This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos ML Engine (64-bit) failed to install

Hello,

I am new to Sophos and System Administration in general.

Over the weekend, I got several notifications that some of my servers had failed to update Sophos.

Below are some error snippets I've identified from the installation log: %ProgramData%\Sophos\CloudInstaller\Logs\SophosCloudInstaller_<date>_<time>.log

Installing component: Sophos ML engine (64-bit)
IsWow64Process2 not available on older platforms.
...
W failed to install product 70FDD40E-986A-44E5-9620-2B894A06702A 1.8.7.1
su-setup: exit 1

SetupPluginCommand::onRun() failed with ComponentInstaller::InstallError:Failed to install component(s)
SetupPlugin completed with failure with reboot code '0' and error message 'could not install software'
Installation failed

I am pretty sure that the failure has to do with the Sophos ML Engine due to the above errors.

I have already tried installing the new root certificates, and made sure that there weren't any misconfigurations in both registry and local/group policy as recommended in the article: https://support.sophos.com/support/s/article/KB-000043788?language=en_US&c__displayLanguage=en_US

I have also tried doing an uninstall + fresh install using Sophos Zapp, but to no avail.

I noticed that for this particular server, the docmodel directory from C:\Program Files\Sophos\Sophos ML Engine\ML1\ is empty. I am sure that this once contained several .dll and .dat files.

Anyone have any ideas on what to try next?

This thread was automatically locked due to age.

Top Replies

Sophos User930 over 2 years ago in reply to Kader-Mtl +5 verified

this is the most significant line: Validate: File C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\16467433947398827\docmodel.dll not signed by Sophos. This is Sophos just calling the Microsoft…

Parents

0 Sophos User930 over 2 years ago
In \windows\temp\ if AutoUpdate has tried to install it, you should have a pair of logs. E.g.

Sophos ML Engine Install Log 20220306 173104

Sophos ML Engine Validator Log 20220306 173104

Can you paste those?
Cancel
Vote Up 0 Vote Down

Cancel
0 Kader-Mtl over 2 years ago in reply to Sophos User930

Hi SophosUser930,

As per your request

Sophos ML Engine Install Log 20220308 074314.txt :

Version: 1.8.7.1
2022-03-08T07:43:14 CPluginComponent::Install: Installation starting
2022-03-08T07:43:14 installer_lib::InstallFilesCommand<class installer_lib::FileInstaller<class installer_lib::Filesystem>,class installer_lib::Filesystem>::execute: Installing files to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Looking for changes
2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Looking at source files in "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel"
2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Looking at current files in "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16388810729236551"
2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking file "docmodel.dll" for copy as it has changed
2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking file "manifest.dat" for copy as it has changed
2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking file "onnxruntime.dll" for copy as it is a DLL
2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking "static_office.dat" for linking as it has not changed
2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking file "static_pdf.dat" for copy as it has changed
2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking file "static_rtf.dat" for copy as it has changed
2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::run: Change detected - copying files to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\docmodel.dll" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\docmodel.dll" exists
2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\manifest.dat" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\manifest.dat" exists
2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\onnxruntime.dll" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\onnxruntime.dll" exists
2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Linking "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\static_office.dat"
2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\static_pdf.dat" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\static_pdf.dat" exists
2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\static_rtf.dat" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\static_rtf.dat" exists
2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::run: Copying files succeeded
2022-03-08T07:43:14 installer_lib::InstallFilesCommand<class installer_lib::FileInstaller<class installer_lib::Filesystem>,class installer_lib::Filesystem>::execute: Successfully installed files to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\SophosSMEValidator.exe" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\SophosSMEValidator.exe" exists
2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Successfully copied "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\SophosSMEValidator.exe" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Validating
2022-03-08T07:43:14 ml_installer::ModelValidator::Validate: Running validator "C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\16467433947398827\SophosSMEValidator.exe" "C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\16467433947398827"
2022-03-08T07:43:14 ml_installer::ModelValidator::Validate: Validator started
2022-03-08T07:43:14 ml_installer::ModelValidator::Validate: Validator returned 3
2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Validation Failed
2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Removing "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827\\SophosSMEValidator.exe"
2022-03-08T07:43:14 installer_lib::Filesystem::remove_all: Successfully removed "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827\\SophosSMEValidator.exe"
2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Successfully removed "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827\\SophosSMEValidator.exe"
2022-03-08T07:43:14 installer_lib::InstallFilesCommand<class installer_lib::FileInstaller<class installer_lib::Filesystem>,class installer_lib::Filesystem>::backout: Backing out: Removing files from "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
2022-03-08T07:43:14 installer_lib::Filesystem::remove_all: Successfully removed "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
2022-03-08T07:43:14 installer_lib::InstallFilesCommand<class installer_lib::FileInstaller<class installer_lib::Filesystem>,class installer_lib::Filesystem>::backout: Backing out: Successfully removed files from "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
2022-03-08T07:43:14 CPluginComponent::Install: Installation failed

Sophos ML Engine Validator Log 20220308 074314.txt ;

Version: 1.8.7.1
2022-03-08T07:43:14 wWinMain: Command line: "C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\16467433947398827"
2022-03-08T07:43:14 `anonymous-namespace'::Startup: Successfully set search path using standard approach.
2022-03-08T07:43:14 Validate: File C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\16467433947398827\docmodel.dll not signed by Sophos
2022-03-08T07:43:14 wWinMain: Validation failed

Thanks for your help
Cancel
Vote Up 0 Vote Down

Cancel
+1 Sophos User930 over 2 years ago in reply to Kader-Mtl

this is the most significant line:

Validate: File C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\16467433947398827\docmodel.dll not signed by Sophos.

