This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unable to clear Exploit Prevention Requires Restart error

Hi, after the recent Exploit Prevention update I am unable to get this error to clear from one of our Server 2012R2 servers.

Code: 000000c1

Description: Restart required for Sophos Exploit Prevention updates to take effect

The server has been rebooted multiple times and does not have anything like "fast start" enabled.

Thank you



This thread was automatically locked due to age.
  • Hi  

    What is the version of the exploit prevention it is showing? Is it the latest version?  Could you please check on any one of the endpoints, the registry key HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations as it stores the names of the files to renamed when the system restarts.

    Shweta

    Community Support Engineer | Sophos Technical Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
    The New Home of Sophos Support Videos! - Visit Sophos Techvids
  • Hi Shweta,

    Exploit prevention version: 3.7.17

    That key has the following values:


    \??\C:\Windows\system32\spool\V4Dirs\6C4B6081-B01D-4CBD-B0BE-97CFAD921A14\9a072afe.BUD

    \??\C:\Windows\system32\spool\V4Dirs\6C4B6081-B01D-4CBD-B0BE-97CFAD921A14\9a072afe.gpd

    \??\C:\Windows\system32\spool\V4Dirs\6C4B6081-B01D-4CBD-B0BE-97CFAD921A14

    Should I just clear the values?

    Thanks

  • Hi  

    That is the latest version which is installed. If you acknowledge the alert from the dashboard and then reboot the server, see if it re-occurs. 

    Shweta

    Community Support Engineer | Sophos Technical Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
    The New Home of Sophos Support Videos! - Visit Sophos Techvids
  • Thank you Shweta, but it does not show as an alert or alarm.  The console calls it a warning and do not see a way to acknowledge.

    Thanks

  • Hi  

    Could you please check under Sophos HitmanPro Alert install log and paste those logs here to check what is causing the issue? 

    Shweta

    Community Support Engineer | Sophos Technical Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
    The New Home of Sophos Support Videos! - Visit Sophos Techvids
  • I do not know if something was changed, but the system showing this issue no longer shows as a warning in the console.  I am still getting email alerts about a system exceeding the critical updating period and it shows exploit prevention has not updated since the install date of the upgrade.

    Here is the relevant portion of the log found at "C:\ProgramData\HitmanPro.Alert\Logs".

    2020-07-18T06:29:33.804Z [VerifyPolicy] success, C:\ProgramData\HitmanPro.Alert\policy_20200718062933
    2020-07-18T06:29:59.516Z [Service] System shutdown
    2020-07-18T06:29:59.518Z [Service] System shutdown flag created
    2020-07-18T06:29:59.519Z [Service] Stopping...
    2020-07-18T06:29:59.829Z [Service] Stopped
    2020-07-18T06:30:22.809Z [Service] Startup (build 321)
    2020-07-18T06:30:22.903Z [Service] Running
    2020-07-26T15:39:03.889Z [Service] System shutdown
    2020-07-26T15:39:03.892Z [Service] System shutdown flag created
    2020-07-26T15:39:03.892Z [Service] Stopping...
    2020-07-26T15:39:04.574Z [Service] Stopped
    2020-07-26T15:39:24.765Z [Service] Startup (build 321)
    2020-07-26T15:39:24.874Z [Service] Running
    2020-07-26T15:57:37.347Z [Service] System shutdown
    2020-07-26T15:57:37.347Z [Service] System shutdown flag created
    2020-07-26T15:57:37.348Z [Service] Stopping...
    2020-07-26T15:57:38.113Z [Service] Stopped
    2020-07-26T15:57:58.824Z [Service] Startup (build 321)
    2020-07-26T15:57:58.933Z [Service] Running
    2020-07-26T17:58:33.132Z [Service] System shutdown
    2020-07-26T17:58:33.132Z [Service] System shutdown flag created
    2020-07-26T17:58:33.132Z [Service] Stopping...
    2020-07-26T17:58:34.028Z [Service] Stopped
    2020-07-26T17:59:17.104Z [Service] Startup (build 321)
    2020-07-26T17:59:17.213Z [Service] Running
    2020-07-26T18:04:10.025Z [Service] System shutdown
    2020-07-26T18:04:10.026Z [Service] System shutdown flag created
    2020-07-26T18:04:10.026Z [Service] Stopping...
    2020-07-26T18:04:10.886Z [Service] Stopped
    2020-07-26T18:04:53.510Z [Service] Startup (build 321)
    2020-07-26T18:04:53.620Z [Service] Running

