    2022-02-22T05:27:59.320Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Live Query\status, 64)
    2022-02-22T05:27:59.322Z [ 3628:15864] A Executing step: Live Query add extension registry configuration
    2022-02-22T05:27:59.324Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Live Query\load_extensions, 64)
    2022-02-22T05:27:59.326Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Live Query\load_extensions\SophosExtension, 64)
    2022-02-22T05:27:59.328Z [ 3628:15864] A Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Live Query\load_extensions\SophosExtension, 64, path, C:\Program Files\Sophos\Live Query\SophosOsqueryExtension.exe)
    2022-02-22T05:27:59.330Z [ 3628:15864] A Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Live Query\load_extensions\SophosExtension, 64, extraArgs, --live_query)
    2022-02-22T05:27:59.332Z [ 3628:15864] A Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Live Query\load_extensions\SophosExtension, 64, enableWatchdog, 1)
    2022-02-22T05:27:59.334Z [ 3628:15864] A Executing step: Live Query add extension registry configuration
    2022-02-22T05:27:59.336Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Live Query\load_extensions, 64)
    2022-02-22T05:27:59.338Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Live Query\load_extensions\sophosmdrextension, 64)
    2022-02-22T05:27:59.341Z [ 3628:15864] A Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Live Query\load_extensions\sophosmdrextension, 64, path, C:\Program Files\Sophos\Live Query\SophosMTRExtension.exe)
    2022-02-22T05:27:59.390Z [ 3628:15864] A Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Live Query\load_extensions\sophosmdrextension, 64, extraArgs, )
    2022-02-22T05:27:59.392Z [ 3628:15864] A Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Live Query\load_extensions\sophosmdrextension, 64, enableWatchdog, 1)
    2022-02-22T05:27:59.394Z [ 3628:15864] A Executing step: Live Query add remove program key installer
    2022-02-22T05:27:59.396Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Live Query, 64)
    2022-02-22T05:27:59.399Z [ 3628:15864] A Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Live Query, 64, DisplayName, Sophos Live Query)
    2022-02-22T05:27:59.401Z [ 3628:15864] A Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Live Query, 64, DisplayVersion, 3.4.0.317)
    2022-02-22T05:27:59.403Z [ 3628:15864] A Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Live Query, 64, Publisher, Sophos Limited)
    2022-02-22T05:27:59.405Z [ 3628:15864] A Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Live Query, 64, SystemComponent, 1)
    2022-02-22T05:27:59.412Z [ 3628:15864] A Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Live Query, 64, UninstallString, "C:\Program Files\Sophos\Live Query\SophosLiveQueryUninstall.exe")
    2022-02-22T05:27:59.413Z [ 3628:15864] A Executing step: LiveQuery adapter installer
    2022-02-22T05:27:59.415Z [ 3628:15864] A Executing step: DeleteRegistryKey(HKLM\Software\Sophos\Remote Management System\ManagementAgent\Adapters\LiveQuery, 32)
    2022-02-22T05:27:59.421Z [ 3628:15864] A Executing step: WaitForLockedFile(C:\Program Files\Sophos\Live Query\LiveQueryAdapter.dll, 60, WaitOnInstallToUnlock)
    2022-02-22T05:27:59.426Z [ 3628:15864] I Waiting for operation to succeed within 60000ms.
    2022-02-22T05:27:59.428Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\LiveQueryAdapter.dll, C:\Program Files\Sophos\Live Query\LiveQueryAdapter.dll)
    2022-02-22T05:27:59.434Z [ 3628:15864] A Executing step: WaitForLockedFile(C:\Program Files\Sophos\Live Query\LiveQueryAdapter.dll, 60, WaitOnRollbackToUnlock)
    2022-02-22T05:27:59.436Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\Software\Sophos\Remote Management System\ManagementAgent\Adapters\LiveQuery, 32)
    2022-02-22T05:27:59.438Z [ 3628:15864] A Executing step: SetRegistryValue(HKLM\Software\Sophos\Remote Management System\ManagementAgent\Adapters\LiveQuery, 32, DllPath, C:\Program Files\Sophos\Live Query\LiveQueryAdapter.dll)
    2022-02-22T05:27:59.441Z [ 3628:15864] A Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\SophosLiveQueryTelemetry.exe, C:\Program Files\Sophos\Live Query\SophosLiveQueryTelemetry.exe)
    2022-02-22T05:27:59.448Z [ 3628:15864] A Executing step: Live Query Telemetry installer
    2022-02-22T05:27:59.450Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\LiveQuery, 32)
    2022-02-22T05:27:59.452Z [ 3628:15864] A Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\LiveQuery, 32, Cmd, SophosLiveQueryTelemetry.exe)
    2022-02-22T05:27:59.454Z [ 3628:15864] A Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\LiveQuery, 32, Path, C:\Program Files\Sophos\Live Query\SophosLiveQueryTelemetry.exe)
    2022-02-22T05:27:59.456Z [ 3628:15864] A Executing step: CreateRegistryKey(HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging, 64)
    2022-02-22T05:27:59.458Z [ 3628:15864] A Executing step: SetRegistryValue(HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging, 64, EnableScriptBlockLogging, 1)
    2022-02-22T05:27:59.459Z [ 3628:15864] A Executing step: Start tamper-protected service step: Sophos Live Query
    2022-02-22T05:27:59.463Z [ 3628:15864] I Querying configuration of service: Sophos Live Query
    2022-02-22T05:27:59.709Z [ 3628:15864] I Waiting 60000ms for service to start.
    2022-02-22T05:27:59.709Z [ 3628:15864] I Waiting for operation to succeed within 60000ms.
    2022-02-22T05:28:00.726Z [ 3628:15864] I Retrying operation. Counter: 1
    2022-02-22T05:28:00.726Z [ 3628:15864] I The service is running.
    2022-02-22T05:28:00.726Z [ 3628:15864] A Executing step: Start tamper-protected service step: Sophos Managed Threat Response
    2022-02-22T05:28:00.729Z [ 3628:15864] I Querying configuration of service: Sophos Managed Threat Response
    2022-02-22T05:28:30.793Z [ 3628:15864] E Exception starting tamper protected service: StartService failed with error 1053: Der Dienst antwortete nicht rechtzeitig auf die Start- oder Steuerungsanforderung.
    2022-02-22T05:28:30.797Z [ 3628:15864] W Cannot determine service PID; service is in invalid state: 1
    2022-02-22T05:28:30.800Z [ 3628:15864] I StopCommand key was set
    2022-02-22T05:28:30.800Z [ 3628:15864] I Waiting 60000ms for service stop
    2022-02-22T05:28:30.801Z [ 3628:15864] I Waiting for operation to succeed within 60000ms.
    2022-02-22T05:28:30.801Z [ 3628:15864] I Service has stopped.
    2022-02-22T05:28:30.801Z [ 3628:15864] I StopCommand key was removed
    2022-02-22T05:28:30.801Z [ 3628:15864] W StartService failed with error 1053: Der Dienst antwortete nicht rechtzeitig auf die Start- oder Steuerungsanforderung.
    2022-02-22T05:28:30.804Z [ 3628:15864] E Failed step: Start tamper-protected service step: Sophos Managed Threat Response, rolling back previous steps
    2022-02-22T05:28:30.807Z [ 3628:15864] A Rolling back step: Start tamper-protected service step: Sophos Live Query
    2022-02-22T05:28:30.811Z [ 3628:15864] I PID of service: 15304
    2022-02-22T05:28:30.811Z [ 3628:15864] I PID of service: 15304
    2022-02-22T05:28:30.811Z [ 3628:15864] I Service process handle acquired
    2022-02-22T05:28:30.811Z [ 3628:15864] I StopCommand key was set
    2022-02-22T05:28:30.812Z [ 3628:15864] I Waiting 60000ms for service stop
    2022-02-22T05:28:30.812Z [ 3628:15864] I Waiting for operation to succeed within 60000ms.
    2022-02-22T05:28:31.816Z [ 3628:15864] I Retrying operation. Counter: 1
    2022-02-22T05:28:31.816Z [ 3628:15864] I Service has stopped.
    2022-02-22T05:28:31.817Z [ 3628:15864] I StopCommand key was removed
    2022-02-22T05:28:31.818Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging, 64, EnableScriptBlockLogging, 1)
    2022-02-22T05:28:31.821Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging, 64)
    2022-02-22T05:28:31.824Z [ 3628:15864] A Rolling back step: Live Query Telemetry installer
    2022-02-22T05:28:31.827Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\LiveQuery, 32, Path, C:\Program Files\Sophos\Live Query\SophosLiveQueryTelemetry.exe)
    2022-02-22T05:28:31.831Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\LiveQuery, 32, Cmd, SophosLiveQueryTelemetry.exe)
    2022-02-22T05:28:31.834Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\LiveQuery, 32)
    2022-02-22T05:28:31.838Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\SophosLiveQueryTelemetry.exe, C:\Program Files\Sophos\Live Query\SophosLiveQueryTelemetry.exe)
    2022-02-22T05:28:31.844Z [ 3628:15864] A Rolling back step: LiveQuery adapter installer
    2022-02-22T05:28:31.848Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\Software\Sophos\Remote Management System\ManagementAgent\Adapters\LiveQuery, 32, DllPath, C:\Program Files\Sophos\Live Query\LiveQueryAdapter.dll)
    2022-02-22T05:28:31.852Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\Software\Sophos\Remote Management System\ManagementAgent\Adapters\LiveQuery, 32)
    2022-02-22T05:28:31.856Z [ 3628:15864] A Rolling back step: WaitForLockedFile(C:\Program Files\Sophos\Live Query\LiveQueryAdapter.dll, 60, WaitOnRollbackToUnlock)
    2022-02-22T05:28:31.859Z [ 3628:15864] I Waiting for operation to succeed within 60000ms.
    2022-02-22T05:28:31.972Z [ 3628:15864] I Retrying operation. Counter: 1
    2022-02-22T05:28:31.973Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\LiveQueryAdapter.dll, C:\Program Files\Sophos\Live Query\LiveQueryAdapter.dll)
    2022-02-22T05:28:31.976Z [ 3628:15864] A Rolling back step: WaitForLockedFile(C:\Program Files\Sophos\Live Query\LiveQueryAdapter.dll, 60, WaitOnInstallToUnlock)
    2022-02-22T05:28:31.978Z [ 3628:15864] A Rolling back step: DeleteRegistryKey(HKLM\Software\Sophos\Remote Management System\ManagementAgent\Adapters\LiveQuery, 32)
    2022-02-22T05:28:31.982Z [ 3628:15864] A Rolling back step: Live Query add remove program key installer
    2022-02-22T05:28:31.985Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Live Query, 64, UninstallString, "C:\Program Files\Sophos\Live Query\SophosLiveQueryUninstall.exe")
    2022-02-22T05:28:31.987Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Live Query, 64, SystemComponent, 1)
    2022-02-22T05:28:31.989Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Live Query, 64, Publisher, Sophos Limited)
    2022-02-22T05:28:31.991Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Live Query, 64, DisplayVersion, 3.4.0.317)
    2022-02-22T05:28:31.993Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Live Query, 64, DisplayName, Sophos Live Query)
    2022-02-22T05:28:31.994Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Live Query, 64)
    2022-02-22T05:28:31.996Z [ 3628:15864] A Rolling back step: Live Query add extension registry configuration
    2022-02-22T05:28:31.998Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Live Query\load_extensions\sophosmdrextension, 64, enableWatchdog, 1)
    2022-02-22T05:28:32.000Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Live Query\load_extensions\sophosmdrextension, 64, extraArgs, )
    2022-02-22T05:28:32.002Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Live Query\load_extensions\sophosmdrextension, 64, path, C:\Program Files\Sophos\Live Query\SophosMTRExtension.exe)
    2022-02-22T05:28:32.004Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Live Query\load_extensions\sophosmdrextension, 64)
    2022-02-22T05:28:32.006Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Live Query\load_extensions, 64)
    2022-02-22T05:28:32.007Z [ 3628:15864] A Rolling back step: Live Query add extension registry configuration
    2022-02-22T05:28:32.009Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Live Query\load_extensions\SophosExtension, 64, enableWatchdog, 1)
    2022-02-22T05:28:32.011Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Live Query\load_extensions\SophosExtension, 64, extraArgs, --live_query)
    2022-02-22T05:28:32.013Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Live Query\load_extensions\SophosExtension, 64, path, C:\Program Files\Sophos\Live Query\SophosOsqueryExtension.exe)
    2022-02-22T05:28:32.015Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Live Query\load_extensions\SophosExtension, 64)
    2022-02-22T05:28:32.017Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Live Query\load_extensions, 64)
    2022-02-22T05:28:32.019Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Live Query\status, 64)
    2022-02-22T05:28:32.020Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Live Query, 64)
    2022-02-22T05:28:32.022Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\SophosLiveQueryUninstall.exe, C:\Program Files\Sophos\Live Query\SophosLiveQueryUninstall.exe)
    2022-02-22T05:28:32.025Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\NOTICE.txt, C:\Program Files\Sophos\Live Query\NOTICE.txt)
    2022-02-22T05:28:32.029Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\SophosLiveQueryService.exe, C:\Program Files\Sophos\Live Query\SophosLiveQueryService.exe)
    2022-02-22T05:28:32.032Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\SophosMTRExtension.exe, C:\Program Files\Sophos\Live Query\SophosMTRExtension.exe)
    2022-02-22T05:28:32.037Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\SophosOsqueryExtension.exe, C:\Program Files\Sophos\Live Query\SophosOsqueryExtension.exe)
    2022-02-22T05:28:32.041Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\SophosOsquery.exe, C:\Program Files\Sophos\Live Query\SophosOsquery.exe)
    2022-02-22T05:28:32.048Z [ 3628:15864] A Rolling back step: Live Query Log key installer
    2022-02-22T05:28:32.050Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Logging\LiveQuery\SophosOsqueryExtension.exe, 64)
    2022-02-22T05:28:32.052Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Logging\LiveQuery\SophosOsquery.exe, 64)
    2022-02-22T05:28:32.054Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Logging\LiveQuery\SophosLiveQueryService.exe, 64)
    2022-02-22T05:28:32.055Z [ 3628:15864] A Rolling back step: LiveQuery Scheduled Query Pack (NEXT) Installer
    2022-02-22T05:28:32.057Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_next\version.txt, C:\ProgramData\Sophos\Live Query\Queries\Packs\Next\version.txt)
    2022-02-22T05:28:32.060Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_next\sophos-scheduled-query-pack.mtr-e.conf, C:\ProgramData\Sophos\Live Query\Queries\Packs\Next\sophos-scheduled-query-pack.mtr-e.conf)
    2022-02-22T05:28:32.063Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_next\sophos-scheduled-query-pack.mtr.conf, C:\ProgramData\Sophos\Live Query\Queries\Packs\Next\sophos-scheduled-query-pack.mtr.conf)
    2022-02-22T05:28:32.067Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_next\sophos-scheduled-query-pack.conf, C:\ProgramData\Sophos\Live Query\Queries\Packs\Next\sophos-scheduled-query-pack.conf)
    2022-02-22T05:28:32.070Z [ 3628:15864] A Rolling back step: LiveQuery Scheduled Query Pack (LATEST) Installer
    2022-02-22T05:28:32.072Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_latest\version.txt, C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest\version.txt)
    2022-02-22T05:28:32.075Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_latest\sophos-scheduled-query-pack.mtr-e.conf, C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest\sophos-scheduled-query-pack.mtr-e.conf)
    2022-02-22T05:28:32.078Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_latest\sophos-scheduled-query-pack.mtr.conf, C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest\sophos-scheduled-query-pack.mtr.conf)
    2022-02-22T05:28:32.081Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\scheduled_query_pack_latest\sophos-scheduled-query-pack.conf, C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest\sophos-scheduled-query-pack.conf)
    2022-02-22T05:28:32.085Z [ 3628:15864] A Rolling back step: LiveQuery ProgramData directory installer
    2022-02-22T05:28:32.087Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\tls_server_certs.pem, C:\ProgramData\Sophos\Certificates\Live Query\tls_server_certs.pem)
    2022-02-22T05:28:32.091Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\extensions.load, C:\ProgramData\Sophos\Live Query\Config\extensions.load)
    2022-02-22T05:28:32.094Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\sophos.osquery.conf, C:\ProgramData\Sophos\Live Query\Config\sophos.osquery.conf)
    2022-02-22T05:28:32.097Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\livequery.flags, C:\ProgramData\Sophos\Live Query\Config\livequery.flags)
    2022-02-22T05:28:32.100Z [ 3628:15864] A Rolling back step: Create directory C:\ProgramData\Sophos\Certificates\Live Query and all parent directories
    2022-02-22T05:28:32.103Z [ 3628:15864] A Rolling back step: Create directory C:\ProgramData\Sophos\Live Query\Queries\Metrics and all parent directories
    2022-02-22T05:28:32.106Z [ 3628:15864] A Rolling back step: Create directory C:\ProgramData\Sophos\Live Query\Config\sophos.osquery.conf.d and all parent directories
    2022-02-22T05:28:32.110Z [ 3628:15864] A Rolling back step: Create directory C:\ProgramData\Sophos\Live Query\Config and all parent directories
    2022-02-22T05:28:32.114Z [ 3628:15864] A Rolling back step: Create directory C:\ProgramData\Sophos\Live Query\Data and all parent directories
    2022-02-22T05:28:32.117Z [ 3628:15864] A Rolling back step: Create directory C:\ProgramData\Sophos\Live Query\Logs and all parent directories
    2022-02-22T05:28:32.120Z [ 3628:15864] A Rolling back step: Create directory C:\ProgramData\Sophos\Live Query\Queries\Temp and all parent directories
    2022-02-22T05:28:32.123Z [ 3628:15864] A Rolling back step: Create directory C:\ProgramData\Sophos\Live Query\Queries\Packs\Next and all parent directories
    2022-02-22T05:28:32.127Z [ 3628:15864] A Rolling back step: Create directory C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest and all parent directories
    2022-02-22T05:28:32.130Z [ 3628:15864] A Rolling back step: Create directory C:\ProgramData\Sophos\Live Query\Queries\Results and all parent directories
    2022-02-22T05:28:32.133Z [ 3628:15864] A Rolling back step: Create directory C:\ProgramData\Sophos\Live Query\Queries\Incoming and all parent directories
    2022-02-22T05:28:32.136Z [ 3628:15864] A Rolling back step: Create directory C:\ProgramData\Sophos\Live Query\Queries and all parent directories
    2022-02-22T05:28:32.140Z [ 3628:15864] A Rolling back step: Create directory C:\ProgramData\Sophos\Live Query\Processes and all parent directories
    2022-02-22T05:28:32.143Z [ 3628:15864] A Rolling back step: Create directory C:\ProgramData\Sophos\Live Query and all parent directories
    2022-02-22T05:28:32.146Z [ 3628:15864] A Rolling back step: Tamper protection will be updated for the main component.
    2022-02-22T05:28:32.148Z [ 3628:15864] A Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\livequery64\integrity.dat, C:\Program Files\Sophos\Live Query\integrity.dat)
    2022-02-22T05:28:32.151Z [ 3628:15864] A Rolling back step: Create directory C:\Program Files\Sophos\Live Query and all parent directories
    2022-02-22T05:28:32.153Z [ 3628:15864] A Rolling back step: LiveQuery Trickbot Mitigation Keys Installer
    2022-02-22T05:28:32.155Z [ 3628:15864] A Rolling back step: Trickbot protection key install steps for SophosLiveQueryTelemetry.exe
    2022-02-22T05:28:32.157Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosLiveQueryTelemetry.exe, 64)
    2022-02-22T05:28:32.159Z [ 3628:15864] A Rolling back step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosLiveQueryTelemetry.exe, 64)
    2022-02-22T05:28:32.163Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosLiveQueryTelemetry.exe, 0)
    2022-02-22T05:28:32.165Z [ 3628:15864] A Rolling back step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosLiveQueryTelemetry.exe, 0)
    2022-02-22T05:28:32.169Z [ 3628:15864] A Rolling back step: Trickbot protection key install steps for SophosLiveQueryUninstall.exe
    2022-02-22T05:28:32.172Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosLiveQueryUninstall.exe, 64)
    2022-02-22T05:28:32.174Z [ 3628:15864] A Rolling back step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosLiveQueryUninstall.exe, 64)
    2022-02-22T05:28:32.179Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosLiveQueryUninstall.exe, 0)
    2022-02-22T05:28:32.181Z [ 3628:15864] A Rolling back step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosLiveQueryUninstall.exe, 0)
    2022-02-22T05:28:32.185Z [ 3628:15864] A Rolling back step: Trickbot protection key install steps for SophosMTRExtension.exe
    2022-02-22T05:28:32.187Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosMTRExtension.exe, 64)
    2022-02-22T05:28:32.190Z [ 3628:15864] A Rolling back step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosMTRExtension.exe, 64)
    2022-02-22T05:28:32.194Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosMTRExtension.exe, 0)
    2022-02-22T05:28:32.197Z [ 3628:15864] A Rolling back step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosMTRExtension.exe, 0)
    2022-02-22T05:28:32.200Z [ 3628:15864] A Rolling back step: Trickbot protection key install steps for SophosOsqueryExtension.exe
    2022-02-22T05:28:32.203Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosOsqueryExtension.exe, 64)
    2022-02-22T05:28:32.205Z [ 3628:15864] A Rolling back step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosOsqueryExtension.exe, 64)
    2022-02-22T05:28:32.209Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosOsqueryExtension.exe, 0)
    2022-02-22T05:28:32.212Z [ 3628:15864] A Rolling back step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosOsqueryExtension.exe, 0)
    2022-02-22T05:28:32.216Z [ 3628:15864] A Rolling back step: Trickbot protection key install steps for SophosOsquery.exe
    2022-02-22T05:28:32.218Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosOsquery.exe, 64)
    2022-02-22T05:28:32.220Z [ 3628:15864] A Rolling back step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosOsquery.exe, 64)
    2022-02-22T05:28:32.224Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosOsquery.exe, 0)
    2022-02-22T05:28:32.226Z [ 3628:15864] A Rolling back step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosOsquery.exe, 0)
    2022-02-22T05:28:32.230Z [ 3628:15864] A Rolling back step: Trickbot protection key install steps for SophosLiveQueryService.exe
    2022-02-22T05:28:32.232Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosLiveQueryService.exe, 64)
    2022-02-22T05:28:32.234Z [ 3628:15864] A Rolling back step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\SophosLiveQueryService.exe, 64)
    2022-02-22T05:28:32.238Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosLiveQueryService.exe, 0)
    2022-02-22T05:28:32.240Z [ 3628:15864] A Rolling back step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SophosLiveQueryService.exe, 0)
    2022-02-22T05:28:32.244Z [ 3628:15864] A Rolling back step: Tamper protection will be updated for the main component, if rollback is triggered.
    2022-02-22T05:28:32.249Z [ 3628:15864] A Tamper protection was not enabled for the main component. Will remain off after rollback.
    2022-02-22T05:28:32.252Z [ 3628:15864] A Rolling back step: Install service step: Sophos Live Query
    2022-02-22T05:28:32.255Z [ 3628:15864] I Waiting 60000ms for service deletion
    2022-02-22T05:28:32.255Z [ 3628:15864] I Waiting for operation to succeed within 60000ms.
    2022-02-22T05:28:32.255Z [ 3628:15864] W Service still exists, waiting...
    2022-02-22T05:28:33.261Z [ 3628:15864] I Retrying operation. Counter: 1
    2022-02-22T05:28:33.262Z [ 3628:15864] A Successfully deleted service: Sophos Live Query
    2022-02-22T05:28:33.277Z [ 3628:15864] A Rolling back step: Delete service step: Sophos Live Query
    2022-02-22T05:28:33.302Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\LiveQuery, 64, Enable, 0)
    2022-02-22T05:28:33.308Z [ 3628:15864] A Rolling back step: Killing any left over SophosOsquery and SophosOsqueryExtension processes from the livequery programfiles folder
    2022-02-22T05:28:33.310Z [ 3628:15864] A Rolling back step: Stop service step without disabling tamper protection for service: Sophos Live Query
    2022-02-22T05:28:33.313Z [ 3628:15864] I Querying configuration of service: Sophos Live Query
    2022-02-22T05:28:33.352Z [ 3628:15864] I Waiting 60000ms for service to start.
    2022-02-22T05:28:33.352Z [ 3628:15864] I Waiting for operation to succeed within 60000ms.
    2022-02-22T05:28:34.368Z [ 3628:15864] I Retrying operation. Counter: 1
    2022-02-22T05:28:34.368Z [ 3628:15864] I The service is running.
    2022-02-22T05:28:34.369Z [ 3628:15864] A Rolling back step: CreateRegistryKey(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\LiveQuery, 64)
    2022-02-22T05:28:34.371Z [ 3628:15864] A Rolling back step: Stop service step without disabling tamper protection for service: Sophos Managed Threat Response
    2022-02-22T05:28:34.374Z [ 3628:15864] I Service was already missing or stopped
    2022-02-22T05:28:34.374Z [ 3628:15864] A Rolling back step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\MTR_SCM, 64, Enable, 0)
    2022-02-22T05:28:34.378Z [ 3628:15864] W Failed composite step
    2022-02-22T05:28:34.381Z [ 3628:15864] A Execution failed
    2022-02-22T05:28:34.383Z [ 3628:15864] E Action failed
    2022-02-22T05:28:34.388Z [ 3628:15864] A End product setup

  • 2022-02-22T05:28:00.726Z [ 3628:15864] A Executing step: Start tamper-protected service step: Sophos Managed Threat Response
    2022-02-22T05:28:00.729Z [ 3628:15864] I Querying configuration of service: Sophos Managed Threat Response
    2022-02-22T05:28:30.793Z [ 3628:15864] E Exception starting tamper protected service: StartService failed with error 1053: Der Dienst antwortete nicht rechtzeitig auf die Start- oder Steuerungsanforderung.
    2022-02-22T05:28:30.797Z [ 3628:15864] W Cannot determine service PID; service is in invalid state: 1

    This is the issue: the installer is trying to start the "Sophos Managed Threat Response" service. This is failing with error 1053, which is ERROR_SERVICE_REQUEST_TIMEOUT. The text being: "The service did not respond to the start or control request in a timely fashion."

    I would initially check:
    C:\ProgramData\Sophos\Managed Threat Response\Logs\dbos.log
    for errors but I'd probably also run Process Monitor, call Update Now, to let AutoUpdate have another attempt at re-installing the component.

    I assume the services.exe process (the SCM) may create the process: "C:\Program Files\Sophos\Managed Threat Response\SophosMTR.exe"?  Do you see the "SophosMTR.exe" process get created?  If so, what does it do, does it get very far?  Can you see any errors if you step through the Process Monitor log?  You could use the timestamp of the log to locate the area of interest in the Process Monitor log if the process doesn't even get started.
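
The triage described in the reply above, as an added example that is not part of the original posts or of any Sophos tooling: it finds the first failing step in an installer log of the format quoted in this thread, names the Win32 error code, and returns the time-of-day window to filter on in Process Monitor. The function names and the one-hour `utc_offset` used in the demo are assumptions; the sample lines are copied from the log in this thread.

```python
import re
from datetime import datetime, timedelta

# Sample built from lines of the install log quoted in this thread.
SAMPLE_LOG = """
2022-02-22T05:28:00.726Z [ 3628:15864] A Executing step: Start tamper-protected service step: Sophos Managed Threat Response
2022-02-22T05:28:00.729Z [ 3628:15864] I Querying configuration of service: Sophos Managed Threat Response
2022-02-22T05:28:30.793Z [ 3628:15864] E Exception starting tamper protected service: StartService failed with error 1053: Der Dienst antwortete nicht rechtzeitig auf die Start- oder Steuerungsanforderung.
2022-02-22T05:28:30.797Z [ 3628:15864] W Cannot determine service PID; service is in invalid state: 1
2022-02-22T05:28:34.378Z [ 3628:15864] W Failed composite step
2022-02-22T05:28:34.383Z [ 3628:15864] E Action failed
"""

# timestamp, [pid:tid], one-letter level, message; leading bullets/indent allowed.
LINE_RE = re.compile(
    r"^\W*(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+)Z \[\s*\d+:\s*\d+\] ([A-Z]) (.*)$")
ERR_RE = re.compile(r"failed with error (\d+)")
STEP_PREFIX = "Executing step: "

# Win32 service-related error codes (winerror.h); localized text is not needed.
WIN32_NAMES = {
    5: "ERROR_ACCESS_DENIED",
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT",
    1058: "ERROR_SERVICE_DISABLED",
    1060: "ERROR_SERVICE_DOES_NOT_EXIST",
    1069: "ERROR_SERVICE_LOGON_FAILED",
}

def parse(log_text):
    """Yield (utc_timestamp, level, message) for every well-formed log line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f"), m.group(2), m.group(3)

def first_failure(log_text, utc_offset=timedelta(0)):
    """Return details of the first 'E' line, or None if the log has no error.

    utc_offset shifts the Z (UTC) log times to the client's local clock,
    which is what Process Monitor displays.
    """
    step = step_ts = prev_ts = None
    for ts, level, msg in parse(log_text):
        if msg.startswith(STEP_PREFIX):
            step, step_ts = msg[len(STEP_PREFIX):], ts
        if level == "E":
            m = ERR_RE.search(msg)
            code = int(m.group(1)) if m else None
            start = step_ts or prev_ts or ts
            return {
                "step": step,
                "error_code": code,
                "error_name": WIN32_NAMES.get(code, "unknown"),
                # Silence before the error; about 30 s matches the SCM's
                # default start timeout (30000 ms).
                "stall_seconds": (ts - prev_ts).total_seconds() if prev_ts else 0.0,
                "window": tuple((t + utc_offset).strftime("%H:%M:%S") for t in (start, ts)),
            }
        prev_ts = ts
    return None

if __name__ == "__main__":
    # Assumption: the client's local time is UTC+1.
    print(first_failure(SAMPLE_LOG, utc_offset=timedelta(hours=1)))
```
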

  • Thank you for your reply. I have no clue what happened but the clients managed to install the update even through Cisco Anyconnect today. We have had this problem a few times in the past and after a few days it has reoccurred. If it occurs again I will contact you again.

    Thanks!