This is Sophos just calling the Microsoft API WinverifyTrust against the file in question and it is failing. Evidence for this is in the CAPI2 Event log.

If you visit:
https://trusted-root-g4.chain-demos.digicert.com/

on that computer, what happens?

Do you see in the Certificates MMC (Computer account) the DigiCert Trusted Root G4 cert?

If it's there are visiting https://trusted-root-g4.chain-demos.digicert.com/, does the next "Update now" complete?

Also worth checking in the registry under:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

...don't have a DWORD registry value named DisableRootAutoUpdate set to 1.
Cancel
Vote Up +5 Vote Down

Cancel

Reply

+1 Sophos User930 over 2 years ago in reply to Kader-Mtl

this is the most significant line:

Validate: File C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\16467433947398827\docmodel.dll not signed by Sophos.

This is Sophos just calling the Microsoft API WinverifyTrust against the file in question and it is failing. Evidence for this is in the CAPI2 Event log.

If you visit:
https://trusted-root-g4.chain-demos.digicert.com/

on that computer, what happens?

Do you see in the Certificates MMC (Computer account) the DigiCert Trusted Root G4 cert?

If it's there are visiting https://trusted-root-g4.chain-demos.digicert.com/, does the next "Update now" complete?

Also worth checking in the registry under:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

...don't have a DWORD registry value named DisableRootAutoUpdate set to 1.
Cancel
Vote Up +5 Vote Down

Cancel

Children

+1 geopiet over 2 years ago in reply to Sophos User930

Hi Sophos User930, for me it works now. After opening the trusted-root-link above without an error I could complete the Update Now successfully. Thanks a lot!
Cancel
Vote Up +2 Vote Down

Cancel
0 Sophos User930 over 2 years ago in reply to geopiet

No problem, curious you hadn't got it. Looking at:
Release notes - Microsoft Trusted Root Certificate Program

The July update here: July 2020 Deployment Notice - Microsoft Trusted Root Program has:

Digicert \ DigiCert Trusted Root G4 \ DDFB16CD4931C973A2037D3FC83A4D7D775D05E4

Where DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 is the thumbprint so it's not super new.

I can only think that visiting the site put it into the cert store.

Thanks for the reply.
Cancel
Vote Up +1 Vote Down

Cancel
0 Kader-Mtl over 2 years ago in reply to Sophos User930

Hi SophosUser930,

It's worked for me too !

Thanks !

Regards,
Cancel
Vote Up +1 Vote Down

Cancel
0 Mario_ap over 2 years ago in reply to Sophos User930

Worked for me. This probably saved me a lot fo time of going trough logs and debugging. Thanks!

Info: We only had this Problems on Machines running Windows 2012 R2 so far, 2016 and 2019 worked so far without any problems.
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos User930 over 2 years ago in reply to Mario_ap

Good to hear, I suppose, if you have LiveQuery:

This query would show clients missing the cert:

SELECT 'true' AS MissingDigicertG4Certificate

WHERE NOT EXISTS

(select 1 from certificates where

store_location = 'LocalMachine' and

store='Trusted Root Certification Authorities'

and common_name='DigiCert Trusted Root G4'

)

You can even use the Authenticode table to "validate" the file in the same way as the installer. The file should say "trusted" if all is OK as the result.

select

path as path,

serial_number,

issuer_name,

subject_name,

result

from authenticode

where path = "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sme64\docmodel\docmodel.dll"

To remediate, over Live Response, the following commands should also fix it:

mkdir C:\digicerttemp

cd C:\digicerttemp

certutil.exe -urlcache -f https://cacerts.digicert.com/DigiCertTrustedRootG4.crt C:\digicerttemp\DigiCertTrustedRootG4.crt

certutil.exe -addstore root C:\digicerttemp\DigiCertTrustedRootG4.crt

cd \

rmdir digicerttemp /S /Q

I've suggested using certutil to download the cert as Powershell 2 on older platforms so Invoke-webrequest is probably not available.

Hope that helps.
Cancel
Vote Up 0 Vote Down

Cancel
0 Michel BIVER over 2 years ago in reply to Sophos User930

Hi, User390

Thanks for your comment here.

We also had trouble with some servers not updating and by checking the Cert concerned, I noticed this one was missing.

I exported it from the server which was ok and imported it simply in the others.

Works perfectly.

Best Regards
Cancel
Vote Up +1 Vote Down

Cancel