
Brand New Install, issues with updating

So I have had a quick browse through other forum posts and I notice several have similar issues but I couldn't find an exact copy of my issues.

First to clarify, this is a fresh installation of Sophos Enterprise Control, and currently installing the Endpoint client to a few test systems.  The Update manager within the console appears to be updating correctly.  If I check the details I see no error codes, and it gives me a time and date of the last successful download (in my case 10 minutes ago).

I can confirm that I am able to access the SophosUpdate share from all workstations.  I can install the client fine by right clicking on computers within the console, but a short while later if I look at the Endpoint client on the workstation I see the error

"Updating: Failed"

If I click update now and watch the status, if it's a fresh install it will download several packages, or if already downloading it will say "no files needed updating" (all suggesting it is checking the network share correctly).  There are 7 packages in total it tries to update all from the same source yet 3 or 4 of them fail.  You can see below the update log, it connects fine to the share for some of the packages, but then fails for others even though it's the exact same share location.

 

Time: 06/12/2016 16:43:33
Message: AutoUpdate finished
Module: ALUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:32
Message: Installation of Sophos System Protection skipped
Module: ALUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:31
Message: Installation of Sophos AutoUpdate skipped
Module: ALUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:31
Message: Installation of Sophos Network Threat Protection skipped
Module: ALUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:31
Message: Installation of SAVXP skipped
Module: ALUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:31
Message: Installation of RMSNT skipped
Module: ALUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:31
Message: Downloading phase completed
Module: ALUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:31
Message: Product cache update from primary server successfully finished
Module: CIDUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:31
Message: Downloading product Sophos System Protection from server \\SERVERNANME\SophosUpdate\CIDs\S000\SAVSCFXP\
Module: CIDUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:30
Message: Product cache update from primary server successfully finished
Module: CIDUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:30
Message: Downloading product Sophos AutoUpdate from server \\SERVERNANME\SophosUpdate\CIDs\S000\SAVSCFXP\
Module: CIDUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:29
Message: Product cache update from primary server successfully finished
Module: CIDUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:29
Message: Downloading product Sophos Network Threat Protection from server \\SERVERNANME\SophosUpdate\CIDs\S000\SAVSCFXP\
Module: CIDUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:28
Message: Could not connect to the server. Check that this computer is connected to the network and that Sophos AutoUpdate is configured to update from the correct location with the correct credentials and proxy details (if required)
Module: CIDUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:28
Message: Downloading product Sophos HitmanPro Alert from server \\SERVERNANME\SophosUpdate\CIDs\S000\SAVSCFXP\
Module: CIDUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:27
Message: Could not connect to the server. Check that this computer is connected to the network and that Sophos AutoUpdate is configured to update from the correct location with the correct credentials and proxy details (if required)
Module: CIDUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:27
Message: Downloading product Sophos Endpoint Agent from server \\SERVERNANME\SophosUpdate\CIDs\S000\SAVSCFXP\
Module: CIDUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:26
Message: Product cache update from primary server successfully finished
Module: CIDUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:26
Message: Downloading product SAVXP from server \\SERVERNANME\SophosUpdate\CIDs\S000\SAVSCFXP\
Module: CIDUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:25
Message: Product cache update from primary server successfully finished
Module: CIDUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:25
Message: Downloading product RMSNT from server \\SERVERNANME\SophosUpdate\CIDs\S000\SAVSCFXP\
Module: CIDUpdate
Process ID: 4824
Thread ID: 13092

Time: 06/12/2016 16:43:25
Message: *************** Sophos AutoUpdate started ***************
Module: ALUpdate
Process ID: 4824
Thread ID: 13092

 

 

If I look on the console, sometimes (not always weirdly) there is a log "Download of sophos HitmanPro Alert failed from server \\SERVERNANME\SophosUpdate\CIDs\S000\SAVSCFXP\ [0x0000006b]"

 

You can see in the client log this file fails, but so do others as well but none of those are ever logged on the console?
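Added example, not part of the original post and not Sophos code: a small parser for the AutoUpdate log layout shown above that pairs each "Downloading product" entry with the result entry logged after it, so the failing products can be listed per update run. The sample log is constructed from the format in the post, the function names are hypothetical, and it assumes the log is newest-first and that each result line belongs to the download line immediately before it in time.

```python
import re

# Constructed sample in the AutoUpdate log layout from the post (newest first).
SHARE = r"\\SERVERNANME\SophosUpdate\CIDs\S000\SAVSCFXP" + "\\"
OK = "Product cache update from primary server successfully finished"
FAIL = "Could not connect to the server. Check that this computer is connected to the network"
EVENTS = [  # (time, message, module)
    ("16:43:28", FAIL, "CIDUpdate"),
    ("16:43:28", f"Downloading product Sophos HitmanPro Alert from server {SHARE}", "CIDUpdate"),
    ("16:43:27", FAIL, "CIDUpdate"),
    ("16:43:27", f"Downloading product Sophos Endpoint Agent from server {SHARE}", "CIDUpdate"),
    ("16:43:26", OK, "CIDUpdate"),
    ("16:43:26", f"Downloading product SAVXP from server {SHARE}", "CIDUpdate"),
    ("16:43:25", "*************** Sophos AutoUpdate started ***************", "ALUpdate"),
]
SAMPLE_LOG = "\n\n".join(
    f"Time: 06/12/2016 {t}\nMessage: {m}\nModule: {mod}\nProcess ID: 4824\nThread ID: 13092"
    for t, m, mod in EVENTS
)

DOWNLOAD_RE = re.compile(r"^Downloading product (?P<product>.+) from server (?P<server>\S+)$")

def parse_records(text):
    """Split the log into one dict per blank-line-separated record."""
    blocks = re.split(r"\n\s*\n", text.strip())
    records = [dict(l.split(": ", 1) for l in b.splitlines() if ": " in l) for b in blocks]
    return [r for r in records if "Message" in r]

def download_outcomes(text):
    """Map each product to 'ok', 'failed' or 'unknown' for one update run."""
    outcomes, pending = {}, None
    for rec in reversed(parse_records(text)):      # log is newest-first
        if rec.get("Module") != "CIDUpdate":
            continue
        m = DOWNLOAD_RE.match(rec["Message"])
        if m:
            pending = m["product"]
            outcomes[pending] = "unknown"           # until a result line follows
        elif pending:
            if rec["Message"].startswith("Product cache update") and "successfully" in rec["Message"]:
                outcomes[pending] = "ok"
            elif rec["Message"].startswith("Could not connect to the server"):
                outcomes[pending] = "failed"
            pending = None
    return outcomes

if __name__ == "__main__":
    for product, status in download_outcomes(SAMPLE_LOG).items():
        print(f"{status:8} {product}")
```
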



  • Hello Jeremy Brook,

    as far as I can see the errors are for Hitman Pro and Endpoint Agent (not sure right now what the latter is), the former now called Intercept-X if I'm correct and AFAIK not yet available for the on-premise SEC. Is this a trial license?

    As far as the regular components are concerned everything looks fine - no download errors, and Installation skipped indicates that last time there were some changes the installation was successful.

    Christian

  • This is a purchased subscription for "Endpoint Protection - Advanced 2"

    When I log in it shows me downloads specific to my subscription.  The console version was 5.4.1 and the file was sec_541_sfx.exe 708Mb

    To deploy the endpoints I am simply right clicking on a computer from within the console and choose "protect computer" this then rolls out the install.  I also have the option of running setup from the shared directory.

    If these Applications such as Hitman Pro and Endpoint agents no longer exist or are not part of the SEC then this all suggests there is a bug in this version of the console as it wants to install it but the necessary files are not part of the share.

    I have had a look through the shared directory and within there there are several subfolders for each package of sophos and there doesn't seem to be one for hitman pro (and others).

    My thoughts at the moment are that there is some sort of conflict between the older cloud based sophos and the sophos managed via SEC.  All the test machines had the cloud version installed, but this was removed prior to installing the SEC version.  You mention Hitman Pro agents are not part of SEC but could it have been part of the cloud version and this is causing an issue with the autoupdater?

  • Hello Jeremy,

    AFAIK Hitman Pro is rebranded to Intercept X - currently in Beta for the Central version, Beta for on-premise SEC next year. So it's not discontinued but rather coming soon (as additional product but managed by SEC).
    Did you ever use it on your Central managed endpoints (though I think there shouldn't be any leftovers causing AutoUpdate to try to download it)? And as said it's not yet available for SEC. Guess you'd see it as extra product (in addition to the different platform products) under subscriptions. Is there an associated policy section?

    Christian

  • Just to let you know I only just installed the cloud version using sophos central maybe 2 weeks ago, I then decided to move to SEC because I found my license wasn't transferable and SEC is much better for client deploying and reporting than the central online based system.

     

    So I have just done a full uninstall of all the sophos related items within add/remove program from one of the clients.  I then went to manually delete all the sophos folders within program files (including x86) and programdata.  Two of the folders failed to delete which I found was because two sophos services were still running.  I also noticed a folder called HitmanPro.Agent within the programdata folder.  I can confirm that this folder is definitely part of the Sophos Central install as I have just checked on a live machine that hasn't had the SEC install deployed but did have sophos central.  So yes my original suspicion is correct in that Sophos SEC and Sophos Central conflict even though sophos SEC claims to have uninstalled Central version.

    Now when I install sophos using SEC it no longer fails to download Hitman Pro but still fails on this "Sophos Endpoint Agent" again I reckon this is related to Sophos central and not SEC.  What I am going to try now is to remove Sophos SEC, reinstall Sophos central and then uninstall this myself (before I have used the Sophos SEC third-party uninstall tool) then reinstall sophos SEC and see what I get.

  • Getting there, I haven't done the reinstalls yet but I noticed in programs and features "Sophos Endpoint Agent" was listed with an install date of November and a generic exe icon (not the usual sophos icon).  When I tried to uninstall it told me it no longer exists and it removed the item from the list.  This item wasn't there when I uninstalled as above so more fuel regarding sophos SEC's inability to uninstall sophos central prior to install.

  • Hello Jeremy,

    thanks for the update. The on-premise (SEC) installer's setup.exe should refuse to install if it finds a Central managed component, it might not yet be aware of the recent changes. While there's a Cloud Migration Tool in the other direction, AFAIK, you have to completely uninstall (and reboot) to avoid any issues (and depending on what was and what was not uninstalled the bootstrapper might fail to make the correct decision).

    Christian

  • True that installing sophos should fail if central was installed and this is kinda true.  One of the features of SEC is called "Third-Party Security Software Detection" if this is selected it will (or should) uninstall other AV applications.  In my case provided tamper protection was switched off it does indeed remove sophos central just not entirely as is proven by conflicts with the program updates.

     

    Anyways this is going from worse to worse, having so much trouble removing sophos (SEC) as there are many items missing from Programs and features so I can't cleanly uninstall.  There are still about 5 sophos services still running, even though according to windows sophos isn't installed.  I am going to have to manually work on cleaning up the install.  Why I hate AV programs over the years just so much bloatware!

  • Hello Jeremy,

    "Third-Party Security Software Detection"
    arguably Central isn't exactly third-party. ;)
    Joking aside - uninstall should be clean, there are a very few remnants left behind to assist in an uninstall-reinstall scenario. Services normally go away (and should do so even with enhanced Tamper Protection) at least after a reboot.

    If the uninstall is not clean on the Central protected machines you should contact Support directly providing them the SDU logs.

    Christian

  • So  I have finally got it installed and updating

    1.  Sophos SEC install does NOT correctly uninstall sophos central and leaves behind two packages and further breaks sophos SAVXP installation (XP is nothing to do with windows XP btw).  It appears the only way to resolve it is to visit every machine and manually uninstall.

    2. I have gone through the entire registry and deleted every reference I could find to the word 'sophos'

    3. Using msizap from the ms sdk I have removed any of the sophos installers from windows install cache

    4. Deleted all sophos folders in program files, program files (x86) and programdata

    5. To get SAVXP installing correctly I had to remove the MSI version checking from the installation using compatibility mode, this allowed the program to install.

    6.  I then ran the normal setup as if performing a manual install.  This now ran through and installed 5 packages, compared to 7 (2 of which were obviously from sophos central)

    7. Even though policies were correct, and live on the client, in SEC it was showing "Awaiting Policy from console".  To correct this I had to click "Comply with" and in my case I added all policies.  Now the PC is showing up to date with no error and alerts.

     

    I am not going to try and fix the two other work stations following my own guide.  From this exercise I have learnt that the third-party removal tool is flawed and should be avoided and use the software's own uninstallation procedures.

     

  • Hello Jeremy,

    the third-party removal tool is flawed
    I was only half-joking when I doubted Sophos Central's third-partyness. Are you sure it was the CRT which did the uninstall?
    I think that the on-premise version simply doesn't recognize the Central components. When Central (then Cloud) became available a Cloud-to-On-premise scenario was "unthinkable". A (scripted) uninstall of the Central versions before installing on-premise is the easiest way to do it.

    Christian