Half of Sophos Enterprise Console clients failing to upgrade network threat protection to 1.8.77

We are experiencing issues with SEC. half of SEC clients fails upgrading to ntp 1.8.77 with following errors:

 

ProductSetup::ProductSetup: Begin product setup
ProductSetup::InstUninstEntry: Begin install
setup::TamperProtectionControl::TamperProtectionControl: Disabled tamper protection for component NTP
setup::TamperProtectionControl::TamperProtectionControl: Disabled tamper protection for service Sophos Network Threat Protection
setup::TamperProtectionControl::TamperProtectionControl: Disabled tamper protection for service sntp
ProductSetup::InstUninstEntry: Show gui: false
ProductSetup::InstUninstEntry: Existing product code: {66967E5F-43E8-4402-87A4-04685EE5C2CB}
ProductSetup::InstUninstEntry: Install from: C:\ProgramData\Sophos\AutoUpdate\cache\ntp64
ProductSetup::InstUninstEntry: Install to: <default>
=== Verbose logging started: 2019-07-11 16:02:18 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\ProgramData\Sophos\AutoUpdate\cache\sophos_autoupdate1.dir\ALUpdate.exe ===
MSI (c) (3C:68) [16:02:18:668]: Cloaking enabled.
MSI (c) (3C:68) [16:02:18:668]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (3C:68) [16:02:18:668]: End dialog not enabled
MSI (c) (3C:68) [16:02:18:668]: Original package ==> C:\ProgramData\Sophos\AutoUpdate\cache\ntp64\Sophos Network Threat Protection.msi
MSI (c) (3C:68) [16:02:18:668]: Package we're running from ==> C:\ProgramData\Sophos\AutoUpdate\cache\ntp64\Sophos Network Threat Protection.msi
MSI (c) (3C:68) [16:02:18:668]: APPCOMPAT: Compatibility mode property overrides found.
MSI (c) (3C:68) [16:02:18:668]: APPCOMPAT: looking for appcompat database entry with ProductCode '{604350BF-BE9A-4F79-B0EB-B1C22D889E2D}'.
MSI (c) (3C:68) [16:02:18:668]: APPCOMPAT: no matching ProductCode found in database.
MSI (c) (3C:68) [16:02:18:684]: MSCOREE not loaded loading copy from system32
MSI (c) (3C:68) [16:02:18:837]: APPCOMPAT: looking for appcompat database entry with ProductCode '{604350BF-BE9A-4F79-B0EB-B1C22D889E2D}'.
MSI (c) (3C:68) [16:02:18:837]: APPCOMPAT: no matching ProductCode found in database.
MSI (c) (3C:68) [16:02:18:837]: Transforms are not secure.
MSI (c) (3C:68) [16:02:18:837]: Note: 1: 2205 2: 3: Control
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\WINDOWS\TEMP\Sophos Network Threat Protection Install Log 20190711 160218.txt'.
MSI (c) (3C:68) [16:02:18:837]: No Command Line.
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{FEBAF421-B555-408D-B670-6604E0732280}'.
MSI (c) (3C:68) [16:02:18:837]: Product Code passed to Engine.Initialize: '(none)'
MSI (c) (3C:68) [16:02:18:837]: Product Code from property table before transforms: '{604350BF-BE9A-4F79-B0EB-B1C22D889E2D}'
MSI (c) (3C:68) [16:02:18:837]: Product Code from property table after transforms: '{604350BF-BE9A-4F79-B0EB-B1C22D889E2D}'
MSI (c) (3C:68) [16:02:18:837]: Product not registered: beginning first-time install
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (c) (3C:68) [16:02:18:837]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3: 2
MSI (c) (3C:68) [16:02:18:837]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (c) (3C:68) [16:02:18:837]: User policy value 'SearchOrder' is 'nmu'
MSI (c) (3C:68) [16:02:18:837]: Adding new sources is allowed.
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (c) (3C:68) [16:02:18:837]: Package name extracted from package path: 'Sophos Network Threat Protection.msi'
MSI (c) (3C:68) [16:02:18:837]: Package to be registered: 'Sophos Network Threat Protection.msi'
MSI (c) (3C:68) [16:02:18:837]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
MSI (c) (3C:68) [16:02:18:837]: TRANSFORMS property is now:
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '405'.
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Favorites
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Documents
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\ProgramData
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Local
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Pictures
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Desktop
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\Fonts
MSI (c) (3C:68) [16:02:18:837]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
MSI (c) (3C:68) [16:02:18:837]: MSI_LUA: Setting AdminUser property to 1 because this is the client or the user has already permitted elevation
MSI (c) (3C:68) [16:02:18:837]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (c) (3C:68) [16:02:18:837]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'Windows User'.
MSI (c) (3C:68) [16:02:18:837]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding COMPANYNAME property. Its value is 'MAXIMA'.
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\ProgramData\Sophos\AutoUpdate\cache\ntp64\Sophos Network Threat Protection.msi'.
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\ProgramData\Sophos\AutoUpdate\cache\ntp64\Sophos Network Threat Protection.msi'.
MSI (c) (3C:68) [16:02:18:837]: Machine policy value 'MsiDisableEmbeddedUI' is 0
MSI (c) (3C:68) [16:02:18:837]: EEUI - Disabling MsiEmbeddedUI due to existing external or embedded UI
MSI (c) (3C:68) [16:02:18:837]: EEUI - Disabling MsiEmbeddedUI in quiet mode
=== Logging started: 2019-07-11 16:02:18 ===
MSI (c) (3C:68) [16:02:18:837]: Machine policy value 'DisableRollback' is 0
MSI (c) (3C:68) [16:02:18:837]: User policy value 'DisableRollback' is 0
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
MSI (c) (3C:68) [16:02:18:837]: Note: 1: 2203 2: C:\WINDOWS\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (c) (3C:68) [16:02:18:837]: APPCOMPAT: [DetectVersionLaunchCondition] Launch condition already passes.
MSI (c) (3C:68) [16:02:18:837]: Creating MSIHANDLE (6) of type 790537 for thread 12392
MSI (c) (3C:68) [16:02:18:837]: MsiOpenPackageEx is returning 0
MSI (c) (3C:68) [16:02:18:837]: Closing MSIHANDLE (6) of type 790537 for thread 12392
=== Verbose logging stopped: 2019-07-11 16:02:18 ===