     

    Here is the most recent "Sophos HitmanPro Alert install log" from C:\Windows\Temp:

     

    a 2020-07-01 00:57:17.527 [3752:4740] - Beginning install
    a 2020-07-01 00:57:17.528 [3752:4740] - Executing step: Validate it is NextGen endpoint
    a 2020-07-01 00:57:17.528 [3752:4740] - Executing step: Validate the user is an admin
    a 2020-07-01 00:57:17.528 [3752:4740] - Executing step: Validate that driver verifier is NOT enabled for HMPA.
    a 2020-07-01 00:57:17.528 [3752:4740] - Executing step: Validate that HMPA is not pending reboot
    a 2020-07-01 00:57:17.528 [3752:4740] - Executing step: HMPA install mode installer
    a 2020-07-01 00:57:17.528 [3752:4740] - Executing step: CreateRegistryKey(HKLM\SYSTEM\CurrentControlSet\Services\hmpalert, 0)
    a 2020-07-01 00:57:17.528 [3752:4740] - Executing step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\hmpalert, 0, Mode, 5)
    a 2020-07-01 00:57:17.528 [3752:4740] - Executing step: HMPA Hotfix Add/Remove Programs Uninstaller
    a 2020-07-01 00:57:17.528 [3752:4740] - Executing step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0C81FABA-4224-4C89-AB4B-F463CE24C53E}, 64)
    a 2020-07-01 00:57:17.528 [3752:4740] - Executing step: HMPA Integrity installer
    a 2020-07-01 00:57:17.528 [3752:4740] - Executing step: CreateDirectory(C:\Program Files (x86)\HitmanPro.Alert)
    a 2020-07-01 00:57:17.529 [3752:4740] - Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\cache\hmpa64\integrity.dat, C:\Program Files (x86)\HitmanPro.Alert\integrity.dat)
    a 2020-07-01 00:57:17.531 [3752:4740] - Executing step: CreateRegistryKey(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0)
    a 2020-07-01 00:57:17.531 [3752:4740] - Executing step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0, IntegrityPath, C:\Program Files (x86)\HitmanPro.Alert\integrity.dat)
    a 2020-07-01 00:57:17.531 [3752:4740] - Executing step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0, Enable, 1)
    a 2020-07-01 00:57:17.531 [3752:4740] - Executing step: HMPA app upgrader composite
    a 2020-07-01 00:57:17.531 [3752:4740] - Executing step: HMPA app upgrader
    a 2020-07-01 00:57:21.315 [3752:4740] - Reboot required by execute step: HMPA app upgrader
    a 2020-07-01 00:57:21.315 [3752:4740] - Reboot required by execute step: HMPA app upgrader composite
    a 2020-07-01 00:57:21.315 [3752:4740] - Executing step: HMPA file installer
    a 2020-07-01 00:57:21.468 [3752:4740] - Executing step: RegSvr32 (C:\Program Files (x86)\HitmanPro.Alert\ExploitPreventionPlugin.dll)
    a 2020-07-01 00:57:22.548 [3752:4740] - Executing step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\SAVService\SAVUI\plugins, 32)
    a 2020-07-01 00:57:22.548 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\SAVService\SAVUI\plugins, 32, EXPPlugin.EXPUIPlugin, 1493172224)
    a 2020-07-01 00:57:22.548 [3752:4740] - HMPA file installer: choose to run: HMPA installer over reboot
    a 2020-07-01 00:57:22.548 [3752:4740] - Executing step: CreateDirectory(C:\Program Files (x86)\HitmanPro.Alert\Update Adapter Folder)
    a 2020-07-01 00:57:22.549 [3752:4740] - Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\cache\hmpa64\Adapter.dll, C:\Program Files (x86)\HitmanPro.Alert\Update Adapter Folder\Adapter.dll)
