SEC 5.5.1

Hello all,

thought the upgrade (from 5.5.0) would be simple enough to do it even on a Friday (it's was shortly before 10am so it didn't fall under the no changes on Friday afternoon rule).
Second time in a row it failed miserably (but only on one of the servers) [:)]. This time with a 1923 for the Management Service - can't say (and didn't care) why, perhaps a missing restart (real programmers don't follow the advice of some piece of software, do they?). After the restart and a second attempt it failed immediately - Database 5.5.1, Console 5.5.0, Server not installed. Similar fix as last time (uninstall Console), install completed. Then - Management Service failed to start due to failed database upgrade. Manual upgrade - bingo!
Done with both servers and the remote consoles - still some time before noon.

Christian

Sweaaaaaaat !!! :) Like you said, It's Friday morning :)

As usual ...

Hello ,

As usual
been there before? Can't remember what's supposed to happen after yo click Next, too long ago [;)].
Seriously, I think I just leave it alone, doing something else checking in later to asses the progress and success or failure (this thing maybe doesn't like to be watched). It should record its progress in %ProgramData%\Sophos\Management Installer\Sophos_bootstrapper.... and potential MSI logs should also be there. There might be a prompt waiting hidden by some window. Clicking on the "correct" taskbar icon might bring it to front.

Christian

Some feedback.

I am logged as Domain Admin. After a very long time I had this on the install screen:

The command "CheckDBConnection -l" yields this :

C:\sec_551\ServerInstaller\CheckDBConnection>CheckDBConnection -l
Sophos Connectivity Verifier
5.5.1.955
Copyright 2000-2018 Sophos Limited. All rights reserved.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
TestDatabaseConnectionWithConnectionString 'Server=.\SOPHOS;Database=master; Timeout=3; Trusted_Connection=Yes;'
NewConnStr 'Server=.\SOPHOS;Database=master; Timeout=3; Trusted_Connection=Yes;;'
TestDatabaseConnectionWithConnectionString 'Server=.\SOPHOS;Database=master; Timeout=3; Trusted_Connection=Yes;Encrypt=yes;'
NewConnStr 'Server=.\SOPHOS;Database=master; Timeout=3; Trusted_Connection=Yes;Encrypt=yes;;'
(/) Operating system is ready to use TLS 1.2
(/) Installed .NET Framework supports TLS 1.2
Connection to the SQL Server established
(x) SQL Server instance does not support TLS 1.2
(x) SQL Server TCP/IP protocol detection failed
(/) There is a certificate installed that can be used with SQL Server
(/) SQL Server Native Client library supports TLS 1.2
Encrypted connection to the SQL Server cannot be established
Windows Server 2012 R2 - Standard Server - 6.3.9600.0 - 6 -
SOPHOS - 11.0.7462.6 - SP4-GDR -
Corindon WSUS
Client Library information:
sm - SQLNCLI11 - 11.0.7462
tcp - SQLNCLI11 - 11.0.7462
np - SQLNCLI11 - 11.0.7462
tcp - SQLNCLI11 - 11.0.7462.6
C:\sec_551\ServerInstaller\CheckDBConnection>

I still have both errors:

(x) SQL Server instance does not support TLS 1.2
(x) SQL Server TCP/IP protocol detection failed.

Both of these errors are wrong.

It was soooo easy to upgrade and maintain Symantec SEC.  Why I have done that ultra stupid decision to migrate to something else ?

Registery keys:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

I assume you have seen the KBA's for the individual checks, for example:

You don't have sufficient database rights
https://community.sophos.com/kb/en-us/124245

Thanks.  I seen that.  I am concentrating on the TLS issue first since solving it may also solve other issues ...

But for now, in that KB they write :

1. Launch a Command Prompt as the user who has the sysadmin Server Role
   
   
2. Type the following and press return:
   
   sqlcmd -E -S .\sophos
   
   Note: This uses the default sophos instance on the local server. To confirm the instance you require see article 113030.
   
   
3. At the prompt type the following to determine if the affected user has a Login, pressing Enter after each line:
   
   SELECT loginname FROM syslogins
go
   
   
4. Confirm whether the affected user is listed in the output
   
   
5. If the user is listed go to step 7
   
   
6. If the user is not listed type the following to add the user to the Logins, pressing Enter after each line:

Well.  Nothing, but absolutely nothing in there works.

I indeed have the registry key with (local)\SOPHOS registry key. (And not ".\SOPHOS key")

sqlcmd -E -S .\sophos do not work

sqlcmd -E -S (local)\sophos do not work

Whatever the case, SELECT loginname FROM syslogins will not work either.  "syslogins" being wrong. Error near"-E"

Another Sophos time sucker nightmare ...

Presence of .\sophos is proven here ...

Presence of .\sophos is proven here ...