Sophos client update failed - Getting error code 00000067

Hi Team, Getting below error

Getting error code 00000067 and shows updating failed on client end

Install from:[C:\ProgramData\Sophos\AutoUpdate\cache\rms]
Install to  :[(null)]
RMS: Current product is not installed.
TP: Successfully requested Sophos Endpoint Defense disable tamper protection of RMS.
MsiPackagePath: [C:\ProgramData\Sophos\AutoUpdate\cache\rms\Sophos Remote Management System.msi].
Result of loading C:\Program Files (x86)\Sophos\AutoUpdate\SAUConfigDLL.dll is: [61640000]
Installation canceled - RMS will be managed only by the SUM installer.
CopyPrerequisite(from=C:\ProgramData\Sophos\AutoUpdate\cache\rms\,                 to  =C:\Program Files (x86)\Sophos\Remote Management System,                 file=mrinit.conf)
Missing source file `C:\ProgramData\Sophos\AutoUpdate\cache\rms\mrinit.conf`
, nothing to do.
Applying MrInit.conf settings: [ClientMRInit.exe] [-logPath "C:\Windows\Temp" -filePath "C:\Program Files (x86)\Sophos\Remote Management System" -update]
RMS: Failed to execute C:\Program Files (x86)\Sophos\Remote Management System\ClientMRInit.exe
TP: Successfully registered for tamper protection with Sophos Endpoint Defense.

Parents
  • Hello Sateesh simpi,

    Installation canceled - RMS will be managed only by the SUM installer. suggests this is not your average endpoint (or client) but a SUM.

    0x00000067 is a generic error code, I assume the accompanying message mentioned RMS and that's why you've posted the RMS Install log. The problem is that mrinit.conf is neither in the AutoUpdate cache nor in the RMS program directory.
    Do you see the 0x00000067 in the Console? Then RMS has likely worked at some time and the question is what happened since then. Otherwise please give some more details.

    Christian

  • Thanks for your inputs,

    Yes the error message can see in the console with 0x00000067 , Its shows falling to update. AV re-installed but still shows same error. 

  • Hello Sateesh simpi,

    does the endpoint appear connected in SEC and do you get these message constantly (if you View Computer Details)?  It looks like RMS doesn't appear to be installed but is nevertheless running.
    Thus is a normal endpoint with just the Endpoint software installed, isn't it? It did update for some time and suddenly reports the error? Is RMS listed under Programs and Features?

    Christian  .

  • Yes endpoint appear in the SEC, but it show as error in the alerts and errors tab, this error is is there constantly. if we check on view computer details , its shows in the descriptions as -failed to install SAVXP unexpected system error. 

    Its there in feature and program, but service is not running, when try to start gives error 1053. 

    Please advise any solutions. tried to reinstall but its same issue still.

  • Hello  Sateesh simpi,

    failed to install SAVXP
    so SAVXP is (also) failing to install? Please check with the local GUI (or the ALUpdate log) which components (SAVXP, RMS, ...) fail to install. The respective Install (or in case of SAVXP potentially the Uninstall) logs should have the error details.
    The reason for the 1053 might be in the Windows Application Event log, it's likely related to the failed install.

    Did you already reboot the endpoint (in some cases it is necessary when you tried to reinstall)?

    Christian

  • I can see below logs on client GUI, endpoint rebooted as well to see it can fix, but not fixing the issue after reboot also

    Time: 6/11/2021 13:31:21
    Message: AutoUpdate finished
    Module: ALUpdate
    Process ID: 9288
    Thread ID: 10188

    Time: 6/11/2021 13:31:20
    Message: Installation of Sophos AutoUpdate skipped
    Module: ALUpdate
    Process ID: 9288
    Thread ID: 10188

    Time: 6/11/2021 13:31:20
    Message: Installation of Sophos Network Threat Protection skipped
    Module: ALUpdate
    Process ID: 9288
    Thread ID: 10188

    Time: 6/11/2021 13:31:20
    Message: Installation of product SAVXP failed because of an unexpected error
    Module: ALUpdate
    Process ID: 9288
    Thread ID: 10432