    a 2020-07-01 00:57:22.550 [3752:4740] - Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\cache\hmpa64\Uninstall.exe, C:\Program Files (x86)\HitmanPro.Alert\Update Adapter Folder\Uninstall.exe)
    a 2020-07-01 00:57:22.552 [3752:4740] - Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\cache\hmpa64\readme.txt, C:\Program Files (x86)\HitmanPro.Alert\Update Adapter Folder\readme.txt)
    a 2020-07-01 00:57:22.553 [3752:4740] - Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\cache\hmpa64\scf.dat, C:\Program Files (x86)\HitmanPro.Alert\Update Adapter Folder\scf.dat)
    a 2020-07-01 00:57:22.553 [3752:4740] - Executing step: Telemetry installer over reboot
    a 2020-07-01 00:57:22.553 [3752:4740] - Executing step: SAV UI plugin installer over reboot
    a 2020-07-01 00:57:22.553 [3752:4740] - Executing step: Injection Registration installer
    a 2020-07-01 00:57:22.553 [3752:4740] - Executing step: HMPA supplement file installer
    a 2020-07-01 00:57:22.553 [3752:4740] - Executing step: CreateDirectory(C:\ProgramData\HitmanPro.Alert\drop)
    a 2020-07-01 00:57:22.554 [3752:4740] - Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\cache\hmpa64\hmpalert.bf, C:\ProgramData\HitmanPro.Alert\drop\hmpalert.bf)
    a 2020-07-01 00:57:22.554 [3752:4740] - Executing step: HMPA alerter path registration
    a 2020-07-01 00:57:22.554 [3752:4740] - Executing step: SAU product key installer for {244E68BF-E1BB-4A6B-AC18-A492DE0134C0}
    a 2020-07-01 00:57:22.554 [3752:4740] - Executing step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\AutoUpdate\Products\{244E68BF-E1BB-4A6B-AC18-A492DE0134C0}, 32)
    a 2020-07-01 00:57:22.554 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\AutoUpdate\Products\{244E68BF-E1BB-4A6B-AC18-A492DE0134C0}, 32, CidFolderPath, hmpa64)
    a 2020-07-01 00:57:22.555 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\AutoUpdate\Products\{244E68BF-E1BB-4A6B-AC18-A492DE0134C0}, 32, ProductName, Sophos HitmanPro Alert)
    a 2020-07-01 00:57:22.555 [3752:4740] - Executing step: HMPA Telemetry installer
    a 2020-07-01 00:57:22.555 [3752:4740] - Executing step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\EXP, 32)
    a 2020-07-01 00:57:22.555 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\EXP, 32, Cmd, EXPTelem.exe)
    a 2020-07-01 00:57:22.555 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\EXP, 32, Path, C:\Program Files (x86)\HitmanPro.Alert\EXPTelem.exe)
    a 2020-07-01 00:57:22.555 [3752:4740] - Executing step: HMPA Add/Remove Programs installer
    a 2020-07-01 00:57:22.555 [3752:4740] - Executing step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64)
    a 2020-07-01 00:57:22.555 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, AuthorizedCDPrefix, )
    a 2020-07-01 00:57:22.555 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, Comments, Sophos CryptoGuard)
    a 2020-07-01 00:57:22.555 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, Contact, Sophos Technical Support)
    a 2020-07-01 00:57:22.555 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, DisplayIcon, C:\Program Files (x86)\HitmanPro.Alert\Uninstall.exe)
    a 2020-07-01 00:57:22.555 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, DisplayName, Sophos CryptoGuard)
    a 2020-07-01 00:57:22.555 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, DisplayVersion, 3.7.17.321)
