
Sophos ML Engine (64-bit) failed to install

Hello, 

I am new to Sophos and System Administration in general. 

Over the weekend, I got several notifications that some of my servers had failed to update Sophos.

Below are some error snippets I've identified from the installation log: %ProgramData%\Sophos\CloudInstaller\Logs\SophosCloudInstaller_<date>_<time>.log

Installing component: Sophos ML engine (64-bit)
IsWow64Process2 not available on older platforms.
...
W failed to install product 70FDD40E-986A-44E5-9620-2B894A06702A 1.8.7.1
su-setup: exit 1

SetupPluginCommand::onRun() failed with ComponentInstaller::InstallError:Failed to install component(s)
SetupPlugin completed with failure with reboot code '0' and error message 'could not install software'
Installation failed

I am pretty sure that the failure has to do with the Sophos ML Engine due to the above errors. 

I have already tried installing the new root certificates, and made sure that there weren't any misconfigurations in both registry and local/group policy as recommended in the article: https://support.sophos.com/support/s/article/KB-000043788?language=en_US&c__displayLanguage=en_US

I have also tried doing an uninstall + fresh install using Sophos Zapp, but to no avail. 

I noticed that for this particular server, the docmodel directory from C:\Program Files\Sophos\Sophos ML Engine\ML1\ is empty. I am sure that this once contained several .dll and .dat files. 

Anyone have any ideas on what to try next? 



This thread was automatically locked due to age.
  • Good to hear, I suppose, if you have LiveQuery:

    This query would show clients missing the cert:

    SELECT 'true' AS MissingDigicertG4Certificate
    WHERE NOT EXISTS
       (select 1 from certificates where
            store_location = 'LocalMachine' and
            store = 'Trusted Root Certification Authorities'
            and common_name = 'DigiCert Trusted Root G4'
        )

    You can even use the Authenticode table to "validate" the file in the same way as the installer.  The file should say "trusted" if all is OK as the result.

    select
        path as path,
        serial_number,
        issuer_name,
        subject_name,
        result
    from authenticode
    where path = 'C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sme64\docmodel\docmodel.dll'

    To remediate, over Live Response, the following commands should also fix it:

    mkdir C:\digicerttemp
    cd C:\digicerttemp
    certutil.exe -urlcache -f https://cacerts.digicert.com/DigiCertTrustedRootG4.crt C:\digicerttemp\DigiCertTrustedRootG4.crt
    certutil.exe -addstore root C:\digicerttemp\DigiCertTrustedRootG4.crt
    cd \
    rmdir digicerttemp /S /Q

    I've suggested using certutil to download the cert, as older platforms have PowerShell 2, so Invoke-WebRequest is probably not available.

    Hope that helps.
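
The two checks and the certificate import from the reply above, as an added PowerShell example that is not part of the original thread and not Sophos code. It compares the downloaded file's thumbprint with a pinned value before the file goes into the root store. The thumbprint is a placeholder to fill in from DigiCert's published value, and the function names are hypothetical.

```powershell
# Added example (not from the thread). Works on PowerShell 2.0; run elevated.
$RootCN   = 'DigiCert Trusted Root G4'                   # common name from the LiveQuery
$DllPath  = 'C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sme64\docmodel\docmodel.dll'
$CertFile = 'C:\digicerttemp\DigiCertTrustedRootG4.crt'  # file fetched by certutil -urlcache
# Placeholder (assumption): set to the SHA-1 thumbprint DigiCert publishes for this root.
$ExpectedThumbprint = '<EXPECTED-SHA1-THUMBPRINT>'

function Test-RootPresent([string]$CommonName) {
    # Same question as the first LiveQuery: is the root in LocalMachine\Root?
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $hits = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.GetNameInfo($simple, $false) -eq $CommonName })
    return ($hits.Count -gt 0)
}

function Get-DllTrust([string]$Path) {
    # Same question as the authenticode query; 'Valid' is the status to expect
    # when the signature chains to a trusted root.
    if (-not (Test-Path -LiteralPath $Path)) { return 'FileMissing' }
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function Import-VerifiedRoot([string]$File, [string]$Thumbprint) {
    # Refuse to trust a downloaded root unless its thumbprint matches the pinned value.
    # An unfilled placeholder never yields 40 hex characters, so it fails closed.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $File
    $want = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($want.Length -ne 40 -or $cert.Thumbprint -ne $want) {
        throw "Thumbprint check failed for $File (file has $($cert.Thumbprint)); not importing."
    }
    & certutil.exe -addstore root $File
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore exited with code $LASTEXITCODE" }
}

if (Test-RootPresent $RootCN) {
    Write-Output "Root '$RootCN' is present in LocalMachine\Root."
} elseif (Test-Path -LiteralPath $CertFile) {
    Import-VerifiedRoot $CertFile $ExpectedThumbprint
    Write-Output "Root '$RootCN' imported after thumbprint check."
} else {
    Write-Output "Root '$RootCN' is missing and $CertFile has not been downloaded yet."
}
Write-Output ("Authenticode status of docmodel.dll: " + (Get-DllTrust $DllPath))
```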

  • Hi, User390

    Thanks for your comment here. 

    We also had trouble with some servers not updating and by checking the Cert concerned, I noticed this one was missing. 

    I exported it from the server which was ok and imported it simply in the others. 

    Works perfectly. 

    Best Regards

  • This was the second time that I have seen this error.

    The first time I had to do the procedure that Sophos_User930 recommended and it worked as normal.

    The second time now, when I visited the machine, it already had the G4 certificate on the server.

    I tried to restart the AutoUpdate service because I was having updating failures about this specific package.

    After restarting AutoUpdate, I noticed that it still didn't resolve the problem; therefore, I reset the MCS Client service, and after that it could connect successfully and did the download of the ML Engine.

    I'm not exactly sure what was wrong with this specific case, but after I reset the MCS Client service, it updated the device status and could communicate correctly with Sophos Central.

    Posting it here as it may help other people out.