This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Update failing on multiple machines

Hi All.

I am having an issue with multiple machines failing Sophos update over the weekend.

This includes relatively new machines. I am receiving the following error:

Failed to install sau: general error.

I have tried uninstalling but receiving the same error.

Any ideas?

Thanks,



This thread was automatically locked due to age.
Parents
  • could you attach the Sophos AutoUpdate logs from \windows\temp\.  If AutoUpdate is trying to update Sophso AutoUpdate, there will be logs under \windows\temp\ for Sophos AutoUpdate.

  • The below is what I see

    2022-02-28T09:47:36.827Z [ 9272:15928] I Leaving MsiInstall::GetPackageProperty() with ERROR_SUCCESS.
    2022-02-28T09:47:36.827Z [ 9272:15928] I Leaving MsiInstall::GetPackageProperty() with ERROR_SUCCESS.
    2022-02-28T09:47:36.827Z [ 9272:15928] I Leaving MsiInstall::GetPackageProperty() with ERROR_SUCCESS.
    2022-02-28T09:47:36.829Z [ 9272:15928] I Product is installed. Product code '{608FB9D9-77C2-4CA6-AB53-4F50900BD9E0}'. Version: '6.12.86'
    2022-02-28T09:47:36.829Z [ 9272:15928] I Checking SAU Service ImagePath
    2022-02-28T09:47:36.830Z [ 9272:15928] I Pre-existing version: 6.12.86; Installing version: 6.12.86.
    2022-02-28T09:47:36.830Z [ 9272:15928] I Installation type: Reinstall.
    2022-02-28T09:47:36.832Z [ 9272:15928] I Successfully requested Sophos Endpoint Defense disable tamper protection of SAU.
    2022-02-28T09:47:40.142Z [ 9272:15928] I Installation of Sophos AutoUpdate version: 6.12.86 completed successfully.
    2022-02-28T09:47:40.145Z [ 9272:15928] I Successfully registered for tamper protection with Sophos Endpoint Defense.
    2022-02-28T09:47:40.145Z [ 9272:15928] I REBOOTCODE: 0
    2022-02-28T09:47:40.145Z [ 9272:15928] I Update data dir: C:\ProgramData\Sophos\AutoUpdate
    2022-02-28T09:47:40.188Z [ 9272:15928] I Update data dir: C:\ProgramData\Sophos\AutoUpdate
    2022-02-28T09:47:40.193Z [ 9272:15928] I Telemetry Interval is 86400 seconds
    2022-02-28T09:47:40.193Z [ 9272:15928] I C:\ProgramData\Sophos\AutoUpdate\Config\TelemetryConfig.json loaded
    2022-02-28T09:47:40.193Z [ 9272:15928] I Telemetry Interval updated to 86400 seconds
    2022-02-28T09:47:40.193Z [ 9272:15928] I LastTelemetryTime is set to: 1646040186l.

  • That looks successful. Are there any other logs that follow the file naming scheme as that is the correct log.

  • I have looked at another machine and see the below:

    2022-03-18T16:26:54.128Z [ 2044: 6332] I Leaving MsiInstall::GetPackageProperty() with ERROR_SUCCESS.
    2022-03-18T16:26:54.128Z [ 2044: 6332] I Leaving MsiInstall::GetPackageProperty() with ERROR_SUCCESS.
    2022-03-18T16:26:54.128Z [ 2044: 6332] I Leaving MsiInstall::GetPackageProperty() with ERROR_SUCCESS.
    2022-03-18T16:26:54.130Z [ 2044: 6332] I Product is installed. Product code '{785D9C84-13AF-4B42-9550-E7260F674A32}'. Version: '6.11.299'
    2022-03-18T16:26:54.130Z [ 2044: 6332] I Checking SAU Service ImagePath
    2022-03-18T16:26:54.131Z [ 2044: 6332] I Installation type: Major version change or sidegrade.
    2022-03-18T16:26:54.131Z [ 2044: 6332] I Major upgrade
    2022-03-18T16:26:54.134Z [ 2044: 6332] I Successfully requested Sophos Endpoint Defense disable tamper protection of SAU.
    2022-03-18T16:26:54.134Z [ 2044: 6332] I Uninstall current product.
    2022-03-18T16:26:54.148Z [ 2044: 6332] I Successfully registered for tamper protection with Sophos Endpoint Defense.
    2022-03-18T16:26:54.148Z [ 2044: 6332] I Telemetry Interval is 86400 seconds
    2022-03-18T16:26:54.148Z [ 2044: 6332] I C:\ProgramData\Sophos\AutoUpdate\Config\TelemetryConfig.json loaded
    2022-03-18T16:26:54.148Z [ 2044: 6332] I Telemetry Interval updated to 86400 seconds
    2022-03-18T16:26:54.148Z [ 2044: 6332] I LastTelemetryTime is set to: 1647594398l.
    2022-03-18T16:26:54.148Z [ 2044: 6332] E ERROR: Removal of Sophos AutoUpdate version: 6.11.299 failed with return code: 1612

  • 1612 is ERROR_INSTALL_SOURCE_ABSENT. So the cached MSI file for version 6.11.299 that should be under \windows\installer is missing.  There will be a reference to this version I suspect under the reg key:

    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\InstallProperties\"
    There will be a "LocalPackage" reg value for this version of AutoUpdate the "DisplayName" and "DisplayVersion" values should be there, which references a file such as: 

    C:\Windows\Installer\1273362c.msi

    You need to get a copy of the Sophos AutoUpdate MSI file (Sophos AutoUpdate.msi) and rename it to the same file name in the referenced location as in the LocalPackage.  Do you have another computer with AutoUpdate version 6.11.299?

    It would be possible to write a script to replace it using the above reg key, if you can get the right file.  

  • I think this is the file you need:

    http://d1.sophosupd.com/update/ebf00e741211519265ca81c7dd00bd73x000.dat

    If you rename that from .dat to .msi and copy it to \windows\installer\ with the same name as that referenced in the LocalPackage reg value it should uninstall fine.

  • I can use SophosZap to uninstall, the issue was more or less to sort the updating.

    Thanks,

    Hanif

Reply Children
No Data