    a 2020-07-01 00:57:22.555 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, EstimatedSize, 8788)
    a 2020-07-01 00:57:22.556 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, HelpLink, http://www.sophos.com/support)
    a 2020-07-01 00:57:22.556 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, InstallDate, 20200630)
    a 2020-07-01 00:57:22.557 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, InstallLocation, C:\Program Files (x86)\HitmanPro.Alert)
    a 2020-07-01 00:57:22.557 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, InstallSource, )
    a 2020-07-01 00:57:22.557 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, Language, 1033)
    a 2020-07-01 00:57:22.557 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, ModifyPath, )
    a 2020-07-01 00:57:22.557 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, NoModify, 1)
    a 2020-07-01 00:57:22.557 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, NoRepair, 1)
    a 2020-07-01 00:57:22.557 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, Publisher, Sophos Limited)
    a 2020-07-01 00:57:22.557 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, UninstallString, "C:\Program Files (x86)\HitmanPro.Alert\Uninstall.exe")
    a 2020-07-01 00:57:22.557 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, URLInfoAbout, http://www.sophos.com)
    a 2020-07-01 00:57:22.557 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, VersionMajor, 3)
    a 2020-07-01 00:57:22.557 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, VersionMinor, 7)
    a 2020-07-01 00:57:22.557 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, SystemComponent, 0)
    a 2020-07-01 00:57:22.557 [3752:4740] - Executing step: Reboot Required installer
    a 2020-07-01 00:57:22.557 [3752:4740] - Executing step: CreateVolatileRegistryKey(HKLM\SOFTWARE\HitmanPro.Alert\_volatile_, 0)
    a 2020-07-01 00:57:22.558 [3752:4740] - Executing step: SetRegistryValue(HKLM\SOFTWARE\HitmanPro.Alert\_volatile_, 0, RebootRequired, 1)
    a 2020-07-01 00:57:22.558 [3752:4740] - Commit step: Validate it is NextGen endpoint
    a 2020-07-01 00:57:22.558 [3752:4740] - Commit step: Validate the user is an admin
    a 2020-07-01 00:57:22.558 [3752:4740] - Commit step: Validate that driver verifier is NOT enabled for HMPA.
    a 2020-07-01 00:57:22.558 [3752:4740] - Commit step: Validate that HMPA is not pending reboot
    a 2020-07-01 00:57:22.558 [3752:4740] - Commit step: HMPA install mode installer
    a 2020-07-01 00:57:22.558 [3752:4740] - Commit step: CreateRegistryKey(HKLM\SYSTEM\CurrentControlSet\Services\hmpalert, 0)
    a 2020-07-01 00:57:22.558 [3752:4740] - Commit step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\hmpalert, 0, Mode, 5)
    a 2020-07-01 00:57:22.558 [3752:4740] - Commit step: HMPA Hotfix Add/Remove Programs Uninstaller
    a 2020-07-01 00:57:22.558 [3752:4740] - Commit step: DeleteRegistryKey(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0C81FABA-4224-4C89-AB4B-F463CE24C53E}, 64)
    a 2020-07-01 00:57:22.558 [3752:4740] - Commit step: HMPA Integrity installer
    a 2020-07-01 00:57:22.558 [3752:4740] - Commit step: CreateDirectory(C:\Program Files (x86)\HitmanPro.Alert)
    a 2020-07-01 00:57:22.558 [3752:4740] - Commit step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\cache\hmpa64\integrity.dat, C:\Program Files (x86)\HitmanPro.Alert\integrity.dat)
