
Sophos ML Engine (64-bit) failed to install

Hello, 

I am new to Sophos and System Administration in general. 

Over the weekend, I got several notifications that some of my servers had failed to update Sophos.

Below are some error snippets I've identified from the installation log: %ProgramData%\Sophos\CloudInstaller\Logs\SophosCloudInstaller_<date>_<time>.log

Installing component: Sophos ML engine (64-bit)
IsWow64Process2 not available on older platforms.
...
W failed to install product 70FDD40E-986A-44E5-9620-2B894A06702A 1.8.7.1
su-setup: exit 1

SetupPluginCommand::onRun() failed with ComponentInstaller::InstallError:Failed to install component(s)
SetupPlugin completed with failure with reboot code '0' and error message 'could not install software'
Installation failed

I am pretty sure that the failure has to do with the Sophos ML Engine due to the above errors. 

I have already tried installing the new root certificates, and made sure that there weren't any misconfigurations in both registry and local/group policy as recommended in the article: https://support.sophos.com/support/s/article/KB-000043788?language=en_US&c__displayLanguage=en_US

I have also tried doing an uninstall + fresh install using Sophos Zapp, but to no avail. 

I noticed that for this particular server, the docmodel directory from C:\Program Files\Sophos\Sophos ML Engine\ML1\ is empty. I am sure that this once contained several .dll and .dat files. 

Anyone have any ideas on what to try next? 



  • In \windows\temp\ if AutoUpdate has tried to install it, you should have a pair of logs. E.g.

    • Sophos ML Engine Install Log 20220306 173104
    • Sophos ML Engine Validator Log 20220306 173104

    Can you paste those?

  • Hi SophosUser930, 

    As per your request

    Sophos ML Engine Install Log 20220308 074314.txt : 

    Version: 1.8.7.1
    2022-03-08T07:43:14 CPluginComponent::Install: Installation starting
    2022-03-08T07:43:14 installer_lib::InstallFilesCommand<class installer_lib::FileInstaller<class installer_lib::Filesystem>,class installer_lib::Filesystem>::execute: Installing files to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Looking for changes
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Looking at source files in "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel"
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Looking at current files in "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16388810729236551"
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking file "docmodel.dll" for copy as it has changed
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking file "manifest.dat" for copy as it has changed
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking file "onnxruntime.dll" for copy as it is a DLL
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking "static_office.dat" for linking as it has not changed
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking file "static_pdf.dat" for copy as it has changed
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking file "static_rtf.dat" for copy as it has changed
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::run: Change detected - copying files to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\docmodel.dll" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\docmodel.dll" exists
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\manifest.dat" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\manifest.dat" exists
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\onnxruntime.dll" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\onnxruntime.dll" exists
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Linking "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\static_office.dat"
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\static_pdf.dat" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\static_pdf.dat" exists
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\static_rtf.dat" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\static_rtf.dat" exists
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::run: Copying files succeeded
    2022-03-08T07:43:14 installer_lib::InstallFilesCommand<class installer_lib::FileInstaller<class installer_lib::Filesystem>,class installer_lib::Filesystem>::execute: Successfully installed files to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\SophosSMEValidator.exe" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\SophosSMEValidator.exe" exists
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
    2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Successfully copied "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\SophosSMEValidator.exe" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Validating
    2022-03-08T07:43:14 ml_installer::ModelValidator::Validate: Running validator "C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\16467433947398827\SophosSMEValidator.exe" "C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\16467433947398827"
    2022-03-08T07:43:14 ml_installer::ModelValidator::Validate: Validator started
    2022-03-08T07:43:14 ml_installer::ModelValidator::Validate: Validator returned 3
    2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Validation Failed
    2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Removing "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827\\SophosSMEValidator.exe"
    2022-03-08T07:43:14 installer_lib::Filesystem::remove_all: Successfully removed "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827\\SophosSMEValidator.exe"
    2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Successfully removed "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827\\SophosSMEValidator.exe"
    2022-03-08T07:43:14 installer_lib::InstallFilesCommand<class installer_lib::FileInstaller<class installer_lib::Filesystem>,class installer_lib::Filesystem>::backout: Backing out: Removing files from "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::Filesystem::remove_all: Successfully removed "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::InstallFilesCommand<class installer_lib::FileInstaller<class installer_lib::Filesystem>,class installer_lib::Filesystem>::backout: Backing out: Successfully removed files from "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 CPluginComponent::Install: Installation failed

    Sophos ML Engine Validator Log 20220308 074314.txt :

    Version: 1.8.7.1
    2022-03-08T07:43:14 wWinMain: Command line: "C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\16467433947398827"
    2022-03-08T07:43:14 `anonymous-namespace'::Startup: Successfully set search path using standard approach.
    2022-03-08T07:43:14 Validate: File C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\16467433947398827\docmodel.dll not signed by Sophos
    2022-03-08T07:43:14 wWinMain: Validation failed

    Thanks for your help

  • This is the most significant line:

    Validate: File C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\16467433947398827\docmodel.dll not signed by Sophos.

    This is Sophos just calling the Microsoft API WinVerifyTrust against the file in question and it is failing. Evidence for this is in the CAPI2 Event log.

    If you visit:
    https://trusted-root-g4.chain-demos.digicert.com/

    on that computer, what happens?

    Do you see in the Certificates MMC (Computer account) the DigiCert Trusted Root G4 cert?

    If it's there after visiting https://trusted-root-g4.chain-demos.digicert.com/, does the next "Update now" complete?

    Also worth checking in the registry under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot
    and
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

    ...don't have a DWORD registry value named DisableRootAutoUpdate set to 1.
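
The checks suggested in the reply above, gathered into one PowerShell script as an added example (not part of the original thread and not Sophos code). The DLL path is the AutoUpdate cache path shown in the install log; matching the root certificate by subject name and using `Get-AuthenticodeSignature` as a stand-in for the validator's signature check are assumptions.

```powershell
# Run from an elevated PowerShell prompt on the affected server.
# Path taken from the install log in this thread (the installed copy is backed out on failure).
$dll = 'C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sme64\docmodel\docmodel.dll'

# 1. Authenticode status of the cached file and the chain Windows builds for its signer.
$sig = Get-AuthenticodeSignature -LiteralPath $dll
$sig | Format-List Status, StatusMessage
if ($sig.SignerCertificate) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # separate trust-anchor problems from CRL/OCSP reachability
    $built = $chain.Build($sig.SignerCertificate)
    "Chain builds to a trusted root: $built"
    $chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
    $chain.ChainStatus   | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
}

# 2. Is DigiCert Trusted Root G4 in the machine root stores? (Matched by subject: an assumption.)
foreach ($store in 'Root', 'AuthRoot') {
    $hit = Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -like 'CN=DigiCert Trusted Root G4*' }
    if ($hit) { "LocalMachine\${store}: present, expires $(@($hit)[0].NotAfter)" }
    else      { "LocalMachine\${store}: not found" }
}

# 3. Automatic root updates must not be disabled by policy or local setting.
$keys = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot',
        'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot'
foreach ($key in $keys) {
    $p = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    if ($p -and $p.DisableRootAutoUpdate -eq 1) { "$key : DisableRootAutoUpdate = 1 (automatic root updates disabled)" }
    else { "$key : DisableRootAutoUpdate not set to 1" }
}

# 4. Recent CAPI2 errors, if the operational log is enabled (it is off by default).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Level = 2 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Task'; e = { $_.TaskDisplayName } }
```

A status other than `Valid` in step 1 together with "not found" in step 2 or a value of 1 in step 3 points at the machine's root store rather than at the Sophos package.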