    Time: 6/11/2021 13:30:48
    Message: Installing Product SAVXP
    Module: ALUpdate
    Process ID: 9288
    Thread ID: 10432

    Time: 6/11/2021 13:30:48
    Message: Installation of RMSNT skipped
    Module: ALUpdate
    Process ID: 9288
    Thread ID: 10188

    Time: 6/11/2021 13:30:48
    Message: Installation of Sophos Endpoint Defense skipped
    Module: ALUpdate
    Process ID: 9288
    Thread ID: 10188

    Time: 6/11/2021 13:30:48
    Message: Installation of Sophos System Protection skipped
    Module: ALUpdate
    Process ID: 9288
    Thread ID: 10188

    Time: 6/11/2021 13:30:48
    Message: Downloading phase completed
    Module: ALUpdate
    Process ID: 9288
    Thread ID: 10188

  • Hello  Sateesh simpi,

    thanks, shows that it's "just" SAVXP so its logs should have the details. Check the Sophos Anti-Virus (Major) Install first (please see the How to troubleshoot article). If it mentions a failed uninstall you'd (naturally) have to check the Uninstall log.

    Christian

  • Yeah can see below major install logs,

    2021-06-11 16:50:45 Detected version of SAV with product code: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
    2021-06-11 16:50:45 Info: Detected version of SAV has major version number: 10
    2021-06-11 16:50:45 Info: Using Sophos updating modes (MSI: N, VDL: 2, IDE: 2)
    2021-06-11 16:50:45 GetProperty() - Unable to get product-type
    2021-06-11 16:50:45 Info: productType: 0
    2021-06-11 16:50:45 PROCESSOR_ARCHITECTURE environment variable is: AMD64
    2021-06-11 16:50:45 Info: Logging started: installing/upgrading Sophos Anti-Virus
    2021-06-11 16:50:45 Info: InstallFromPath is: C:\ProgramData\Sophos\AutoUpdate\cache\savxp\
    2021-06-11 16:50:45 Info: InstallToPath is:
    2021-06-11 16:50:45 Detected version of SAV with product code: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
    2021-06-11 16:50:45 Info: Detected version of SAV has major version number: 10
    2021-06-11 16:50:45 Info: Detected version of SAV has minor version number: 8
    2021-06-11 16:50:45 Info: SetupPlugin: Unable to open Application registry key to get Install Path.
    2021-06-11 16:50:45 Info: registryInstallTo [overriding InstallToPath] is:
    2021-06-11 16:50:45 Checking for problem versions of SAVI - Install path:
    2021-06-11 16:50:45 Veex.dll version ''
    2021-06-11 16:50:45 INFO: Checking the validity of the VDL manifest file.
    2021-06-11 16:50:46 INFO: The manifest file has been successfully validated.
    2021-06-11 16:50:46 INFO: Checking the validity of the AppFeed manifest file.
    2021-06-11 16:50:46 INFO: The manifest file has been successfully validated.
    2021-06-11 16:50:46 Info: Install source location passed to ReadCatalog() is empty. Reverting to a full update.
    2021-06-11 16:50:46 Info: Feature change, From: 'AV,CRT,HIPS,PUA,URLSCRTY' To: 'AV,CRT,DLP,DVCCNTRL,HIPS,PUA,URLSCRTY,WEBCNTRL'
    2021-06-11 16:50:46 Info: Managed install (from SAU)
    2021-06-11 16:50:46 Info: MSXML6 is installed
    2021-06-11 16:50:46 Check for UI changes
    2021-06-11 16:50:46 Unable to open SAV application key
    2021-06-11 16:50:46 Unable to open SAV application key
    2021-06-11 16:50:46 Checking the integrity of the extant SAV installation (noUI is 0)
    2021-06-11 16:50:46 The file \WSCClient.exe does not exist(2d)
    2021-06-11 16:50:46 The file \SavService.exe does not exist(2d)
    2021-06-11 16:50:46 The file \SavAdminService.exe does not exist(2d)
    2021-06-11 16:50:46 The file \BackgroundScanClient.exe does not exist(2d)
    2021-06-11 16:50:46 The file \ComponentManager.dll does not exist(2d)
    2021-06-11 16:50:46 The file \ICAdapter.dll does not exist(2d)
    2021-06-11 16:50:46 The file \ICManagement.dll does not exist(2d)
    2021-06-11 16:50:46 The file \ICProcessors.dll does not exist(2d)
    2021-06-11 16:50:46 The file \ThreatDetection.dll does not exist(2d)
    2021-06-11 16:50:46 The file \VirusDetection.dll does not exist(2d)
    2021-06-11 16:50:46 The file \SavControl.dll does not exist(2d)
    2021-06-11 16:50:46 The file \SavMain.exe does not exist(2d)
    2021-06-11 16:50:46 The file \SavProgress.exe does not exist(2d)