    a 2020-07-01 00:57:22.559 [3752:4740] - Commit step: CreateRegistryKey(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0)
    a 2020-07-01 00:57:22.559 [3752:4740] - Commit step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0, IntegrityPath, C:\Program Files (x86)\HitmanPro.Alert\integrity.dat)
    a 2020-07-01 00:57:22.559 [3752:4740] - Commit step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0, Enable, 1)
    a 2020-07-01 00:57:22.559 [3752:4740] - Commit step: HMPA app upgrader composite
    a 2020-07-01 00:57:22.559 [3752:4740] - Commit step: HMPA app upgrader
    a 2020-07-01 00:57:22.559 [3752:4740] - Commit step: HMPA file installer
    a 2020-07-01 00:57:22.559 [3752:4740] - HMPA file installer: commit of: HMPA installer over reboot
    a 2020-07-01 00:57:22.559 [3752:4740] - Commit step: CreateDirectory(C:\Program Files (x86)\HitmanPro.Alert\Update Adapter Folder)
    a 2020-07-01 00:57:22.559 [3752:4740] - Commit step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\cache\hmpa64\Adapter.dll, C:\Program Files (x86)\HitmanPro.Alert\Update Adapter Folder\Adapter.dll)
    a 2020-07-01 00:57:22.559 [3752:4740] - Commit step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\cache\hmpa64\Uninstall.exe, C:\Program Files (x86)\HitmanPro.Alert\Update Adapter Folder\Uninstall.exe)
    a 2020-07-01 00:57:22.559 [3752:4740] - Commit step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\cache\hmpa64\readme.txt, C:\Program Files (x86)\HitmanPro.Alert\Update Adapter Folder\readme.txt)
    a 2020-07-01 00:57:22.559 [3752:4740] - Commit step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\cache\hmpa64\scf.dat, C:\Program Files (x86)\HitmanPro.Alert\Update Adapter Folder\scf.dat)
    a 2020-07-01 00:57:22.559 [3752:4740] - Commit step: Telemetry installer over reboot
    a 2020-07-01 00:57:22.559 [3752:4740] - Commit step: SAV UI plugin installer over reboot
    a 2020-07-01 00:57:22.559 [3752:4740] - SED MoveFile Scheduled: 00E87BB0 -> C:\Program Files (x86)\HitmanPro.Alert\Adapter.dll
    a 2020-07-01 00:57:22.560 [3752:4740] - SED MoveFile Scheduled: 00E87BB0 -> C:\Program Files (x86)\HitmanPro.Alert\Uninstall.exe
    a 2020-07-01 00:57:22.560 [3752:4740] - SED MoveFile Scheduled: 00E87BB0 -> C:\Program Files (x86)\HitmanPro.Alert\readme.txt
    a 2020-07-01 00:57:22.561 [3752:4740] - SED MoveFile Scheduled: 00E87BB0 -> C:\Program Files (x86)\HitmanPro.Alert\scf.dat
    a 2020-07-01 00:57:22.561 [3752:4740] - SED MoveFile Scheduled: 00E43560 -> DELETE
    a 2020-07-01 00:57:22.562 [3752:4740] - Commit step: Injection Registration installer
    a 2020-07-01 00:57:22.562 [3752:4740] - Commit step: HMPA supplement file installer
    a 2020-07-01 00:57:22.562 [3752:4740] - Commit step: CreateDirectory(C:\ProgramData\HitmanPro.Alert\drop)
    a 2020-07-01 00:57:22.562 [3752:4740] - Commit step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\cache\hmpa64\hmpalert.bf, C:\ProgramData\HitmanPro.Alert\drop\hmpalert.bf)
    a 2020-07-01 00:57:22.562 [3752:4740] - Commit step: HMPA alerter path registration
    a 2020-07-01 00:57:22.562 [3752:4740] - Commit step: SAU product key installer for {244E68BF-E1BB-4A6B-AC18-A492DE0134C0}
    a 2020-07-01 00:57:22.562 [3752:4740] - Commit step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\AutoUpdate\Products\{244E68BF-E1BB-4A6B-AC18-A492DE0134C0}, 32)
