I am receiving the following error when installing Sophos
Failed to install Sophos Endpoint Firewall Management (64-bit): 80004005.
Any help please?
Thanks
This thread was automatically locked due to age.
I am receiving the following error when installing Sophos
Failed to install Sophos Endpoint Firewall Management (64-bit): 80004005.
Any help please?
Thanks
With the new installer "SophosSetup.exe", rather than "SophosInstall.exe", they could be here:
%temp%\Sophos Endpoint Firewall 1.0.0.564 setup log 20180120 065924.txt
%temp%\Sophos Endpoint Firewall 1.0.0.564 install log 20180120 065924.txt
Where temp is the temp of the installing user.
The "setup" log is basically the "wrapping" code around the MSI install log.
Regards,
Jak
ok so here are the requested log files
thanks for the continued assistance
Sophos Endpoint Firewall 1.0.0.564 install log 20180126 104700.txt
26-01-2018 10:47:00 In CPlugin::Install(). 26-01-2018 10:47:00 Successfully requested Sophos Endpoint Defense disable tamper protection of EFW. 26-01-2018 10:47:00 In MsiLib::GetPackageProductInfo(). 26-01-2018 10:47:00 In MsiLib::GetPackageProperty(). 26-01-2018 10:47:00 Leaving MsiLib::GetPackageProperty() with ERROR_SUCCESS. 26-01-2018 10:47:00 In MsiLib::GetPackageProperty(). 26-01-2018 10:47:00 Leaving MsiLib::GetPackageProperty() with ERROR_SUCCESS. 26-01-2018 10:47:00 In MsiLib::GetPackageProperty(). 26-01-2018 10:47:00 Leaving MsiLib::GetPackageProperty() with ERROR_SUCCESS. 26-01-2018 10:47:00 Leaving MsiLib::GetPackageProductInfo(). 26-01-2018 10:47:00 In MsiLib::IsProductInstalled(). 26-01-2018 10:47:00 Leaving MsiLib::IsProductInstalled() with false. 26-01-2018 10:47:00 Installation type: Fresh install 26-01-2018 10:47:00 Installing version: 1.0.0.564 26-01-2018 10:47:00 Installation of Sophos Endpoint Firewall version: 1.0.0.564 failed with return code : 1603. 26-01-2018 10:47:00 REBOOTCODE: 0 26-01-2018 10:47:00 Successfully registered for tamper protection with Sophos Endpoint Defense.
---
Billy Kendall
This is the issue:
MSI (s) (58:88) [10:47:00:675]: Executing op: CustomActionSchedule(Action=EnableFirewallAuditing,ActionType=1025,Source=BinaryData,Target=EnableFirewallAuditing,)
MSI (s) (58:88) [10:47:00:675]: Creating MSIHANDLE (168) of type 790536 for thread 5256
MSI (s) (58:D8) [10:47:00:675]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI4176.tmp, Entrypoint: EnableFirewallAuditing
MSI (s) (58!DC) [10:47:00:675]: Creating MSIHANDLE (169) of type 790531 for thread 5340
MSI (s) (58!DC) [10:47:00:675]: Closing MSIHANDLE (169) of type 790531 for thread 5340
MSI (s) (58!DC) [10:47:00:675]: Creating MSIHANDLE (170) of type 790531 for thread 5340
EnableFirewallAuditing: Initialized.
MSI (s) (58!DC) [10:47:00:675]: Closing MSIHANDLE (170) of type 790531 for thread 5340
EnableFirewallAuditing: Error 0x80004005: Could not set firewall auditing information
MSI (s) (58:D8) [10:47:00:675]: Closing MSIHANDLE (168) of type 790536 for thread 5256
CustomAction EnableFirewallAuditing returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (58:88) [10:47:00:690]: User policy value 'DisableRollback' is 0
MSI (s) (58:88) [10:47:00:690]: Machine policy value 'DisableRollback' is 0
Action ended 10:47:00: InstallFinalize. Return value 3.
The problem is, I'm not sure what the custom action EnableFirewallAuditing is doing to get this error: "Error 0x80004005: Could not set firewall auditing information".
You could try running Process Monitor during the install to see if that gives any clues, otherwise you may have to ask Support what this action is attempting to do.
Regards,
Jak
I have yet to hear back from anyone in Sophos support on this issue and I have a customer waiting for some resolution on this matter? Is there a better place, like possibly a Sophos Central support board, that I need to posting to so that I can get some support from Sophos on this issue please?
Thanks
Billy Kendall
There is a Central specific board but this is something Support will need to provide information on I don't think being in the Cental section will help much here.
I would try raising another ticket.
Out of interest, I assume this firewall package is failing to install as the logged on user with the new SophosSetup.exe installer. The logs are going to %temp%, i.e. the users temp location?
In which case, as the same user, does the following command work:
auditpol /get /category:*
Debugging this issue a little more: With Windows Installer, you can set a "System" environment variable called MsiBreak and give the value the name of the Custom Action, in this case EnableFirewallAuditing. This is the way you might debug the code in an installer as it causes Windows Installer to pop up a dialog when the CA starts to give you time to attach the debugger to the process, typically msiexec.exe.
In this case, stepping though in Windbg I suspect the Windows APIs being called are:
AuditQuerySystemPolicy - https://msdn.microsoft.com/en-us/library/windows/desktop/aa375702(v=vs.85).aspx
AuditSetSystemPolicy - https://msdn.microsoft.com/en-us/library/windows/desktop/aa375712(v=vs.85).aspx
Maybe the user doesn't have the SeSecurityPrivilege priv?
You could try installing the package using a command prompt running as SYSTEM (psexec -s -i cmd) https://docs.microsoft.com/en-us/sysinternals/downloads/psexec :
msiexec /i "Sophos Endpoint Firewall.msi" /L*v %temp%\log.txt
Process Explorer can give you the privileges of a process.
Hope it helps.
Regards,
Jak
There is a Central specific board but this is something Support will need to provide information on I don't think being in the Cental section will help much here.
I would try raising another ticket.
Out of interest, I assume this firewall package is failing to install as the logged on user with the new SophosSetup.exe installer. The logs are going to %temp%, i.e. the users temp location?
In which case, as the same user, does the following command work:
auditpol /get /category:*
Debugging this issue a little more: With Windows Installer, you can set a "System" environment variable called MsiBreak and give the value the name of the Custom Action, in this case EnableFirewallAuditing. This is the way you might debug the code in an installer as it causes Windows Installer to pop up a dialog when the CA starts to give you time to attach the debugger to the process, typically msiexec.exe.
In this case, stepping though in Windbg I suspect the Windows APIs being called are:
AuditQuerySystemPolicy - https://msdn.microsoft.com/en-us/library/windows/desktop/aa375702(v=vs.85).aspx
AuditSetSystemPolicy - https://msdn.microsoft.com/en-us/library/windows/desktop/aa375712(v=vs.85).aspx
Maybe the user doesn't have the SeSecurityPrivilege priv?
You could try installing the package using a command prompt running as SYSTEM (psexec -s -i cmd) https://docs.microsoft.com/en-us/sysinternals/downloads/psexec :
msiexec /i "Sophos Endpoint Firewall.msi" /L*v %temp%\log.txt
Process Explorer can give you the privileges of a process.
Hope it helps.
Regards,
Jak