This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Endpoint installation error

I am receiving the following error when installing Sophos

Failed to install Sophos Endpoint Firewall Management (64-bit): 80004005.

Any help please?

Thanks



This thread was automatically locked due to age.
Parents
  • Hello Billy Kendall,

    is this a Central installation? Anyway, this is a rather general error code, the Installer logs (mostly MSI logs) are in %windir%\Temp\, there should be a corresponding one.

    Christian

  • if by Central installation you mean via a multi-tenant MSP deployment of Sophos, then yes.

    I will jump back on the client's PC tomorrow and grab whatever pertinent logs I see in %windir%\Temp\

     

    Thanks for the response!

    BK

     

  • With the new installer "SophosSetup.exe", rather than "SophosInstall.exe", they could be here:

    %temp%\Sophos Endpoint Firewall 1.0.0.564 setup log 20180120 065924.txt

    %temp%\Sophos Endpoint Firewall 1.0.0.564 install log 20180120 065924.txt

    Where temp is the temp of the installing user. 

    The "setup" log is basically the "wrapping" code around the MSI install log.

    Regards,
    Jak

  • ok so here are the requested log files

    thanks for the continued assistance 

    Sophos Endpoint Firewall 1.0.0.564 install log 20180126 104700.txt

    26-01-2018 10:47:00 In CPlugin::Install().
    26-01-2018 10:47:00 Successfully requested Sophos Endpoint Defense disable tamper protection of EFW.
    26-01-2018 10:47:00 In MsiLib::GetPackageProductInfo().
    26-01-2018 10:47:00 In MsiLib::GetPackageProperty().
    26-01-2018 10:47:00 Leaving MsiLib::GetPackageProperty() with ERROR_SUCCESS.
    26-01-2018 10:47:00 In MsiLib::GetPackageProperty().
    26-01-2018 10:47:00 Leaving MsiLib::GetPackageProperty() with ERROR_SUCCESS.
    26-01-2018 10:47:00 In MsiLib::GetPackageProperty().
    26-01-2018 10:47:00 Leaving MsiLib::GetPackageProperty() with ERROR_SUCCESS.
    26-01-2018 10:47:00 Leaving MsiLib::GetPackageProductInfo().
    26-01-2018 10:47:00 In MsiLib::IsProductInstalled().
    26-01-2018 10:47:00 Leaving MsiLib::IsProductInstalled() with false.
    26-01-2018 10:47:00 Installation type: Fresh install
    26-01-2018 10:47:00 Installing version: 1.0.0.564
    26-01-2018 10:47:00 Installation of Sophos Endpoint Firewall version: 1.0.0.564 failed with return code : 1603.
    26-01-2018 10:47:00 REBOOTCODE: 0
    26-01-2018 10:47:00 Successfully registered for tamper protection with Sophos Endpoint Defense.
    


    ---

    Billy Kendall

Reply
  • ok so here are the requested log files

    thanks for the continued assistance 

    Sophos Endpoint Firewall 1.0.0.564 install log 20180126 104700.txt

    26-01-2018 10:47:00 In CPlugin::Install().
    26-01-2018 10:47:00 Successfully requested Sophos Endpoint Defense disable tamper protection of EFW.
    26-01-2018 10:47:00 In MsiLib::GetPackageProductInfo().
    26-01-2018 10:47:00 In MsiLib::GetPackageProperty().
    26-01-2018 10:47:00 Leaving MsiLib::GetPackageProperty() with ERROR_SUCCESS.
    26-01-2018 10:47:00 In MsiLib::GetPackageProperty().
    26-01-2018 10:47:00 Leaving MsiLib::GetPackageProperty() with ERROR_SUCCESS.
    26-01-2018 10:47:00 In MsiLib::GetPackageProperty().
    26-01-2018 10:47:00 Leaving MsiLib::GetPackageProperty() with ERROR_SUCCESS.
    26-01-2018 10:47:00 Leaving MsiLib::GetPackageProductInfo().
    26-01-2018 10:47:00 In MsiLib::IsProductInstalled().
    26-01-2018 10:47:00 Leaving MsiLib::IsProductInstalled() with false.
    26-01-2018 10:47:00 Installation type: Fresh install
    26-01-2018 10:47:00 Installing version: 1.0.0.564
    26-01-2018 10:47:00 Installation of Sophos Endpoint Firewall version: 1.0.0.564 failed with return code : 1603.
    26-01-2018 10:47:00 REBOOTCODE: 0
    26-01-2018 10:47:00 Successfully registered for tamper protection with Sophos Endpoint Defense.
    