    2021-06-11 16:50:46 The file \DesktopMessaging.dll does not exist(2d)
    2021-06-11 16:50:46 The file \SavShellExt.dll does not exist(2d)
    2021-06-11 16:50:46 There is an incomplete SAV installation, forcing a Major Update to recover
    2021-06-11 16:50:46 One or more callout driver files are missing - forcing re-install of SAV
    2021-06-11 16:50:46 Info: Performing major update of Sophos Anti-Virus using msi.
    2021-06-11 16:50:46 Info: Update is signalled.
    2021-06-11 16:50:46 Detected version of SAV with product code: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
    2021-06-11 16:50:46 In KB2918614Workaround().
    2021-06-11 16:50:46 Leaving KB2918614Workaround().
    2021-06-11 16:50:46 Detected version of SAV with product code: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
    2021-06-11 16:50:46 Product code of SAV currently installed: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
    2021-06-11 16:50:46 Product code of SAV to be installed: {84748F71-7BF1-4F73-9340-D0785F4B0197}
    2021-06-11 16:50:46 ERROR: GetVersion - Unable to load the new Factory file, path = C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Factory.xml
    2021-06-11 16:50:46 ProductCode change detected
    2021-06-11 16:50:46 Info: Added SAVService to ServicesList.
    2021-06-11 16:50:46 Info: Added SAVAdminService to ServicesList.
    2021-06-11 16:50:46 Info: Added Sophos Device Control Service to ServicesList.
    2021-06-11 16:50:46 Info: Added SophosBootDriver to ServicesList.
    2021-06-11 16:50:46 Info: Added swi_service to ServicesList.
    2021-06-11 16:50:46 Info: Added swi_filter to ServicesList.
    2021-06-11 16:50:46 Info: Added swi_callout to ServicesList.
    2021-06-11 16:50:46 Info: Added swi_update to ServicesList.
    2021-06-11 16:50:46 Info: Added swi_update_64 to ServicesList.
    2021-06-11 16:50:46 Info: Added Sophos Web Control Service to ServicesList.
    2021-06-11 16:50:46 Info: Added SAVOnAccess to ServicesList.
    2021-06-11 16:50:46 Info: Added SAV to ComponentList.
    2021-06-11 16:50:46 Info: component SDC is not registered - skipping.
    2021-06-11 16:50:46 Info: component SCS is not registered - skipping.
    2021-06-11 16:50:46 Info: Added SWI to ComponentList.
    2021-06-11 16:50:46 Info: Added SWC to ComponentList.
    2021-06-11 16:50:46 Info: Detected an older version of SAV, version 10.8. Doing a major update.
    2021-06-11 16:50:46 Info: Set Update Begin
    2021-06-11 16:51:16 Unable to create an instance of ComponentManager - SystemInformation will not be informed of the update (0x80080005)
    2021-06-11 16:51:16 Info: Added SAVService to ServicesList.
    2021-06-11 16:51:16 Info: Added SAVAdminService to ServicesList.
    2021-06-11 16:51:16 Info: Sophos Device Control Service was found to not be installed - skipping.
    2021-06-11 16:51:16 Info: SophosBootDriver was found to not be installed - skipping.
    2021-06-11 16:51:16 Info: swi_service was found to not be installed - skipping.
    2021-06-11 16:51:16 Info: swi_filter was found to not be installed - skipping.
    2021-06-11 16:51:16 Info: swi_callout was found to not be installed - skipping.
    2021-06-11 16:51:16 Info: swi_update was found to not be installed - skipping.
    2021-06-11 16:51:16 Info: swi_update_64 was found to not be installed - skipping.
    2021-06-11 16:51:16 Info: Added Sophos Web Control Service to ServicesList.
    2021-06-11 16:51:16 Info: All services reported they accept stop controls.
    2021-06-11 16:51:16 Info: Stop SAVService
    2021-06-11 16:51:16 ForceStopService: Stopping SAVService
    2021-06-11 16:51:16 ForceStopService: Checking if service is still running
    2021-06-11 16:51:16 WaitForSAVService: Walking system processes...
    2021-06-11 16:51:16 WaitForSAVService: Finished walking system processes.
    2021-06-11 16:51:16 Info: Stop SAVAdminService
    2021-06-11 16:51:16 ForceStopService: Stopping SAVAdminService
    2021-06-11 16:51:16 ForceStopService: Checking if service is still running
    2021-06-11 16:51:16 Unregistering from SecurityCenter
    2021-06-11 16:51:16 CWCSAPIProvider: Windows security center service is not installed