    a 2020-07-01 00:57:22.562 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Sophos\AutoUpdate\Products\{244E68BF-E1BB-4A6B-AC18-A492DE0134C0}, 32, CidFolderPath, hmpa64)
    a 2020-07-01 00:57:22.562 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Sophos\AutoUpdate\Products\{244E68BF-E1BB-4A6B-AC18-A492DE0134C0}, 32, ProductName, Sophos HitmanPro Alert)
    a 2020-07-01 00:57:22.562 [3752:4740] - Commit step: HMPA Telemetry installer
    a 2020-07-01 00:57:22.562 [3752:4740] - Commit step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\EXP, 32)
    a 2020-07-01 00:57:22.562 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\EXP, 32, Cmd, EXPTelem.exe)
    a 2020-07-01 00:57:22.562 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\EXP, 32, Path, C:\Program Files (x86)\HitmanPro.Alert\EXPTelem.exe)
    a 2020-07-01 00:57:22.562 [3752:4740] - Commit step: HMPA Add/Remove Programs installer
    a 2020-07-01 00:57:22.562 [3752:4740] - Commit step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64)
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, AuthorizedCDPrefix, )
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, Comments, Sophos CryptoGuard)
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, Contact, Sophos Technical Support)
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, DisplayIcon, C:\Program Files (x86)\HitmanPro.Alert\Uninstall.exe)
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, DisplayName, Sophos CryptoGuard)
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, DisplayVersion, 3.7.17.321)
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, EstimatedSize, 8788)
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, HelpLink, http://www.sophos.com/support)
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, InstallDate, 20200630)
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, InstallLocation, C:\Program Files (x86)\HitmanPro.Alert)
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, InstallSource, )
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, Language, 1033)
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, ModifyPath, )
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, NoModify, 1)
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, NoRepair, 1)
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, Publisher, Sophos Limited)
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, UninstallString, "C:\Program Files (x86)\HitmanPro.Alert\Uninstall.exe")
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, URLInfoAbout, http://www.sophos.com)
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, VersionMajor, 3)
    a 2020-07-01 00:57:22.563 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, VersionMinor, 7)
    a 2020-07-01 00:57:22.564 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}, 64, SystemComponent, 0)
    a 2020-07-01 00:57:22.564 [3752:4740] - Commit step: Reboot Required installer
    a 2020-07-01 00:57:22.564 [3752:4740] - Commit step: CreateVolatileRegistryKey(HKLM\SOFTWARE\HitmanPro.Alert\_volatile_, 0)
    a 2020-07-01 00:57:22.564 [3752:4740] - Commit step: SetRegistryValue(HKLM\SOFTWARE\HitmanPro.Alert\_volatile_, 0, RebootRequired, 1)
    a 2020-07-01 00:57:22.564 [3752:4740] - Action was successful, reboot is requested

