Client machine not showing status on SEC

Hey,

Server: MS Server 2003 32-bit

SEC: v5.0.0.8

Client: v10.0.3

Client OS: Windows 7 Pro 64-bit

I have a client machine that for some reason is not showing a status for the following categories:

Up to date

On-access

Application Control on-access

Data control scanning

Device control scanning

Tamper protection

It is showing status for the following categories:

Firewall

Patch assessment

I can't seem to pinpoint what is causing the issue.

I have had problems with the same client in the past but have somehow been successful in getting the status to show up again. This time around I am unable to get the status to come back. I have tried reinstalling the client software with no luck.

I have followed the advice given in this post: No Status for On-access

I know there is communication between the client and the SEC because when I stop the "Sophos Message Router" service on the client machine the status of the client's machine shows offline on the SEC.

Is there anything further that I can do to try and figure out why the status keeps dropping out on this client machine?

Cheers

  • Hi sir,

     The client machine was not showing on Enterprise Console. I installed the client on an AIX machine; the update and everything was successfully done on the client machine, and it is also getting ping and all, but it is not showing on the console. Help me, sir.
  • Thanks for the kudos. Just a few additional general remarks.

    Occasionally you encounter "minor" issues like this one, an adapter missing, but also "sudden" update failures like The MSI has failed (often caused by, for whatever reason, corrupted registry permissions). On a gut level they get less frequent but still exist. Extended troubleshooting is IMO only worth the effort if either you can find a quick solution for a significant number of clients and/or future occurrences (like importing a registry key, re-registering some component) - ideally without visiting the machine - or you (or rather Sophos) can track down the cause and update the product to avoid these issues in the future. The latter is not simple as the remaining bugs seem obscure.

    Thus it is often more efficient to stop hunting for the bug at a certain point and

    1- Try to re-protect the client (if you have not already done so)

    2 - If this fails try to determine the cause, if you can correct it and re-protect.

    3 - If you can't determine the cause, or re-protect succeeds but does not resolve the issue, further attempts are unlikely to help. Therefore uninstall all components (it'd be nice if this could be done from SEC, although the client would not be able to report back success or failure).

    4 - If the uninstall fails remove the Installer information (using msicuu2 or its successor) and re-protect/install. In most cases this will work (for me it has worked in all cases including a corrupted Beta-SEC install). Of course assess the errors you encounter - in one case the problem was an incomplete (due to forced power off) update and a subsequent attempt by the admin to get it working again by reinstalling - unfortunately with a different version. Apart from cleaning the installer info it was also necessary to reinstall with the "correct" version.

    Although I'm not shy to pester Support there are some situations where I prefer this pragmatic approach (which as said has proven to work). BTW - I never had to reinstall the OS.

    Christian

  • Hey,

    Last night I tried tackling the machine in question.

    I was following a tutorial on how to correct the COM server permission error I was getting.

    Unfortunately when I was trying to locate the CLSID in Component Services I was able to locate it.

    So after all that I finally just decided to completely blow away the Sophos installation.

    I removed all the components, rebooted and reinstalled Sophos.

    As of this morning the machine is still showing all statuses.

    I will monitor it and see if it disappears again.

    Thanks to jak and QC for your help, it is much appreciated.

    Sorry I couldn't have come up with a more reliable solution.

    Cheers

  • Hey jak,

    Well I did some hunting on the machine in question and I did find a registry backup made from CCleaner.

    It has one entry pertaining to Sophos:

    [HKEY_CLASSES_ROOT\CLSID\{D2B7A809-15DC-40B4-A1E1-C61EA97191DB}\LocalServer32]@"="C:\\PROGRA~1\\Sophos\\SOPHOS~1\\SAVSER~1.EXE"

    Not sure if this key in particular would cause the issue I am seeing.

    The other thing is that this was created way back in 2010, but this problem reappeared only recently.

    Now, that is not to say that the user didn't re-run CCleaner and not create a backup this time around.

    I still need to sift through the logs to see if I can find any additional information that might explain what is happening.

    In the meantime, to be safe, I will uninstall CCleaner to rule out this application being the problem 100%.

    Cheers

    ============================================================

    So I started digging through the Event Logs in Windows.

    The first problem I noticed was with the "Sophos Device Control Service" complaining that it couldn't start.

    When I tried starting the service I got a "....Access denied...." error message, which I thought was sort of weird.

    This led me to look at the System logs in Event Viewer, where I came across the following error:

    Log Name: System

    Source: Distributed COM

    Event ID: 10016

    The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {D2B7A809-15DC-40B4-A1E1-C61EA97191DB} and APPID Unavailable to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

    When I looked up the CLSID {D2B7A809-15DC-40B4-A1E1-C61EA97191DB} in the registry I found the entry:

    Infrastructure.ComponentManager

    I looked through the registry a little more and was able to link this CLSID to the SAVservice. So as far as I can tell this CLSID is tied to Sophos.

    I am not sure if this is what is causing my issue. But I think probably correcting this issue would be a good place to start.

    I have a sneaking suspicion that I should probably just completely blow away the installation on this computer and reinstall everything from scratch.

    But I will still run through the logs and see if there is anything else.

    Cheers

  • Hi,

    Missing registry keys could certainly be the cause here, and quite likely. Maybe when they ran CCleaner and it asked to clean the registry they chose the option to back up to a reg file before deleting? If you had the reg files you could see if any Sophos keys were removed.

    For example, on my machine, if I rename:

    HKEY_CLASSES_ROOT\TypeLib\{7B1F77BE-23A0-43AF-BF0F-E2B741B0B0B1}

    so it's not found, I get this message in the Agent log. So I think Process Monitor on a working machine vs this machine, filtered by registry access and maybe also on not found items, will do it.

    If all else fails you could try running:

    regsvr32 ComponentManager.dll

    to try to re-register the dll. This will re-write the registration keys for this component, but if this works so should a re-install.

    Regards,

    Jak

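As an added example (not code from this thread or from Sophos), the following PowerShell snippet performs the two checks discussed in these replies on the affected client: whether the CLSID named in the DCOM 10016 event is still registered under HKCR\CLSID (and which server and AppID it points at), and which 10016 events in the System log mention that CLSID. The default CLSID is the one quoted in the thread; the `$Clsid` parameter and the output wording are my own.

```powershell
# Added example, not from the thread: inspect the COM registration of the class a
# DCOM 10016 event names, then list the 10016 events that mention it.
param(
    # CLSID quoted in the thread's event; pass the one from your own 10016 event.
    [string]$Clsid = '{D2B7A809-15DC-40B4-A1E1-C61EA97191DB}'
)

$clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
if (-not (Test-Path $clsidKey)) {
    Write-Output "CLSID $Clsid is not registered under HKCR\CLSID (registration missing or cleaned)."
} else {
    $props = Get-ItemProperty -Path $clsidKey
    Write-Output ("Class name    : {0}" -f $props.'(default)')

    # A COM server is reached via LocalServer32 (an exe) or InprocServer32 (a dll).
    foreach ($sub in 'LocalServer32', 'InprocServer32') {
        if (Test-Path "$clsidKey\$sub") {
            $server = (Get-ItemProperty -Path "$clsidKey\$sub").'(default)'
            Write-Output ("{0,-14}: {1}" -f $sub, $server)
        }
    }

    # The AppID value links the class to its DCOM launch/activation permissions;
    # 'APPID Unavailable' in the event text means no AppID could be resolved.
    $appId = $props.AppID
    if ($appId) {
        $appKey = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"
        Write-Output ("AppID         : {0} (AppID key present: {1})" -f $appId, (Test-Path $appKey))
    } else {
        Write-Output 'AppID         : none recorded on the CLSID key'
    }
}

# DCOM writes event 10016 to the System log when Local Activation is denied.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10016 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Clsid) } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell on the client and compare the output with a healthy machine running the same client version, as suggested above.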
  • Hi jak,

    Thank you for your reply.

    As far as I can tell the SAV is working on the machine. And as far as I can tell all the components are working on the machine. It is definitely a weird situation.

    I will take your suggestions and start digging through the logs to see if I can figure out what is going on.

    At one point yes, this particular machine was showing its status correctly. I have had this issue in the past with the particular machine (it happens to be the same user as well), but I have been able to correct it.

    Now, when you started talking about the registry you got me thinking.

    This particular user looks like they have installed and probably run a utility called CCleaner. This utility (among other things) is used to clean out registry entries that are deemed "unused".

    I wonder if it's possible that this program has removed registry keys it shouldn't have.

    (Don't ask why the user is allowed to install an application such as this, this is a sore subject.)

    What I might try to do, after doing some digging, is a completely fresh install of Sophos.

    And then remove CCleaner so that the user can't run it and just see what happens.

    I will try all that you have suggested though and report back.

    thank you

  • Hi,

    E SAVXP Adapter: Failed to create instance of SAVXP Component Manager

    is definitely the problem, the adapter can't speak to SAV to find out its state.

    I assume if SAV is working on the client the component manager component is working? You may want to check the Event log for errors when starting the SAV Service just to check nothing is thrown in there. Can you open the SAV GUI and make changes to the config locally?

    The component manager is a COM component served up by the componentmanager.dll as hosted by the SAVService; you can check it's installed by running dcomcnfg. If it exists there, it's odd that the ManagementAgentNt.exe process, which is running as system, can't create an instance of the object.

    You mentioned you tried uninstalling and reinstalling SAV first but that didn't help? This is quite surprising and makes me think some old registry keys relating to the component's registration are left behind and are the problem.

    Maybe running Process Monitor while starting the Sophos Agent service will show the COM based lookups taking place. Maybe you could compare this machine with another (running the same version) at that point.

    The other option is to remove everything Sophos from the machine, reboot and trawl through HKCR for references to Sophos and delete them. Once complete attempt a reinstall.

    Tricky one.

    Regards,

    Jak

  • Hey QC,

    Thanks for the reply.

    So the error message that I observed isn't something that is normal?

    I wasn't really sure because from time to time I come across errors using other applications and they are considered "normal" based on certain criteria or how the application is set up.

    I will take your advice and try and do some additional digging on my own!

    Cheers

  • Hello toddh,

    You've looked at the right log and it seems the Component Manager is the problem. Can't say right now what to look for next, but maybe a search for Component Manager (here and/or the knowledge base) will give you some hints.

    Christian
  • Hi jak,

    I set the log level to 2.

    I restarted the services as instructed.

    I wasn't exactly sure what log file I should look at so I just started poking around.

    I came across this log file: C:\ProgramData\Sophos\Remote Management System\3\Agent\Logs

    I was looking at the logs under this directory and discovered the following error:

    D SAVXP Adapter: --RefreshConfigData--

    E SAVXP Adapter: Failed to create instance of SAVXP Component Manager

    And a few additional messages:

    SAVXP Adapter: GetStatus()

    D SAVXP Adapter: Match state: NoComparison

    D SAVXP Adapter: Match state: NoComparison

    D SAVXP Adapter: Match state: NoComparison

    D SAVXP Adapter: Match state: NoComparison

    D SAVXP Adapter: Match state: NoComparison

    Not sure if this error is significant in any way but I thought I would throw it up just in case.