    2021-06-11 16:51:16 CWCSAPIProvider: Windows security center service is not installed

    2021-06-11 16:51:16 Info: unloading SAVOnAccess driver
    2021-06-11 16:51:16 UnloadFilterDriver: Driver not loaded, count = 1
    2021-06-11 16:51:16 Info: Convert boot tasks
    2021-06-11 16:51:16 Info: CopyFilesToTemp
    2021-06-11 16:51:16 ERROR: StoreTempFiles - failed to copy machine file - not present, hr = 0x0
    2021-06-11 16:51:16 Warning: configuration will not be preserved
    2021-06-11 16:51:16 Info: Backup threat lifetime data
    2021-06-11 16:51:16 WARNING: could not backup the threat lifetime data. Could not copy key: The system cannot find the file specified.

    2021-06-11 16:51:16 Info: Create backup copy of WSCClient
    2021-06-11 16:51:16 Info: SetupPlugin: Unable to open Application registry key to get Install Path.
    2021-06-11 16:51:16 ERROR: Failed to get current install location to register with tamper protection. Error 0x80070002
    2021-06-11 16:51:16 ERROR: Failed to update the major update counters (The result of the last run has not been set)

  • Hello Sateesh simpi,

    this isn't all of the log, is it? Or does it really end at this point?

