
New Sophos Policy Evaluation

 So my Sophos Management Server updated last night. As part of the update, there is now a Sophos Policy Evaluation service that gets installed. Set to run automatically. However the service doesn't start up. The log in the event viewer is

 

Service cannot be started. System.InvalidOperationException: This access control list is not in canonical form and therefore cannot be modified.
   at System.Security.AccessControl.CommonAcl.ThrowIfNotCanonical()
   at System.Security.AccessControl.CommonAcl.RemoveInheritedAces()
   at System.Security.AccessControl.CommonSecurityDescriptor.SetDiscretionaryAclProtection(Boolean isProtected, Boolean preserveInheritance)
   at System.Security.AccessControl.ObjectSecurity.SetAccessRuleProtection(Boolean isProtected, Boolean preserveInheritance)
   at Sophos.PolicyEvaluation.Service.AclManager.SetFolderAcls()
   at Sophos.PolicyEvaluation.Service.PETService.OnStart(String[] args)
   at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Anyone else seeing this? Server is 2008r2, SQL databases are on another 2008r2 sql 2104 box. Everything else works, and I can manually run the tool from the command line as per the Sophos documentation. It's just the service that doesn't want to run.



  • Just in case anyone also has this error

     

    I think I have managed to fix this. By checking the logs for the Policy tool service C:\ProgramData\Sophos\Policy Evaluation Tool\Logs\policy-evaluation-tool-service.txt

     

    I could see in the log that it was attempting to set permissions for C:\ProgramData\Sophos\Policy Evaluation Tool as well as the registry hklm\software\sophos\PET. When I attempted to view the permissions for that folder as well as the registry key I was presented with the error “permissions are incorrectly ordered which may cause some entries to be ineffective”. Then the option to re-order them. Once the folder and registry key were corrected, the service then could start and set the appropriate permissions.

     

    2017-05-11 10:50:59,351 [4] INFO  {FileLogger.OnStart} ==> Setting ACLs on folders and the registry
    2017-05-11 10:50:59,398 [4] INFO  {FileLogger.OnStart} ==> Starting scheduler
    2017-05-11 10:50:59,413 [4] INFO  {FileLogger.RunPetIfDue} ==> Operating system is compatible.
    2017-05-11 10:50:59,413 [4] INFO  {FileLogger.CheckDotNetAvailability} ==> Checking Policy Evaluation start conditions...
    2017-05-11 10:50:59,413 [4] INFO  {FileLogger.RunPetIfDue} ==> Running Policy Evaluation Tool

     

    It seems as though the initial install of this did something wrong, perhaps this is something Sophos needs to check out.

  • I am having some troubles too after the update yesterday (11-05-2017)

    The service will not start anymore.

    My logs:

    Service cannot be started. System.InvalidOperationException: This access control list is not in canonical form and therefore cannot be modified.
       at System.Security.AccessControl.CommonAcl.ThrowIfNotCanonical()
       at System.Security.AccessControl.CommonAcl.RemoveInheritedAces()
       at System.Security.AccessControl.CommonSecurityDescriptor.SetDiscretionaryAclProtection(Boolean isProtected, Boolean preserveInheritance)
       at System.Security.AccessControl.ObjectSecurity.SetAccessRuleProtection(Boolean isProtected, Boolean preserveInheritance)
       at Sophos.PolicyEvaluation.Service.AclManager.SetRegistryAcls()
       at Sophos.PolicyEvaluation.Service.PETService.OnStart(String[] args)
       at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

    (C:\ProgramData\Sophos\Policy Evaluation Tool\Logs)

    2017-05-12 10:03:53,514 [4] WARN  {FileLogger.SetRegistryAcls} ==> Could not remove the S-1-5-32-545 access control rule from HKEY_LOCAL_MACHINE\Software\Sophos\PET.
    2017-05-12 10:03:53,514 [4] WARN  {FileLogger.SetRegistryAcls} ==> Could not remove the S-1-5-32-544 access control rule from HKEY_LOCAL_MACHINE\Software\Sophos\PET.
    2017-05-12 10:03:53,514 [4] WARN  {FileLogger.SetRegistryAcls} ==> Could not remove the S-1-5-18 access control rule from HKEY_LOCAL_MACHINE\Software\Sophos\PET.
    2017-05-12 10:03:53,514 [4] WARN  {FileLogger.SetRegistryAcls} ==> Could not remove the S-1-5-32-544 access control rule from HKEY_LOCAL_MACHINE\Software\Sophos\PET.
    2017-05-12 10:03:53,514 [4] WARN  {FileLogger.SetRegistryAcls} ==> Could not remove the S-1-3-0 access control rule from HKEY_LOCAL_MACHINE\Software\Sophos\PET.
    2017-05-12 10:03:53,514 [4] WARN  {FileLogger.SetRegistryAcls} ==> Could not remove the S-1-15-2-1 access control rule from HKEY_LOCAL_MACHINE\Software\Sophos\PET.
    2017-05-12 10:03:53,514 [4] ERROR {FileLogger.OnStart} ==> Exception occured during service startup: This access control list is not in canonical form and therefore cannot be modified.
    Stack trace:    at System.Security.AccessControl.CommonAcl.ThrowIfNotCanonical()

     

    When I check the folder permissions I don't get any warnings about the rights, folder or regedt32.

    Also, I don't have the key(s) HKEY_LOCAL_MACHINE\Software\Sophos\PET as referred to in the logs.

    A repair of the PET tool results in an error and needs a reboot of the box.

     

    Any suggestions?

     

     

  • Hello Roel Roomeijer,

    HKLM\Software\Sophos\PET
    it's on the Wow6432Node, HKLM\SOFTWARE\Wow6432Node\Sophos\PET

    Christian

  • Hello Christian,

    That did the trick, reorder the permissions and done.

    2017-05-12 10:48:23,614 [4] INFO {FileLogger.OnStart} ==> Setting ACLs on folders and the registry
    2017-05-12 10:48:23,645 [4] INFO {FileLogger.OnStart} ==> Starting scheduler
    2017-05-12 10:48:23,645 [4] INFO {FileLogger.RunPetIfDue} ==> Operating system is compatible.
    2017-05-12 10:48:23,645 [4] INFO {FileLogger.CheckDotNetAvailability} ==> Checking Policy Evaluation start conditions...
    2017-05-12 10:48:23,645 [4] INFO {FileLogger.RunPetIfDue} ==> Running Policy Evaluation Tool

    Thank you for the quick response and solution!

     

    Regards,

    Roel

  • Yes, sorry, I could have been a little more detailed. The log file references hklm\software\sophos\PET, but as with a 64-bit OS you'll need to check the Wow6432Node as stated. Glad you got this fixed. I had informed Sophos support of this issue as well.

  • Thanks for the update.

     

    Regards,

    Roel
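
A read-only check for the condition discussed in this thread, added here as an example (not part of any post above and not Sophos code). It reports whether the DACL on the folder and on the Wow6432Node registry key is in canonical order and marks the entries that sit out of place. The function name `Test-AclOrder` is made up for this example; the two paths are the ones quoted in the thread, and the syntax is kept compatible with the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example: read-only, changes nothing. Run from an elevated prompt.
# Canonical DACL order as checked by .NET: explicit deny ACEs first,
# then explicit allow ACEs, then inherited ACEs.
function Test-AclOrder {
    param([Parameter(Mandatory = $true)][string]$Path)

    $acl  = Get-Acl -Path $Path
    # Re-parse the DACL from SDDL so the ACEs come back in their stored order.
    $sddl = $acl.GetSecurityDescriptorSddlForm('Access')
    $raw  = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

    $highest = 0   # highest rank seen so far while walking the list
    $index   = 0
    foreach ($ace in $raw.DiscretionaryAcl) {
        # Rank: 0 = explicit deny, 1 = explicit allow, 2 = inherited
        if ($ace.IsInherited)                     { $rank = 2 }
        elseif ($ace.AceType -eq 'AccessDenied')  { $rank = 0 }
        else                                      { $rank = 1 }

        New-Object PSObject -Property @{
            Path       = $Path
            Canonical  = $acl.AreAccessRulesCanonical
            Index      = $index
            AceType    = $ace.AceType
            Inherited  = $ace.IsInherited
            Sid        = $ace.SecurityIdentifier.Value
            # True when this ACE appears after an ACE of a later class
            OutOfOrder = ($rank -lt $highest)
        }

        if ($rank -gt $highest) { $highest = $rank }
        $index++
    }
}

# Locations named in the thread (folder, and the 32-bit registry view on a 64-bit OS)
$targets = @(
    'C:\ProgramData\Sophos\Policy Evaluation Tool',
    'HKLM:\SOFTWARE\Wow6432Node\Sophos\PET'
)

foreach ($t in $targets) {
    if (Test-Path -Path $t) {
        Test-AclOrder -Path $t |
            Select-Object Path, Canonical, Index, AceType, Inherited, Sid, OutOfOrder |
            Format-Table -AutoSize
    } else {
        Write-Warning "Not found: $t"
    }
}
```

`Canonical = False` on either target matches the state in which the service throws the exception shown in the posts above; the rows marked `OutOfOrder` are the entries the permissions dialog moves when it offers to re-order them.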