Sophos Update failing on multiple machines

Hi All.

I am having an issue with multiple machines failing Sophos update over the weekend.

This includes relatively new machines. I am receiving the following error:

Failed to install sau: general error.

I have tried uninstalling but am receiving the same error.

Any ideas?

Thanks,



  • Could you attach the Sophos AutoUpdate logs from \windows\temp\? If AutoUpdate is trying to update Sophos AutoUpdate, there will be logs under \windows\temp\ for Sophos AutoUpdate.

  • The below is what I see

    2022-02-28T09:47:36.827Z [ 9272:15928] I Leaving MsiInstall::GetPackageProperty() with ERROR_SUCCESS.
    2022-02-28T09:47:36.827Z [ 9272:15928] I Leaving MsiInstall::GetPackageProperty() with ERROR_SUCCESS.
    2022-02-28T09:47:36.827Z [ 9272:15928] I Leaving MsiInstall::GetPackageProperty() with ERROR_SUCCESS.
    2022-02-28T09:47:36.829Z [ 9272:15928] I Product is installed. Product code '{608FB9D9-77C2-4CA6-AB53-4F50900BD9E0}'. Version: '6.12.86'
    2022-02-28T09:47:36.829Z [ 9272:15928] I Checking SAU Service ImagePath
    2022-02-28T09:47:36.830Z [ 9272:15928] I Pre-existing version: 6.12.86; Installing version: 6.12.86.
    2022-02-28T09:47:36.830Z [ 9272:15928] I Installation type: Reinstall.
    2022-02-28T09:47:36.832Z [ 9272:15928] I Successfully requested Sophos Endpoint Defense disable tamper protection of SAU.
    2022-02-28T09:47:40.142Z [ 9272:15928] I Installation of Sophos AutoUpdate version: 6.12.86 completed successfully.
    2022-02-28T09:47:40.145Z [ 9272:15928] I Successfully registered for tamper protection with Sophos Endpoint Defense.
    2022-02-28T09:47:40.145Z [ 9272:15928] I REBOOTCODE: 0
    2022-02-28T09:47:40.145Z [ 9272:15928] I Update data dir: C:\ProgramData\Sophos\AutoUpdate
    2022-02-28T09:47:40.188Z [ 9272:15928] I Update data dir: C:\ProgramData\Sophos\AutoUpdate
    2022-02-28T09:47:40.193Z [ 9272:15928] I Telemetry Interval is 86400 seconds
    2022-02-28T09:47:40.193Z [ 9272:15928] I C:\ProgramData\Sophos\AutoUpdate\Config\TelemetryConfig.json loaded
    2022-02-28T09:47:40.193Z [ 9272:15928] I Telemetry Interval updated to 86400 seconds
    2022-02-28T09:47:40.193Z [ 9272:15928] I LastTelemetryTime is set to: 1646040186l.

  • That looks successful. Are there any other logs that follow the file naming scheme, as that is the correct log?

  • I have looked at another machine and see the below:

    2022-03-18T16:26:54.128Z [ 2044: 6332] I Leaving MsiInstall::GetPackageProperty() with ERROR_SUCCESS.
    2022-03-18T16:26:54.128Z [ 2044: 6332] I Leaving MsiInstall::GetPackageProperty() with ERROR_SUCCESS.
    2022-03-18T16:26:54.128Z [ 2044: 6332] I Leaving MsiInstall::GetPackageProperty() with ERROR_SUCCESS.
    2022-03-18T16:26:54.130Z [ 2044: 6332] I Product is installed. Product code '{785D9C84-13AF-4B42-9550-E7260F674A32}'. Version: '6.11.299'
    2022-03-18T16:26:54.130Z [ 2044: 6332] I Checking SAU Service ImagePath
    2022-03-18T16:26:54.131Z [ 2044: 6332] I Installation type: Major version change or sidegrade.
    2022-03-18T16:26:54.131Z [ 2044: 6332] I Major upgrade
    2022-03-18T16:26:54.134Z [ 2044: 6332] I Successfully requested Sophos Endpoint Defense disable tamper protection of SAU.
    2022-03-18T16:26:54.134Z [ 2044: 6332] I Uninstall current product.
    2022-03-18T16:26:54.148Z [ 2044: 6332] I Successfully registered for tamper protection with Sophos Endpoint Defense.
    2022-03-18T16:26:54.148Z [ 2044: 6332] I Telemetry Interval is 86400 seconds
    2022-03-18T16:26:54.148Z [ 2044: 6332] I C:\ProgramData\Sophos\AutoUpdate\Config\TelemetryConfig.json loaded
    2022-03-18T16:26:54.148Z [ 2044: 6332] I Telemetry Interval updated to 86400 seconds
    2022-03-18T16:26:54.148Z [ 2044: 6332] I LastTelemetryTime is set to: 1647594398l.
    2022-03-18T16:26:54.148Z [ 2044: 6332] E ERROR: Removal of Sophos AutoUpdate version: 6.11.299 failed with return code: 1612

  • 1612 is ERROR_INSTALL_SOURCE_ABSENT. So the cached MSI file for version 6.11.299 that should be under \windows\installer is missing.  There will be a reference to this version I suspect under the reg key:

    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\InstallProperties\"
    There will be a "LocalPackage" reg value for this version of AutoUpdate (the "DisplayName" and "DisplayVersion" values should be there), which references a file such as:

    C:\Windows\Installer\1273362c.msi

    You need to get a copy of the Sophos AutoUpdate MSI file (Sophos AutoUpdate.msi) and rename it to the same file name in the referenced location as in the LocalPackage.  Do you have another computer with AutoUpdate version 6.11.299?

    It would be possible to write a script to replace it using the above reg key, if you can get the right file.  

  • I think this is the file you need:

    http://d1.sophosupd.com/update/ebf00e741211519265ca81c7dd00bd73x000.dat

    If you rename that from .dat to .msi and copy it to \windows\installer\ with the same name as that referenced in the LocalPackage reg value it should uninstall fine.

  • I can use SophosZap to uninstall, the issue was more or less to sort the updating.

    Thanks,

    Hanif

  • Does the following PowerShell script help? While I was at it, I added some of the other md5 files I had.

    #Restore missing MSI files if they can be downloaded from the public warehouse.  
    param ($data)
    
    [xml]$MSIData = @'
    <?xml version="1.0" encoding="UTF-8"?>
    <Products>
        <Component name="Sophos Anti-Virus">
            <entry targetarchitecture="64" version="10.8.4.227" md5="14238f07fd0b6388de68b35d3d16ae99" />
            <entry targetarchitecture="64" version="10.8.9.610" md5="e36141de48f291226c490f50d51f63d6" />
            <entry targetarchitecture="64" version="10.8.10.810" md5="62cc29ef6da10ba0ade59179a5d136f5" />
            <entry targetarchitecture="64" version="10.8.11.22" md5="950a4fd060054816d20675f99d0ddcc4" />
            <entry targetarchitecture="64" version="10.8.12.23" md5="efae4d99705d37f55555ec5f3836f0bd" />
        </Component>
        <Component name="Sophos AutoUpdate XG">
            <entry targetarchitecture="64" version="6.7.352.0" md5="58934fea8bb7e472fbc97f0d36db3dc6" />
            <entry targetarchitecture="64" version="6.12.59" md5="8a75cf4460ab26eea98835e787852a78" />
            <entry targetarchitecture="64" version="6.11.299" md5="ebf00e741211519265ca81c7dd00bd73" />
        </Component>
        <Component name="Sophos AutoUpdate">
            <entry targetarchitecture="64" version="5.17.243.0" md5="e399c2d6e8506129145f99f987e202bd" />
        </Component>
        <Component name="Sophos Remote Management System">
            <entry targetarchitecture="64" version="4.1.2" md5="b1bcc8323460b6daf1c2763428617a77" />
            <entry targetarchitecture="64" version="4.1.3" md5="4046ccdd845f9c92468a2ed8631df6ec" />
        </Component>
        <Component name="Sophos Network Threat Protection">
            <entry targetarchitecture="64" version="1.9.2235.0" md5="2a07605292814a54b587367f99bdf7fa" />
            <entry targetarchitecture="32" version="1.9.2235.0" md5="b767b7a86b43a84de7383e2d815dd946" />
            <entry targetarchitecture="64" version="1.11.194.0" md5="1b6a5b09d0175d5e9cddef10f1e68fcb" />
        </Component>
        <Component name="Sophos Endpoint Self Help">
            <entry targetarchitecture="64" version="3.0.217.0" md5="4764f2e2be98bfd44f4813a377f8fa8d" />
            <entry targetarchitecture="64" version="3.1.88.0" md5="89c49facd1e551689841c78bbb817e6c" />
        </Component>
        <Component name="Sophos Endpoint Firewall">
            <entry targetarchitecture="64" version="1.2.0.17" md5="e1066ad8910661f9ccbea4d4ab618d22" />
            <entry targetarchitecture="64" version="2.0.20.0" md5="4f51e2d94359f773628b611e8df0bdf9" />
        </Component>
        <Component name="Sophos Endpoint Agent">
            <entry targetarchitecture="64" version="2.2.6.0" md5="5df724aa24f18f27d63b9639a4d993d9" />
            <entry targetarchitecture="64" version="2.1.44.0" md5="96090fa1707c51bed965b080c02c56e8" />
            <entry targetarchitecture="64" version="2.4.230.0" md5="431d65546d5976a1a77302255dcd26c6" />
        </Component>
        <Component name="Sophos Diagnostic Utility">
            <entry targetarchitecture="64" version="6.8.296.0" md5="4d8f989e7304b7887061abd2efa3c8fe" />
            <entry targetarchitecture="64" version="6.7.306.0" md5="f8eb5a54a6a4a0c6e5d18e22d7a9bada" />
            <entry targetarchitecture="64" version="6.11.234" md5="333fc3ec5c2426600af596e4a4a5a7d7" />
        </Component>
        <Component name="Sophos Data Protection Agent 2.0.81.0">
            <entry targetarchitecture="64" version="2.0.81.0" md5="2e570925193d723d5e16b14e33cd09af" />
        </Component>
        <Component name="Sophos Data Protection Agent 2.1.182.0">
            <entry targetarchitecture="64" version="2.1.182.0" md5="d26bd320ba23d1ed9d7b0acce95b3a9c" />
        </Component>
        <Component name="Sophos File Integrity Monitoring">
            <entry targetarchitecture="64" version="1.0.1.11" md5="c17af65274e74c49462a3633d9863fda" />
        </Component>
    </Products>
    '@
    
    $installer_registry_keys = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\InstallProperties\"
    $url_prefix = "http://d1.sophosupd.com/update/"
    $url_suffix = "x000.dat"
    
    function main()
    {
        $product_count = 0
        $fix_count = 0
        $failed_fix_count = 0
     
        if ([System.IntPtr]::Size -eq 4)
        {
            $os_platform = "32"
        }
        else
        {
            $os_platform = "64"
        }
    
        foreach ($package in (Get-ItemProperty -path $installer_registry_keys))
        {
            if ($package.publisher -match "sophos")
            {   
                $product_count++
    			
                Write-Host `n"Checking:" $package.DisplayName
    
                if (test-path $package.LocalPackage) 
                {
                    $exist = $true;
                    $c = "green" 
                }
                else
                {
                    Write-Host "Attempt to resolve missing cached MSI file for: $($package.DisplayName), version: $($package.DisplayVersion)" 
                    
                    $hash = $(Select-XML -Xml $MSIData -XPath "//Products/Component[@name='$($package.DisplayName)']/entry[@version='$($package.DisplayVersion)' and @targetarchitecture='$($os_platform)']").Node.md5
                    
                    if (-not $hash)
                    {
                        write-host "No cached MSI file in database, will continue." -ForegroundColor red
                        continue;
                    }
    
                    $uri = $url_prefix + $hash + $url_suffix
                    
                    write-host "Attempt to download from '$uri' and save to '$($package.LocalPackage)'."
    
                    try
                    {
                        
                        #$wr = Invoke-WebRequest -Uri $uri -OutFile $package.LocalPackage -ErrorAction SilentlyContinue  #switch to WebClient for older OS.
    
                        $webClient = new-object System.Net.WebClient
    
                        $webClient.DownloadFile($uri, $package.LocalPackage)
    
                        if (test-path $package.LocalPackage) 
                        {
                            Write-host "Copied from server and saved successfully"
                            $fix_count++
                            $exist = $true
                            $c = "green" 
                        }
                        else
                        {
                            Write-host "Failed to restore file."
                            $exist=$false
                            $c = "red"
                            $failed_fix_count++
                        }
                    }
                    catch
                    {
                        Write-host "Failed to restore file."
                        $exist=$false
                        $c = "red"
                        $failed_fix_count++
                    }
                } 
                write-host $package.DisplayName `n $package.DisplayVersion `n $package.LocalPackage [$exist] -ForegroundColor $c 
            }
        }
    
        write-host "`nResults:"
        Write-Host "Sophos products found:" $product_count
    
        if ($failed_fix_count -gt 0)
        {
            Write-Host "Failed fix count:" $failed_fix_count -ForegroundColor Red
            exit 1
        }
    
        if ($fix_count -gt 0)
        {
            Write-Host "Fix count:" $fix_count -ForegroundColor Green
            Write-Host "Will initiate an update as $fix_count cached msi files have been restored..."
            
            try{ 
                $(New-Object -comObject "ActiveLinkClient.ClientUpdate.1").UpdateNow(1,1)
            }catch{}
        }
    	
        exit 0
    }
    
    if ($data)
    {
        $package_data = $(Select-XML -Xml $MSIData -XPath "//Products/Component").Node

        foreach ($package in $package_data)
        {
            write-host $package.name -foregroundcolor green
            foreach ($details in $package.entry)
            {
                $uri = $url_prefix + $details.md5 + $url_suffix
                write-host "Version:" $details.version "| Target Arch:" $details.targetarchitecture "| File:" $uri
            }
        }

        exit 0
    }
    
    main
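
A verification step for the restore script above, as an added example that is not part of the original post and not Sophos's own code: the script downloads over plain HTTP straight into C:\Windows\Installer, where Windows Installer later uses the file as SYSTEM, so this function stages the download, checks its hash and Authenticode signature, and only then copies it into place. It assumes the hex string in the warehouse file name is the MD5 of the file content (as the script's `md5` attribute suggests) and that the MSI is signed by a certificate whose subject contains "Sophos"; `Restore-VerifiedMsi` and its parameter names are hypothetical, and `Get-FileHash` needs PowerShell 4.0 or later.

```powershell
# Added example (not from the original post). Assumptions are marked in comments.
function Restore-VerifiedMsi {
    param(
        [Parameter(Mandatory)][string]$Md5,           # hash from the script's XML table
        [Parameter(Mandatory)][string]$LocalPackage,  # path from the LocalPackage registry value
        [string]$UrlPrefix = "http://d1.sophosupd.com/update/",
        [string]$UrlSuffix = "x000.dat",
        [string]$ExpectedSigner = "Sophos"            # assumption: signer subject contains this
    )

    # Stage outside C:\Windows\Installer so an unverified file never lands in the cache.
    $staging = Join-Path $env:TEMP ("{0}.msi" -f $Md5)
    try {
        (New-Object System.Net.WebClient).DownloadFile($UrlPrefix + $Md5 + $UrlSuffix, $staging)

        # Assumption: the warehouse file name is the MD5 of the content.
        # This catches truncation or corruption; MD5 is not a defence against tampering.
        $actual = (Get-FileHash -Path $staging -Algorithm MD5).Hash
        if ($actual -ne $Md5) {
            throw "MD5 mismatch: expected $Md5, got $actual"
        }

        # The tamper check: require a valid Authenticode signature from the
        # expected publisher before the file is trusted as an installer source.
        $sig = Get-AuthenticodeSignature -FilePath $staging
        if ($sig.Status -ne 'Valid') {
            throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        }
        if ($sig.SignerCertificate.Subject -notmatch [regex]::Escape($ExpectedSigner)) {
            throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
        }

        Copy-Item -Path $staging -Destination $LocalPackage -Force
        return $true
    }
    catch {
        Write-Warning "Not restoring '$LocalPackage': $($_.Exception.Message)"
        return $false
    }
    finally {
        Remove-Item -Path $staging -ErrorAction SilentlyContinue
    }
}
```

In the script above, a call such as `Restore-VerifiedMsi -Md5 $hash -LocalPackage $package.LocalPackage` would take the place of the direct `DownloadFile` call, with a `$false` result counted as a failed fix.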
    

  • Out of interest, you can run the above via Live Response if needed:

    Start the session, and run Powershell.exe

    In the PowerShell session you can just paste the above, e.g.:

    Here it shows all the cached MSIs are present. If there was an issue, e.g. I rename C:\WINDOWS\Installer\861f7d7.msi to C:\WINDOWS\Installer\861f7d7.msi.removed and re-run the script, it will fix it:



    Something that might help if you get other 1612 errors and Live Response is an option.