setup::MsiInstaller::install: New version: {604350BF-BE9A-4F79-B0EB-B1C22D889E2D}, version: 1.8.77.0
setup::`anonymous-namespace'::getMsiInformationFromProductCode: ERR: 1612 Failed to open product: {66967E5F-43E8-4402-87A4-04685EE5C2CB}
setup::MsiInstaller::install: Install failed: MsiOpenProductW failed: The installation source for this product is not available. Verify that the source exists and that you can access it.

`anonymous-namespace'::setResult: installation failed
setup::TamperProtectionControl::enable: Registered tamper protection integrity.dat for NTP
setup::TamperProtectionControl::enable: Enabled tamper protection for NTP
ProductSetup::~ProductSetup: End product setup

  • Hello Gedas Liugas1,

    apparently the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{66967E5F-43E8-4402-87A4-04685EE5C2CB} exists as does HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\F5E769668E342044784A4086E55E2CBC. The latter has a subkey InstallProperties, that in turn contains a value LocalPackage.that points to the cached ,msi (e.g. C:\Windows\Installer\abcd1234.msi) from the previous version. It seems that this file does not exist. Is this so?

    Christian

  • In reply to QC:

    Correct, how can I solve this on 1000 computers? :)

  • In reply to QC:

    Should I remove both or one on the registry values?

  • In reply to Liuga:

    Hello Gedas Liugas1,

    sorry, was commuting meanwhile.

    I don't recommend removing any of the keys. The underlying problem is that the cached package required for uninstall has for whatever reason disappeared. NTP should continue to work normally, you "just" get the update failures - admittedly annoying but requires no immediate action. if you don't need 10.8.4 you might consider downgrading to Previous Recommended.

    For a handful of endpoints you normally copy the missing .msi ... you need the .msi for the previous version. Depens on what tools you have available. In theory you could put it in \Windows\Installer with a name that doesn't collide (more than 8 characters/digits will do) and modify the LocalPackage value to point to this file.
    I'll think of something - Support might or might not have a better solution though.

