This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Scripted Install Question around mcsclient.exe

We're doing a scripted install using a scripted install of the full package as per https://community.sophos.com/kb/en-us/121318 and https://community.sophos.com/kb/hu-hu/120611

We have hundreds of machines and with some machines I'm seeing an alert that they've missed several updates.  When I check the machine it doesn't appear the Sophos services are installed, but mcsclient.exe is installed and running so the batch install script simply thinks "Yeah nothing to do here" and exits.

I have two questions:

1) As the install has got so far as to install and set mcsclient.exe to run, should mcsclient.exe go on to pull down the rest of the files and complete the install without any more intervention?

2) If not what is the solution please?

Thanks :)



This thread was automatically locked due to age.
Parents
  • Hi,

    If the computers are showing up in Central, that would suggest that they registered OK so it seems Management Communication System (MCS) is working at least to some extent.

    As Sophos AutoUpdate (SAU) must also have been installed, are you saying that you just have MCS and SAU on these computers?

    MCS should register and get an updating policy to configure SAU with credentials so SAU can pull and install the licensed software.

    Checks would be:

    1. Has the computer received an identity, i.e it has registered with Central. I would typically first check the MCS Client log file (C:\ProgramData\Sophos\Management Communications System\Endpoint\logs\) for the registration handshake (search down for identity), did it get an identity assigned (a GUID) and if the identity text file has been created under: C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\EndpointIdentity.txt.  
    Note: You should see that the GUID in there matches the URL of the computer back in Central.

    2. With that stage complete, did the client get an updating policy? The cached SAU policy would be here:
    "C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\ALC\saupolicy".
    Evidence of the policy being applied by the MCS Agent to SAU would be the contents of:
    "C:\ProgramData\Sophos\AutoUpdate\Config\iconn.cfg".
    Does it have the username and password set?

    Following the configuration of SAU by MCS, what does the SAU trace log say for an update - C:\ProgramData\Sophos\AutoUpdate\Logs\SophosUpdate.log?
    You should see at the start of the update, reference to the username:
    SDDSDownloader::SyncInternal Username: xxxxxxxx

    What goes on after that, any failures?

    The registry keys and sub-keys and values under:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\Service\CloudSubscriptions
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\Service\PolicyFeatures
    ...are also worth checking on these failing computers.

    If you manually run SophosInstall.exe (as downloaded from Central) on one of your computers, does that install and update as expected?
    If so I would compare the values and keys mentioned above so see how they differ.

    Regards,
    Jak

  • Hi, please excuse a hasty reply, just off out but..

    • Services installed are:
    • Sophos MCS Agent Sophos MCS Agent
      Sophos MCS Client Sophos MCS Client
    • No sign of a Sophos Update process or service.
    • C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\EndpointIdentity.txt so it looks like it's registered as it shows in the Central console as out of date with no services under status.
    • C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\ALC\saupolicy". doesn't exist
    • "C:\ProgramData\Sophos\AutoUpdate\Config\iconn.cfg". doesn't exist just "cache" and "data" subfolders
    • C:\ProgramData\Sophos\AutoUpdate\Logs\SophosUpdate.log? doesn't exist
    • Didn't have chance to check the reg keys I'm afraid.

    I saw this on a few machines where I simply re-ran the installer and it installed correctly, but my point is it's a huge concern is the approved Sophos silent install script can say it's installed when it appears it isn't.

    I have no idea why they don't produce an MSI or something with a bit firmer "yes it has or no it hasn't" flag.

    I'll sit and do nothing on this client and see if it does eventually sort itself out but any other suggestions would be great.

  • And some hours later no change.  Ran sophosinstall.exe -q again and it installed fine.

    I suspect the Sophos installer doesn't deal elegantly with someone rebooting mid way through an install, and with a silent install this is something that surely has to be factored in?

Reply Children
  • Do you have the logs from an install where this has happened?

    Which component didn't survive?  

    The install is just a series of MSIs so Windows Installer should provides some guarantees.

    Regards,

    Jak

  • I think the issue the way I see it (and happy to be corrected) is that the only measure of whether the product is installed seems to be "is the file the install batch file is looking for present?"

    Now I've clearly had at least one machine where for whatever reason I could run that batch file 10,000 times a day and all it would say is "nothing to do, it's already installed" when for whatever reason it wasn't installed to the point of it actually working.

    That just doesn't feel like a particularly robust install process when you have hundreds of clients.

    If I was going to put in one feature request right now it would be to simply have an option remotely gather logs as it's just not practical in a large distributed environment to be having to track people down to remote to their PC to gather a log bundle.

    Should add, I actually do really like Sophos so far, hopefully this will get better as the Central product matures :)