    Christian

Reply Children
  • Yeah its updates logs, see all logs below, please advise

    2021-06-14 16:11:25 Detected version of SAV with product code: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
    2021-06-14 16:11:25 Info: Detected version of SAV has major version number: 10
    2021-06-14 16:11:25 Info: Using Sophos updating modes (MSI: N, VDL: 2, IDE: 2)
    2021-06-14 16:11:25 GetProperty() - Unable to get product-type
    2021-06-14 16:11:25 Info: productType: 0
    2021-06-14 16:11:25 PROCESSOR_ARCHITECTURE environment variable is: AMD64
    2021-06-14 16:11:25 Info: Logging started: installing/upgrading Sophos Anti-Virus
    2021-06-14 16:11:25 Info: InstallFromPath is: C:\ProgramData\Sophos\AutoUpdate\cache\savxp\
    2021-06-14 16:11:25 Info: InstallToPath is:
    2021-06-14 16:11:25 Detected version of SAV with product code: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
    2021-06-14 16:11:25 Info: Detected version of SAV has major version number: 10
    2021-06-14 16:11:25 Info: Detected version of SAV has minor version number: 8
    2021-06-14 16:11:25 Info: SetupPlugin: Unable to open Application registry key to get Install Path.
    2021-06-14 16:11:25 Info: registryInstallTo [overriding InstallToPath] is:
    2021-06-14 16:11:25 Checking for problem versions of SAVI - Install path:
    2021-06-14 16:11:25 Veex.dll version ''
    2021-06-14 16:11:25 INFO: Checking the validity of the VDL manifest file.
    2021-06-14 16:11:26 INFO: The manifest file has been successfully validated.
    2021-06-14 16:11:26 INFO: Checking the validity of the AppFeed manifest file.
    2021-06-14 16:11:26 INFO: The manifest file has been successfully validated.
    2021-06-14 16:11:26 Info: Install source location passed to ReadCatalog() is empty. Reverting to a full update.
    2021-06-14 16:11:26 Info: Feature change, From: 'AV,CRT,HIPS,PUA,URLSCRTY' To: 'AV,CRT,DLP,DVCCNTRL,HIPS,PUA,URLSCRTY,WEBCNTRL'
    2021-06-14 16:11:26 Info: Managed install (from SAU)
    2021-06-14 16:11:26 Info: MSXML6 is installed
    2021-06-14 16:11:26 Check for UI changes
    2021-06-14 16:11:26 Unable to open SAV application key
    2021-06-14 16:11:26 Unable to open SAV application key
    2021-06-14 16:11:26 Checking the integrity of the extant SAV installation (noUI is 0)
    2021-06-14 16:11:26 The file \WSCClient.exe does not exist(2d)
    2021-06-14 16:11:26 The file \SavService.exe does not exist(2d)
    2021-06-14 16:11:26 The file \SavAdminService.exe does not exist(2d)
    2021-06-14 16:11:26 The file \BackgroundScanClient.exe does not exist(2d)
    2021-06-14 16:11:26 The file \ComponentManager.dll does not exist(2d)
    2021-06-14 16:11:26 The file \ICAdapter.dll does not exist(2d)
    2021-06-14 16:11:26 The file \ICManagement.dll does not exist(2d)
    2021-06-14 16:11:26 The file \ICProcessors.dll does not exist(2d)
    2021-06-14 16:11:26 The file \ThreatDetection.dll does not exist(2d)
    2021-06-14 16:11:26 The file \VirusDetection.dll does not exist(2d)
    2021-06-14 16:11:26 The file \SavControl.dll does not exist(2d)
    2021-06-14 16:11:26 The file \SavMain.exe does not exist(2d)
    2021-06-14 16:11:26 The file \SavProgress.exe does not exist(2d)
    2021-06-14 16:11:26 The file \DesktopMessaging.dll does not exist(2d)
    2021-06-14 16:11:26 The file \SavShellExt.dll does not exist(2d)
    2021-06-14 16:11:26 There is an incomplete SAV installation, forcing a Major Update to recover
    2021-06-14 16:11:26 One or more callout driver files are missing - forcing re-install of SAV
    2021-06-14 16:11:26 Info: Performing major update of Sophos Anti-Virus using msi.
    2021-06-14 16:11:26 Info: Update is signalled.
    2021-06-14 16:11:26 Detected version of SAV with product code: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
    2021-06-14 16:11:26 In KB2918614Workaround().
    2021-06-14 16:11:26 Leaving KB2918614Workaround().
    2021-06-14 16:11:26 Detected version of SAV with product code: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
    2021-06-14 16:11:26 Product code of SAV currently installed: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
    2021-06-14 16:11:26 Product code of SAV to be installed: {84748F71-7BF1-4F73-9340-D0785F4B0197}
    2021-06-14 16:11:26 ERROR: GetVersion - Unable to load the new Factory file, path = C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Factory.xml
    2021-06-14 16:11:26 ProductCode change detected
    2021-06-14 16:11:26 Info: Added SAVService to ServicesList.
    2021-06-14 16:11:26 Info: Added SAVAdminService to ServicesList.
    2021-06-14 16:11:26 Info: Added Sophos Device Control Service to ServicesList.
    2021-06-14 16:11:26 Info: Added SophosBootDriver to ServicesList.
    2021-06-14 16:11:26 Info: Added swi_service to ServicesList.
    2021-06-14 16:11:26 Info: Added swi_filter to ServicesList.
    2021-06-14 16:11:26 Info: Added swi_callout to ServicesList.
    2021-06-14 16:11:26 Info: Added swi_update to ServicesList.
    2021-06-14 16:11:26 Info: Added swi_update_64 to ServicesList.
    2021-06-14 16:11:26 Info: Added Sophos Web Control Service to ServicesList.
    2021-06-14 16:11:26 Info: Added SAVOnAccess to ServicesList.
    2021-06-14 16:11:26 Info: Added SAV to ComponentList.
    2021-06-14 16:11:26 Info: component SDC is not registered - skipping.
    2021-06-14 16:11:26 Info: component SCS is not registered - skipping.
    2021-06-14 16:11:26 Info: Added SWI to ComponentList.
    2021-06-14 16:11:26 Info: Added SWC to ComponentList.
    2021-06-14 16:11:26 Info: Detected an older version of SAV, version 10.8. Doing a major update.
    2021-06-14 16:11:26 Info: Set Update Begin
    2021-06-14 16:11:56 Unable to create an instance of ComponentManager - SystemInformation will not be informed of the update (0x80080005)
    2021-06-14 16:11:56 Info: Added SAVService to ServicesList.
    2021-06-14 16:11:56 Info: Added SAVAdminService to ServicesList.
    2021-06-14 16:11:56 Info: Sophos Device Control Service was found to not be installed - skipping.
    2021-06-14 16:11:56 Info: SophosBootDriver was found to not be installed - skipping.
    2021-06-14 16:11:56 Info: swi_service was found to not be installed - skipping.
    2021-06-14 16:11:56 Info: swi_filter was found to not be installed - skipping.
    2021-06-14 16:11:56 Info: swi_callout was found to not be installed - skipping.
    2021-06-14 16:11:56 Info: swi_update was found to not be installed - skipping.
    2021-06-14 16:11:56 Info: swi_update_64 was found to not be installed - skipping.
    2021-06-14 16:11:56 Info: Added Sophos Web Control Service to ServicesList.
    2021-06-14 16:11:56 Info: All services reported they accept stop controls.
    2021-06-14 16:11:56 Info: Stop SAVService
    2021-06-14 16:11:56 ForceStopService: Stopping SAVService
    2021-06-14 16:11:56 ForceStopService: Checking if service is still running
    2021-06-14 16:11:56 WaitForSAVService: Walking system processes...
    2021-06-14 16:11:56 WaitForSAVService: Finished walking system processes.
    2021-06-14 16:11:56 Info: Stop SAVAdminService
    2021-06-14 16:11:56 ForceStopService: Stopping SAVAdminService
    2021-06-14 16:11:56 ForceStopService: Checking if service is still running
    2021-06-14 16:11:56 Unregistering from SecurityCenter
    2021-06-14 16:11:56 CWCSAPIProvider: Windows security center service is not installed