     

    Here is the most recent "Sophos HitmanPro Alert Supplement install log":

     

    a 2020-07-30 08:09:59.810 [4676:4952] - Beginning install
    a 2020-07-30 08:09:59.811 [4676:4952] - Executing step: Validate it is NextGen endpoint
    a 2020-07-30 08:09:59.811 [4676:4952] - Executing step: Validate the user is an admin
    a 2020-07-30 08:09:59.811 [4676:4952] - Executing step: Validate that driver verifier is NOT enabled for HMPA.
    a 2020-07-30 08:09:59.811 [4676:4952] - Executing step: Validate that HMPA is not pending reboot
    a 2020-07-30 08:09:59.812 [4676:4952] - Executing step: HMPA Integrity installer
    a 2020-07-30 08:09:59.812 [4676:4952] - Executing step: CreateRegistryKey(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0)
    a 2020-07-30 08:09:59.812 [4676:4952] - Executing step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0, IntegrityPath, C:\Program Files (x86)\HitmanPro.Alert\integrity.dat)
    a 2020-07-30 08:09:59.812 [4676:4952] - Executing step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0, Enable, 1)
    a 2020-07-30 08:09:59.812 [4676:4952] - Executing step: HMPA supplement file installer
    a 2020-07-30 08:09:59.812 [4676:4952] - Executing step: CreateDirectory(C:\ProgramData\HitmanPro.Alert\drop)
    a 2020-07-30 08:09:59.812 [4676:4952] - Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\cache\hmpa64\hmpalert.bf, C:\ProgramData\HitmanPro.Alert\drop\hmpalert.bf)
    a 2020-07-30 08:09:59.813 [4676:4952] - Executing step: SAU product key installer for {244E68BF-E1BB-4A6B-AC18-A492DE0134C0}
    a 2020-07-30 08:09:59.813 [4676:4952] - Executing step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\AutoUpdate\Products\{244E68BF-E1BB-4A6B-AC18-A492DE0134C0}, 32)
    a 2020-07-30 08:09:59.813 [4676:4952] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\AutoUpdate\Products\{244E68BF-E1BB-4A6B-AC18-A492DE0134C0}, 32, CidFolderPath, hmpa64)
    a 2020-07-30 08:09:59.813 [4676:4952] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\AutoUpdate\Products\{244E68BF-E1BB-4A6B-AC18-A492DE0134C0}, 32, ProductName, Sophos HitmanPro Alert)
    a 2020-07-30 08:09:59.813 [4676:4952] - Executing step: HMPA Telemetry installer
    a 2020-07-30 08:09:59.813 [4676:4952] - Executing step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\EXP, 32)
    a 2020-07-30 08:09:59.813 [4676:4952] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\EXP, 32, Cmd, EXPTelem.exe)
    a 2020-07-30 08:09:59.813 [4676:4952] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\EXP, 32, Path, C:\Program Files (x86)\HitmanPro.Alert\EXPTelem.exe)
    a 2020-07-30 08:09:59.813 [4676:4952] - Executing step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\SAVService\SAVUI\plugins, 32)
    a 2020-07-30 08:09:59.813 [4676:4952] - Executing step: SetRegistryValue(HKLM\SOFTWARE\Sophos\SAVService\SAVUI\plugins, 32, EXPPlugin.EXPUIPlugin, 1493172224)
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: Validate it is NextGen endpoint
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: Validate the user is an admin
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: Validate that driver verifier is NOT enabled for HMPA.
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: Validate that HMPA is not pending reboot
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: HMPA Integrity installer
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: CreateRegistryKey(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0)
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0, IntegrityPath, C:\Program Files (x86)\HitmanPro.Alert\integrity.dat)
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: SetRegistryValue(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HMPA, 0, Enable, 1)
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: HMPA supplement file installer
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: CreateDirectory(C:\ProgramData\HitmanPro.Alert\drop)
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\cache\hmpa64\hmpalert.bf, C:\ProgramData\HitmanPro.Alert\drop\hmpalert.bf)
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: SAU product key installer for {244E68BF-E1BB-4A6B-AC18-A492DE0134C0}
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\AutoUpdate\Products\{244E68BF-E1BB-4A6B-AC18-A492DE0134C0}, 32)
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Sophos\AutoUpdate\Products\{244E68BF-E1BB-4A6B-AC18-A492DE0134C0}, 32, CidFolderPath, hmpa64)
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Sophos\AutoUpdate\Products\{244E68BF-E1BB-4A6B-AC18-A492DE0134C0}, 32, ProductName, Sophos HitmanPro Alert)
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: HMPA Telemetry installer
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\EXP, 32)
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\EXP, 32, Cmd, EXPTelem.exe)
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Sophos\Telemetry\Plugins\EXP, 32, Path, C:\Program Files (x86)\HitmanPro.Alert\EXPTelem.exe)
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: CreateRegistryKey(HKLM\SOFTWARE\Sophos\SAVService\SAVUI\plugins, 32)
    a 2020-07-30 08:09:59.814 [4676:4952] - Commit step: SetRegistryValue(HKLM\SOFTWARE\Sophos\SAVService\SAVUI\plugins, 32, EXPPlugin.EXPUIPlugin, 1493172224)
    a 2020-07-30 08:09:59.814 [4676:4952] - Action was successful, reboot is not required

     

     

    At this point I am leaning towards contacting the system owner and doing a reinstall.

