
Sophos ML Engine (64-bit) failed to install

Hello, 

I am new to Sophos and System Administration in general. 

Over the weekend, I got several notifications that some of my servers had failed to update Sophos.

Below are some error snippets I've identified from the installation log: %ProgramData%\Sophos\CloudInstaller\Logs\SophosCloudInstaller_<date>_<time>.log

Installing component: Sophos ML engine (64-bit)
IsWow64Process2 not available on older platforms.
...
W failed to install product 70FDD40E-986A-44E5-9620-2B894A06702A 1.8.7.1
su-setup: exit 1

SetupPluginCommand::onRun() failed with ComponentInstaller::InstallError:Failed to install component(s)
SetupPlugin completed with failure with reboot code '0' and error message 'could not install software'
Installation failed

I am pretty sure that the failure has to do with the Sophos ML Engine due to the above errors. 

I have already tried installing the new root certificates, and made sure that there weren't any misconfigurations in both registry and local/group policy as recommended in the article: https://support.sophos.com/support/s/article/KB-000043788?language=en_US&c__displayLanguage=en_US

I have also tried doing an uninstall + fresh install using Sophos Zapp, but to no avail. 

I noticed that for this particular server, the docmodel directory from C:\Program Files\Sophos\Sophos ML Engine\ML1\ is empty. I am sure that this once contained several .dll and .dat files. 

Anyone have any ideas on what to try next? 



  • In \windows\temp\ if AutoUpdate has tried to install it, you should have a pair of logs. E.g.

    • Sophos ML Engine Install Log 20220306 173104
    • Sophos ML Engine Validator Log 20220306 173104

    Can you paste those?

  • Hi SophosUser930, 

    As per your request

    Sophos ML Engine Install Log 20220308 074314.txt : 

    Version: 1.8.7.1
    2022-03-08T07:43:14 CPluginComponent::Install: Installation starting
    2022-03-08T07:43:14 installer_lib::InstallFilesCommand<class installer_lib::FileInstaller<class installer_lib::Filesystem>,class installer_lib::Filesystem>::execute: Installing files to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Looking for changes
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Looking at source files in "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel"
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Looking at current files in "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16388810729236551"
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking file "docmodel.dll" for copy as it has changed
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking file "manifest.dat" for copy as it has changed
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking file "onnxruntime.dll" for copy as it is a DLL
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking "static_office.dat" for linking as it has not changed
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking file "static_pdf.dat" for copy as it has changed
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::detect_changes: Marking file "static_rtf.dat" for copy as it has changed
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::run: Change detected - copying files to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\docmodel.dll" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\docmodel.dll" exists
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\manifest.dat" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\manifest.dat" exists
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\onnxruntime.dll" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\onnxruntime.dll" exists
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Linking "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\static_office.dat"
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\static_pdf.dat" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\static_pdf.dat" exists
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::copy_files: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\static_rtf.dat" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\docmodel\\static_rtf.dat" exists
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
    2022-03-08T07:43:14 installer_lib::FileInstaller<class installer_lib::Filesystem>::run: Copying files succeeded
    2022-03-08T07:43:14 installer_lib::InstallFilesCommand<class installer_lib::FileInstaller<class installer_lib::Filesystem>,class installer_lib::Filesystem>::execute: Successfully installed files to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Copying "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\SophosSMEValidator.exe" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: src: "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\SophosSMEValidator.exe" exists
    2022-03-08T07:43:14 installer_lib::Filesystem::copy: dst: "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827" exists and is a directory
    2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Successfully copied "C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\decoded\\sme64\\SophosSMEValidator.exe" to "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Validating
    2022-03-08T07:43:14 ml_installer::ModelValidator::Validate: Running validator "C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\16467433947398827\SophosSMEValidator.exe" "C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\16467433947398827"
    2022-03-08T07:43:14 ml_installer::ModelValidator::Validate: Validator started
    2022-03-08T07:43:14 ml_installer::ModelValidator::Validate: Validator returned 3
    2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Validation Failed
    2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Removing "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827\\SophosSMEValidator.exe"
    2022-03-08T07:43:14 installer_lib::Filesystem::remove_all: Successfully removed "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827\\SophosSMEValidator.exe"
    2022-03-08T07:43:14 ml_installer::ValidateModelCommand<class installer_lib::Filesystem,class ml_installer::ModelValidator>::execute: Successfully removed "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827\\SophosSMEValidator.exe"
    2022-03-08T07:43:14 installer_lib::InstallFilesCommand<class installer_lib::FileInstaller<class installer_lib::Filesystem>,class installer_lib::Filesystem>::backout: Backing out: Removing files from "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::Filesystem::remove_all: Successfully removed "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 installer_lib::InstallFilesCommand<class installer_lib::FileInstaller<class installer_lib::Filesystem>,class installer_lib::Filesystem>::backout: Backing out: Successfully removed files from "C:\\Program Files\\Sophos\\Sophos ML Engine\\ML1\\docmodel\\16467433947398827"
    2022-03-08T07:43:14 CPluginComponent::Install: Installation failed

    Sophos ML Engine Validator Log 20220308 074314.txt :

    Version: 1.8.7.1
    2022-03-08T07:43:14 wWinMain: Command line: "C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\16467433947398827"
    2022-03-08T07:43:14 `anonymous-namespace'::Startup: Successfully set search path using standard approach.
    2022-03-08T07:43:14 Validate: File C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\16467433947398827\docmodel.dll not signed by Sophos
    2022-03-08T07:43:14 wWinMain: Validation failed

    Thanks for your help

  • this is the most significant line:

    Validate: File C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\16467433947398827\docmodel.dll not signed by Sophos.

    This is Sophos just calling the Microsoft API WinVerifyTrust against the file in question and it is failing. Evidence for this is in the CAPI2 Event log.

    If you visit:
    https://trusted-root-g4.chain-demos.digicert.com/

    on that computer, what happens?

    Do you see in the Certificates MMC (Computer account) the DigiCert Trusted Root G4 cert?

    If it's there after visiting https://trusted-root-g4.chain-demos.digicert.com/, does the next "Update now" complete?

    Also worth checking in the registry under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot
    and
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

    ...don't have a DWORD registry value named DisableRootAutoUpdate set to 1.

  • Hi SophosUser930, for me it works now. After opening the trusted-root link above without an error I could complete the Update Now successfully. Thanks a lot!

  • No problem, curious you hadn't got it. Looking at:
    Release notes - Microsoft Trusted Root Certificate Program

    The July update here:
    July 2020 Deployment Notice - Microsoft Trusted Root Program has:

    Digicert \ DigiCert Trusted Root G4 \ DDFB16CD4931C973A2037D3FC83A4D7D775D05E4


    Where DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 is the thumbprint so it's not super new.

    I can only think that visiting the site put it into the cert store.

    Thanks for the reply.

  • Hi SophosUser930,

    It's worked for me too !

    Thanks !

    Regards,

  • Worked for me. This probably saved me a lot of time going through logs and debugging. Thanks!

    Info: We only had this problem on machines running Windows 2012 R2 so far; 2016 and 2019 have worked so far without any problems.

  • Good to hear, I suppose, if you have LiveQuery:

    This query would show clients missing the cert:

    SELECT 'true' AS MissingDigicertG4Certificate
    WHERE NOT EXISTS
       (select 1 from certificates where
            store_location = 'LocalMachine' and
            store='Trusted Root Certification Authorities'
            and common_name='DigiCert Trusted Root G4'
        )

    You can even use the Authenticode table to "validate" the file in the same way as the installer.  The file should say "trusted" if all is OK as the result.

    select
    path as path,
    serial_number,
    issuer_name,
    subject_name,
    result
    from authenticode
    where path = "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sme64\docmodel\docmodel.dll"

    To remediate, over Live Response, the following commands should also fix it:

    mkdir C:\digicerttemp
    cd C:\digicerttemp
    certutil.exe -urlcache -f https://cacerts.digicert.com/DigiCertTrustedRootG4.crt C:\digicerttemp\DigiCertTrustedRootG4.crt
    certutil.exe -addstore root C:\digicerttemp\DigiCertTrustedRootG4.crt
    cd \
    rmdir digicerttemp /S /Q

    I've suggested using certutil to download the cert because older platforms have PowerShell 2, so Invoke-WebRequest is probably not available.

    Hope that helps.
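The checks from SophosUser930's diagnostic post (root cert present, DisableRootAutoUpdate not set, the model DLL's Authenticode chain, CAPI2 evidence) and the certutil remediation from the post above, collected into one script. This is an added example written for this thread, not code from Sophos or from any poster. It assumes the script name, the parameter names and the `-Remediate` switch; the thumbprint DDFB16CD4931C973A2037D3FC83A4D7D775D05E4, the download URL and the registry keys are the ones quoted in the thread. The one thing it adds beyond the thread is a thumbprint comparison before `certutil -addstore`, so a tampered or wrong download never lands in the machine's trusted root store. Run it elevated in PowerShell 2 or later.

```powershell
# Check-SophosMlRootCert.ps1 (hypothetical name, added example, not Sophos code)
[CmdletBinding()]
param(
    # Path the thread's authenticode LiveQuery checked; AutoUpdate stages the download here.
    [string]$ModelDll = 'C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sme64\docmodel\docmodel.dll',
    # Apply the certutil remediation from the thread when the root is missing.
    [switch]$Remediate
)

# DigiCert Trusted Root G4 thumbprint and download URL, both as quoted in the thread.
$G4Thumbprint = 'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
$G4Url        = 'https://cacerts.digicert.com/DigiCertTrustedRootG4.crt'

# 1. Is the root in the Computer account's Trusted Root Certification Authorities store?
$g4 = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $G4Thumbprint }
if ($g4) {
    Write-Output "OK   DigiCert Trusted Root G4 present (expires $($g4.NotAfter))"
} else {
    Write-Output "FAIL DigiCert Trusted Root G4 missing from Cert:\LocalMachine\Root"
}

# 2. Has automatic root update been switched off by policy or in the machine hive?
$autoRootKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot',
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot'
)
foreach ($key in $autoRootKeys) {
    $val = (Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    if ($val -eq 1) {
        Write-Output "WARN $key\DisableRootAutoUpdate = 1 (Windows will not fetch missing roots on demand)"
    } else {
        Write-Output "OK   $key\DisableRootAutoUpdate is not 1"
    }
}

# 3. Does the model DLL chain to a trusted root? This is the WinVerifyTrust check the
#    validator performs; it reports the chain status, not the Sophos-specific signer test.
if (Test-Path -LiteralPath $ModelDll) {
    $sig = Get-AuthenticodeSignature -FilePath $ModelDll
    Write-Output "INFO $ModelDll : $($sig.Status) ; signer = $($sig.SignerCertificate.Subject)"
    if ($sig.Status -ne 'Valid') {
        Write-Output "FAIL signature status $($sig.Status): $($sig.StatusMessage)"
    }
} else {
    Write-Output "SKIP $ModelDll not found (AutoUpdate has not staged a download)"
}

# 4. Corroborating evidence: latest errors in the CAPI2 Operational log, if that log is enabled.
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Level = 2 } -MaxEvents 5 -ErrorAction Stop |
        ForEach-Object { Write-Output "CAPI2 $($_.TimeCreated) id=$($_.Id) $($_.Message.Split("`n")[0])" }
} catch {
    Write-Output "INFO no CAPI2 errors readable (log disabled or empty): $($_.Exception.Message)"
}

# 5. Remediation (thread's certutil steps), only when asked for and only when the root is absent.
if ($Remediate -and -not $g4) {
    $tmp = Join-Path $env:TEMP 'digicerttemp'
    New-Item -ItemType Directory -Path $tmp -Force | Out-Null
    $crt = Join-Path $tmp 'DigiCertTrustedRootG4.crt'
    try {
        & certutil.exe -urlcache -f $G4Url $crt
        if ($LASTEXITCODE -ne 0) { throw "certutil download failed (exit $LASTEXITCODE)" }
        # Pin to the expected thumbprint before trusting anything that came off the network.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($crt)
        if ($cert.Thumbprint -ne $G4Thumbprint) {
            throw "downloaded certificate thumbprint $($cert.Thumbprint) does not match $G4Thumbprint; not installing"
        }
        & certutil.exe -addstore root $crt
        if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed (exit $LASTEXITCODE)" }
        Write-Output "OK   DigiCert Trusted Root G4 added to LocalMachine\Root; retry 'Update now'"
    } finally {
        Remove-Item -LiteralPath $tmp -Recurse -Force -ErrorAction SilentlyContinue
    }
}
```

Run it once without `-Remediate` to see the four findings; a FAIL on step 1 together with a non-Valid status on step 3 is the pattern this thread describes. Step 3 mirrors what the installer's validator does through WinVerifyTrust, but the validator additionally requires the signer to be Sophos, so a `Valid` status here is necessary, not sufficient, for the install to pass.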