    ---

    Billy Kendall

Children
  • This is the issue:

    MSI (s) (58:88) [10:47:00:675]: Executing op: CustomActionSchedule(Action=EnableFirewallAuditing,ActionType=1025,Source=BinaryData,Target=EnableFirewallAuditing,)
    MSI (s) (58:88) [10:47:00:675]: Creating MSIHANDLE (168) of type 790536 for thread 5256
    MSI (s) (58:D8) [10:47:00:675]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI4176.tmp, Entrypoint: EnableFirewallAuditing
    MSI (s) (58!DC) [10:47:00:675]: Creating MSIHANDLE (169) of type 790531 for thread 5340
    MSI (s) (58!DC) [10:47:00:675]: Closing MSIHANDLE (169) of type 790531 for thread 5340
    MSI (s) (58!DC) [10:47:00:675]: Creating MSIHANDLE (170) of type 790531 for thread 5340
    EnableFirewallAuditing: Initialized.
    MSI (s) (58!DC) [10:47:00:675]: Closing MSIHANDLE (170) of type 790531 for thread 5340
    EnableFirewallAuditing: Error 0x80004005: Could not set firewall auditing information
    MSI (s) (58:D8) [10:47:00:675]: Closing MSIHANDLE (168) of type 790536 for thread 5256
    CustomAction EnableFirewallAuditing returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    MSI (s) (58:88) [10:47:00:690]: User policy value 'DisableRollback' is 0
    MSI (s) (58:88) [10:47:00:690]: Machine policy value 'DisableRollback' is 0
    Action ended 10:47:00: InstallFinalize. Return value 3.

    The problem is, I'm not sure what the custom action EnableFirewallAuditing is doing to get this error: "Error 0x80004005: Could not set firewall auditing information".

    You could try running Process Monitor during the install to see if that gives any clues, otherwise you may have to ask Support what this action is attempting to do.

    Regards,
    Jak

  • I have yet to hear back from anyone in Sophos support on this issue and I have a customer waiting for some resolution on this matter? Is there a better place, like possibly a Sophos Central support board, that I need to posting to so that I can get some support from Sophos on this issue please?

     

    Thanks

    Billy Kendall

  • There is a Central specific board but this is something Support will need to provide information on I don't think being in the Cental section will help much here.

    I would try raising another ticket.

    Out of interest, I assume this firewall package is failing to install as the logged on user with the new SophosSetup.exe installer. The logs are going to %temp%, i.e. the users temp location?

    In which case, as the same user, does the following command work:

    auditpol /get /category:*

    Debugging this issue a little more: With Windows Installer, you can set a "System" environment variable called MsiBreak and give the value the name of the Custom Action, in this case EnableFirewallAuditing.  This is the way you might debug the code in an installer as it causes Windows Installer to pop up a dialog when the CA starts to give you time to attach the debugger to the process, typically msiexec.exe. 

    In this case, stepping though in Windbg I suspect the Windows APIs being called are:

    AuditQuerySystemPolicy - https://msdn.microsoft.com/en-us/library/windows/desktop/aa375702(v=vs.85).aspx 

    AuditSetSystemPolicy - https://msdn.microsoft.com/en-us/library/windows/desktop/aa375712(v=vs.85).aspx

    Maybe the user doesn't have the SeSecurityPrivilege priv?

    You could try installing the package using a command prompt running as SYSTEM (psexec -s -i cmd) https://docs.microsoft.com/en-us/sysinternals/downloads/psexec :

    msiexec /i "Sophos Endpoint Firewall.msi" /L*v %temp%\log.txt

    Process Explorer can give you the privileges of a process.

    Hope it helps.

    Regards,

    Jak