     

    Thanks

  • Hi  

    From the logs it shows that " Action was successful, a reboot is not required", please re-install it once and see how it goes. 

    Shweta

    Community Support Engineer | Sophos Technical Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
    The New Home of Sophos Support Videos! - Visit Sophos Techvids
  • Well, it appears to be resolved now.

    I uninstalled the agent and rebooted.  The startup script (I found on this forum, only difference is I included exploit prevention) applied with a GPO did not reinstall the agent.  I did not dig into which part of it was not working since I really do not have the time for this at the moment.  The script can be found at the bottom of this post.

    I installed the agent with the command from the startup script.  Updated and rebooted.

    Now I had the system policy is out of compliance from the console side.  I clicked all the various update and compliance options in the console and updated the agent several times.  I rebooted the server two or three more times.

    I ended up deleting the server from the console and ran a script to delete the client registry keys that identify it in the console.  I was able to get the policy to sync after this.  Now I am wondering if this is what I should have done in the first place instead of reinstalling the agent.

    Was this possibly something involving the Enterprise Console database?

    I would also be interested in hearing any feedback you may have regarding the client reset script (am I missing any keys?) and what you may think is wrong with the install startup script.

    Thank you

     

     

    Here is the script I wrote to clear these registry keys:

     

    [array]$servicesToStop =
    "Sophos Message Router",
    "Sophos Agent",
    "Sophos AutoUpdate Service"

    foreach($service in $servicesToStop){

    Stop-Service -Name $service
    }

    $key1 = "HKLM:\Software\wow6432node\Sophos\Messaging System\Router\Private\"
    $key2 = "HKLM:\Software\wow6432node\Sophos\Remote Management System\ManagementAgent\Private\"
    $key3 = "HKLM:\Software\wow6432node\Sophos\Messaging System\Router\"

    Remove-ItemProperty -Path $key1 -Name PKC
    Remove-ItemProperty -Path $key1 -Name PKP
    Remove-ItemProperty -Path $key2 -Name PKC
    Remove-ItemProperty -Path $key2 -Name PKP
    Remove-ItemProperty -Path $key3 -Name NotifyClientUpdate

    Remove-Item "C:\Program Files\Sophos\AutoUpdate\machine_ID.txt" -ErrorAction SilentlyContinue
    Remove-Item "C:\Program Files\Sophos\AutoUpdate\data\machine_ID.txt" -ErrorAction SilentlyContinue
    Remove-Item "C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt" -ErrorAction SilentlyContinue

    foreach($service in $servicesToStop){

    Start-Service -Name $service
    }

     

    Here is the startup script that does not work on systems that once had the agent and then had it uninstalled:

    @echo off
    REM --- Check for an existing installation of Sophos AutoUpdate on 32-bit (the 'Sophos AutoUpdate Service' process)
    IF EXIST "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" goto _End

    REM --- Check for an existing installation of Sophos AutoUpdate on 64-bit (the 'Sophos AutoUpdate Service' process)
    IF EXIST "C:\Program Files (x86)\Sophos\AutoUpdate\ALSVC.exe" goto _End

    REM --- Check for an existing installation of Sophos Anti-Virus on 2003/XP (the SAV adapter config file)
    IF EXIST "C:\Documents and Settings\All Users\Application Data\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig" goto _End

    REM --- Check for an existing installation of Sophos Anti-Virus on Vista+ (the SAV adapter config file)
    IF EXIST "C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig" goto _End

    REM --- Deploy to Windows 2000/XP/2003/Vista/Windows7/2008/2008-R2
    \\netlogon\SophosUpdate\CIDs\S000\SAVSCFXP\Setup.exe -updp "\\netlogon\SophosUpdate\CIDs\S000\SAVSCFXP" setup.exe -ouser "" -opwd "" -mng yes -hmpa

    REM --- End of the script
    :_End