Windows servers (2008 R2 and 2012) dump when Sophos updates

Dear all,

We have a Sophos server with Enterprise Console 5.5 on Windows 2008 R2, and some servers (Windows 2008 R2 and 2012) with the Sophos client installed.

Today, I have a problem with the Sophos client. Whenever my Sophos clients update to the Sophos server, my clients dump. I see error 0000006a (Installation caught error) on the Sophos Console; some clients report HitmanPro Alert install failed.

Could you help me check the problem? Where can I find the detailed log on the Sophos client or the Sophos Enterprise Console?

Thank you in advance,

Hut



  • Hello Hut,

    the logs for the installs or uninstalls performed during updating are in %windir%\Temp\.

    Christian

  • Hi Christian,

    I checked the directory and noticed that the Sophos HitmanPro Alert install log file is empty.

    Hut,

  • Hello Hut,

    the release notes list two issues but the description is rather vague. If you did reboot your endpoints the first doesn't apply. No other log (MSIxxxx) that could be related to EXP?
    You could also check the ALUpdate logs (%ProgramData%\Sophos\AutoUpdate\Logs\) but I assume it just says failed.

    Christian

  • Hi Christian,

    The following lines were written to the ALUpdate log when the client servers updated Sophos. However, the log file wasn't written when the client servers dumped.

     

    Trace(2017-Jun-07 15:36:42): Attempting to make a connection to remote machine \\ServerVIRUS\SophosUpdate\CIDs\S000\OPMHMPA
    Trace(2017-Jun-07 15:36:42): Connection to remote machine \\ServerVIRUS\SophosUpdate\CIDs\S000\OPMHMPA successful
    Trace(2017-Jun-07 15:36:42): Custom certificate already present.
    Trace(2017-Jun-07 15:36:42): Not primary update location. Will not process license, credentials and product id files.
    Trace(2017-Jun-07 15:36:42): Remote connection over UNC.
    Trace(2017-Jun-07 15:36:42): Read file master.upd (Remote).
    Trace(2017-Jun-07 15:36:42): Synchronised file root.upd (Remote).
    Trace(2017-Jun-07 15:36:42): ParseCustomerIDFile: completed: 0
    Trace(2017-Jun-07 15:36:42): TrySyncProduct<class AutoUpdate::CIDUpdateLocation>, Calling SyncProduct with {244E68BF-E1BB-4A6B-AC18-A492DE0134C0}
    Trace(2017-Jun-07 15:36:42): CIDUpdateLocation::SyncProduct - Updating Product: Sophos HitmanPro Alert
    Trace(2017-Jun-07 15:36:42): CIDUpdate(SyncProduct.Start): Sophos HitmanPro Alert, \\ServerVIRUS\SophosUpdate\CIDs\S000\OPMHMPA
    Trace(2017-Jun-07 15:36:42): Checksum found in master.upd matches cached cidsync.upd : 97cb15a3. Skipping download
    Trace(2017-Jun-07 15:36:42): CIDUpdate(PrimarySuccess):
    Trace(2017-Jun-07 15:36:42): TrySyncProduct<class AutoUpdate::CIDUpdateLocation>, SyncProduct returned - 1
    Trace(2017-Jun-07 15:36:42): TrySyncProduct<class AutoUpdate::CIDUpdateLocation>, Ended - 1
    Trace(2017-Jun-07 15:36:42): UpdateLocationFacade::SyncProduct: Last Update Mechanism = CID
    Trace(2017-Jun-07 15:36:42): CIDUpdateLocation::SyncProduct - Updating Product: Sophos Clean
    Trace(2017-Jun-07 15:36:42): CIDUpdate(SyncProduct.Start): Sophos Clean, \\ServerVIRUS\SophosUpdate\CIDs\S000\OPMHMPA
    Trace(2017-Jun-07 15:36:42): Checksum found in master.upd matches cached cidsync.upd : 1d576557. Skipping download
    Trace(2017-Jun-07 15:36:42): CIDUpdate(PrimarySuccess):
    Trace(2017-Jun-07 15:36:42): ALUpdate(DownloadEnded):
    Trace(2017-Jun-07 15:36:42): UpdateCoordinator::UpdateNow: About to Action list of products
    Trace(2017-Jun-07 15:36:42): SimpleProduct::DoAction isLater==false skipAction==false isUninstall==false m_lastUpdateSucceeded==true numfilestocahce 1 Actiontype SetupNot preinstalled product
    Trace(2017-Jun-07 15:36:42): Null update
    Trace(2017-Jun-07 15:36:42): ALUpdate(Action.Skipped): RMSNT
    Trace(2017-Jun-07 15:36:42): CIDUpdateLocation::OnNullUpdate...
    Trace(2017-Jun-07 15:36:42): CustomFileMap::CustomFileMap. CachePath = C:\ProgramData\Sophos\AutoUpdate\cache
    Trace(2017-Jun-07 15:36:42): CustomFileMap::Read: Subfolder = rms productID = {390DCDC2-10A9-4ef3-B8D8-0CA7F0E7EB92}
    Trace(2017-Jun-07 15:3  ---> Blue screen appears

    Trace(2017-Jun-07 15:46:22): Attempting to make a connection to remote machine \\ServerVIRUS\SophosUpdate\CIDs\S000\OPMHMPA
    Trace(2017-Jun-07 15:46:22): Connection to remote machine \\ServerVIRUS\SophosUpdate\CIDs\S000\OPMHMPA successful
    Trace(2017-Jun-07 15:46:22): Custom certificate already present.
    Trace(2017-Jun-07 15:46:22): Not primary update location. Will not process license, credentials and product id files.
    Trace(2017-Jun-07 15:46:22): Remote connection over UNC.
    Trace(2017-Jun-07 15:46:22): Read file master.upd (Remote).
    Trace(2017-Jun-07 15:46:22): Synchronised file root.upd (Remote).
    Trace(2017-Jun-07 15:46:22): ParseCustomerIDFile: completed: 0
    Trace(2017-Jun-07 15:46:22): TrySyncProduct<class AutoUpdate::CIDUpdateLocation>, Calling SyncProduct with {244E68BF-E1BB-4A6B-AC18-A492DE0134C0}
    Trace(2017-Jun-07 15:46:22): CIDUpdateLocation::SyncProduct - Updating Product: Sophos HitmanPro Alert
    Trace(2017-Jun-07 15:46:22): CIDUpdate(SyncProduct.Start): Sophos HitmanPro Alert, \\ServerVIRUS\SophosUpdate\CIDs\S000\OPMHMPA
    Trace(2017-Jun-07 15:46:22): Checksum found in master.upd matches cached cidsync.upd : 97cb15a3. Skipping download
    Trace(2017-Jun-07 15:46:22): CIDUpdate(PrimarySuccess):
    Trace(2017-Jun-07 15:46:22): TrySyncProduct<class AutoUpdate::CIDUpdateLocation>, SyncProduct returned - 1
    Trace(2017-Jun-07 15:46:22): TrySyncProduct<class AutoUpdate::CIDUpdateLocation>, Ended - 1
    Trace(2017-Jun-07 15:46:22): UpdateLocationFacade::SyncProduct: Last Update Mechanism = CID
    Trace(2017-Jun-07 15:46:22): CIDUpdateLocation::SyncProduct - Updating Product: Sophos Clean
    Trace(2017-Jun-07 15:46:22): CIDUpdate(SyncProduct.Start): Sophos Clean, \\ServerVIRUS\SophosUpdate\CIDs\S000\OPMHMPA
    Trace(2017-Jun-07 15:46:22): Checksum found in master.upd matches cached cidsync.upd : 1d576557. Skipping download
    Trace(2017-Jun-07 15:46:22): CIDUpdate(PrimarySuccess):
    Trace(2017-Jun-07 15:46:22): ALUpdate(DownloadEnded):
    Trace(2017-Jun-07 15:46:22): UpdateCoordinator::UpdateNow: About to Action list of products
    Trace(2017-Jun-07 15:46:22): SimpleProduct::DoAction isLater==false skipAction==false isUninstall==false m_lastUpdateSucceeded==true numfilestocahce 1 Actiontype SetupNot preinstalled product
    Trace(2017-Jun-07 15:46:22): Null update
    Trace(2017-Jun-07 15:46:22): ALUpdate(Action.Skipped): RMSNT
    Trace(2017-Jun-07 15:46:22): CIDUpdateLocation::OnNullUpdate...
    Trace(2017-Jun-07 15:46:22): CustomFileMap::CustomFileMap. CachePath = C:\ProgramData\Sophos\AutoUpdate\cache
    Trace(2017-Jun-07 15:46:22): CustomFileMap::Read: Subfolder = rms productID = {390DCDC2-10A9-4ef3-B8D8-0CA7F0E7EB92}
    Trace(2017-Jun-07 15:4  ---> Blue screen appears

     

    The error occurs when HitmanPro Alert updates from version 3.6.3.583 to 3.6.3.593.

    When I stop the Sophos auto update service, the problem is solved.

    I also attached the dump file from the client server.

    Regards.

    Hut,
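
An added example, not part of the original thread and not Sophos code: a small triage script that splits an ALUpdate trace log into update cycles and reports the ones whose last record was cut off mid-write, as happens in the excerpt above when the blue screen hits. It assumes a cycle begins at the "Attempting to make a connection" record and that a line starting with `Trace(` but not matching the full `Trace(timestamp): message` shape is a truncated record; the sample input is constructed from lines quoted in the post.

```python
import re

# A complete record as shown in the thread: Trace(2017-Jun-07 15:36:42): message
RECORD = re.compile(r"^Trace\((\d{4}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2})\): ?(.*)$")
PRODUCT = re.compile(r"Updating Product: (.+)$")
CYCLE_START = "Attempting to make a connection to remote machine"  # assumed cycle marker

def interrupted_cycles(log_text):
    """Return the update cycles whose final record was cut off mid-write."""
    cycles, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith("Trace("):
            continue                      # blank lines and free-text annotations
        m = RECORD.match(line)
        if m is None:                     # starts like a record but is incomplete
            if current is not None:
                current["truncated"] = True
            continue
        stamp, msg = m.groups()
        if msg.startswith(CYCLE_START):
            current = {"start": stamp, "products": [],
                       "last_complete": msg, "truncated": False}
            cycles.append(current)
            continue
        if current is None or current["truncated"]:
            continue                      # nothing to attribute this record to
        current["last_complete"] = msg
        p = PRODUCT.search(msg)
        if p:
            current["products"].append(p.group(1))
    return [c for c in cycles if c["truncated"]]

# Constructed sample, abridged from the lines quoted in the post above.
SAMPLE = r"""
Trace(2017-Jun-07 15:36:42): Attempting to make a connection to remote machine \\ServerVIRUS\SophosUpdate\CIDs\S000\OPMHMPA
Trace(2017-Jun-07 15:36:42): CIDUpdateLocation::SyncProduct - Updating Product: Sophos HitmanPro Alert
Trace(2017-Jun-07 15:36:42): CIDUpdateLocation::SyncProduct - Updating Product: Sophos Clean
Trace(2017-Jun-07 15:36:42): CustomFileMap::Read: Subfolder = rms productID = {390DCDC2-10A9-4ef3-B8D8-0CA7F0E7EB92}
Trace(2017-Jun-07 15:3
Trace(2017-Jun-07 15:46:22): Attempting to make a connection to remote machine \\ServerVIRUS\SophosUpdate\CIDs\S000\OPMHMPA
Trace(2017-Jun-07 15:46:22): CIDUpdateLocation::SyncProduct - Updating Product: Sophos HitmanPro Alert
Trace(2017-Jun-07 15:46:22): Null update
"""

if __name__ == "__main__":
    for c in interrupted_cycles(SAMPLE):
        print(c["start"], c["products"], "| last complete record:", c["last_complete"])
```

The start time of each interrupted cycle can then be compared with the crash dump timestamps on the same server.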

  • Hello Hut,

    you say you have the same symptoms on more than one machine? On all of them?

    Christian

  • Given the reference to the filter manager in that screenshot of a dump, I suspect it's the same problem as detailed here:

    https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/92654/server-2012-r2-bsod-on-20-servers-any-thoughts

  • Hi Christian,

    All of the client servers (Windows 2008 R2 and Windows 2012) have the same symptoms. The clients using Windows 10, 8, 7 don't have the problem.

     

    Hut,

  • Hi Jak,

     

    Exactly, my problem is the same as that case.

     

    Thanks,

    Hut,