    Christian

  • In reply to QC:

    How downgrading to Previous Recommended will affect computers (both failed and successfully upgraded). Does that mean that all successfully upgraded computer will downgrade to previous ntp version without any problems and what is more important failed computers will not fire up alerts and recreates dissapeared .msi?

  • In reply to QC:

    Maybe You know where can I get NTP 1.2.2.50 msi installer? And does ntp 1.2.2.50 LocalPackage name for all computers should be the same, or every single computer has its own, unique LocalPackage name for ntp 1.2.2.50?

  • In reply to Liuga:

    Hello Gedas Liugas1,

    downgrade should have to bad side-effects, failed endpoints should notice that there's "no change" for NTP and thus clear the error. They won't re-cache the package though.

    You can obtain the previous package by adding a subscription to Previous Recommended. Then just grab it from the new CID. Cached package name can be the same for all endpoints, so it's possible to copy it with the same name to all endpoints and set LocalPackage to the same value for all. Disclaimer: I haven't tested this scenario, should be fairly simple to verify it on one endpoint.

    Good luck
    Christian

  • Hello everyone,

     

    i experiencing exact the same issue on some of my machines. Could you assist me? 

     

    Where i can get the old NTP Installer, which is missing in the \windows\installer directory?

     

    Kind regards

    Florian

  • In reply to Liuga:

    I think the first thing to do is collect the different versions of the MSI installer file for the NTP package.  You can subscribe to packages in SEC to get these where possible or harvest them off computers that have been offline or snapshots, etc..

    You can then put them in an accessible share, e.g.

    \\server\share\1.8.1555.0\Sophos Network Threat Protection.msi
    \\server\share\1.4\Sophos Network Threat Protection.msi
    \\server\share\1.7\Sophos Network Threat Protection.msi

    The idea then being, a script could run, to get the cached MSI path for the NTP package, if it exists, all is good, if not, for the version of the NTP package installed, copy the correct version from the share to the computer and save it with the cached MSI file name.

    Example PS below, it has no error checking but could be a starting point.  I've not even tested it beyond it printing the right strings.

    Hope it helps.

    Regards,

    Jak

     

     

    #Fix cached MSI file.

    $global:PackageToFix     = "Sophos Network Threat Protection"
    $global:InstallKey       = gci "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products" -rec -ea SilentlyContinue
    $global:PathToMSI        = ""
    $global:VersionInstalled = ""
    $global:FileName         = "Sophos Network Threat Protection.msi" #Default name of the MSI file.
    $global:Share            = "\\server\share" #Example share to stage the various version of the missing MSI.

    #Create a sub directory of each version you want to stage, e.g.
    # \\server\share\1.8.1555.0\Sophos Network Threat Protection.msi
    # \\server\share\1.4\Sophos Network Threat Protection.msi
    # \\server\share\1.7\Sophos Network Threat Protection.msi
    # etc...

    function main()
    {
    $null = GetFilePath
    write-host "Path to cached MSI for package" $global:PackageToFix ":" $global:PathToMSI
    write-host "Version Installed of" $global:PackageToFix ":" $global:VersionInstalled

    if (test-path $global:PathToMSI)
    {
    write-host "OK"
    exit 0
    }
    else
    {
    write-host "Missing Cached MSI as referenced in registry"

    #Copy correct cached MSI file from repo to the file path in $CachedMSIPath

    $pathFrom = $global:Share+"\"+$global:VersionInstalled+"\"+$global:FileName
    write-host "Copy from: " $pathFrom
    Write-host "Copy to: " $global:PathToMSI

    #Copy file
    Copy-Item $pathFrom -Destination $global:PathToMSI -ErrorAction silentlycontinue
    }

    }

    function GetFilePath()
    {
    foreach ($key in $global:InstallKey)
    {
    $name = $key | get-itemproperty -name DisplayName, LocalPackage, DisplayVersion -ea SilentlyContinue

    if ($name.DisplayName -eq $global:PackageToFix)
    {
    $global:PathToMSI = $name.LocalPackage
    $global:VersionInstalled = $name.DisplayVersion
    }
    }
    }

    cls
    main