    2021-06-14 16:11:56 CWCSAPIProvider: Windows security center service is not installed

    2021-06-14 16:11:56 Info: unloading SAVOnAccess driver
    2021-06-14 16:11:56 UnloadFilterDriver: Driver not loaded, count = 1
    2021-06-14 16:11:56 Info: Convert boot tasks
    2021-06-14 16:11:56 Info: CopyFilesToTemp
    2021-06-14 16:11:56 ERROR: StoreTempFiles - failed to copy machine file - not present, hr = 0x0
    2021-06-14 16:11:56 Warning: configuration will not be preserved
    2021-06-14 16:11:56 Info: Backup threat lifetime data
    2021-06-14 16:11:56 WARNING: could not backup the threat lifetime data. Could not copy key: The system cannot find the file specified.

    2021-06-14 16:11:56 Info: Create backup copy of WSCClient
    2021-06-14 16:11:56 Info: SetupPlugin: Unable to open Application registry key to get Install Path.
    2021-06-14 16:11:56 ERROR: Failed to get current install location to register with tamper protection. Error 0x80070002
    2021-06-14 16:11:56 ERROR: Failed to update the major update counters (The result of the last run has not been set)

  • Hello Sateesh simpi,

    the log always stops at this point? There's not really an indication in the log that the installation failed. Haven't seen this behaviour (or if I can't remember). The ALUpdate log would show whether the setup returns immediately at this point though probably there's no additional information.

    Strange thing is that the setup plugin claims that Windows security center service is not installed.  Is this indeed the case? Dunno what this signifies. setup is apparently prepared as it has an associated message.

    You said that SAVXP (Sophos Anti-Virus) appears in Programs and Features (likely version 10.8.9). Have you tried to uninstall it?

    Christian

  • When am trying to un-install getting  error 1721.