Half of Sophos Enterprise Console clients failing to upgrade network threat protection to 1.8.77

We are experiencing issues with SEC. Half of the SEC clients fail to upgrade to NTP 1.8.77 with the following errors:

 

ProductSetup::ProductSetup: Begin product setup
ProductSetup::InstUninstEntry: Begin install
setup::TamperProtectionControl::TamperProtectionControl: Disabled tamper protection for component NTP
setup::TamperProtectionControl::TamperProtectionControl: Disabled tamper protection for service Sophos Network Threat Protection
setup::TamperProtectionControl::TamperProtectionControl: Disabled tamper protection for service sntp
ProductSetup::InstUninstEntry: Show gui: false
ProductSetup::InstUninstEntry: Existing product code: {66967E5F-43E8-4402-87A4-04685EE5C2CB}
ProductSetup::InstUninstEntry: Install from: C:\ProgramData\Sophos\AutoUpdate\cache\ntp64
ProductSetup::InstUninstEntry: Install to: <default>
=== Verbose logging started: 2019-07-11 16:02:18 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\ProgramData\Sophos\AutoUpdate\cache\sophos_autoupdate1.dir\ALUpdate.exe ===
MSI (c) (3C:68) [16:02:18:668]: Cloaking enabled.
MSI (c) (3C:68) [16:02:18:668]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (3C:68) [16:02:18:668]: End dialog not enabled
MSI (c) (3C:68) [16:02:18:668]: Original package ==> C:\ProgramData\Sophos\AutoUpdate\cache\ntp64\Sophos Network Threat Protection.msi
MSI (c) (3C:68) [16:02:18:668]: Package we're running from ==> C:\ProgramData\Sophos\AutoUpdate\cache\ntp64\Sophos Network Threat Protection.msi
MSI (c) (3C:68) [16:02:18:668]: APPCOMPAT: Compatibility mode property overrides found.
MSI (c) (3C:68) [16:02:18:668]: APPCOMPAT: looking for appcompat database entry with ProductCode '{604350BF-BE9A-4F79-B0EB-B1C22D889E2D}'.
MSI (c) (3C:68) [16:02:18:668]: APPCOMPAT: no matching ProductCode found in database.
MSI (c) (3C:68) [16:02:18:684]: MSCOREE not loaded loading copy from system32
MSI (c) (3C:68) [16:02:18:837]: APPCOMPAT: looking for appcompat database entry with ProductCode '{604350BF-BE9A-4F79-B0EB-B1C22D889E2D}'.
MSI (c) (3C:68) [16:02:18:837]: APPCOMPAT: no matching ProductCode found in database.
MSI (c) (3C:68) [16:02:18:837]: Transforms are not secure.
MSI (c) (3C:68) [16:02:18:837]: Note: 1: 2205 2: 3: Control
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\WINDOWS\TEMP\Sophos Network Threat Protection Install Log 20190711 160218.txt'.
MSI (c) (3C:68) [16:02:18:837]: No Command Line.
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{FEBAF421-B555-408D-B670-6604E0732280}'.
MSI (c) (3C:68) [16:02:18:837]: Product Code passed to Engine.Initialize: '(none)'
MSI (c) (3C:68) [16:02:18:837]: Product Code from property table before transforms: '{604350BF-BE9A-4F79-B0EB-B1C22D889E2D}'
MSI (c) (3C:68) [16:02:18:837]: Product Code from property table after transforms: '{604350BF-BE9A-4F79-B0EB-B1C22D889E2D}'
MSI (c) (3C:68) [16:02:18:837]: Product not registered: beginning first-time install
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (c) (3C:68) [16:02:18:837]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3: 2
MSI (c) (3C:68) [16:02:18:837]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (c) (3C:68) [16:02:18:837]: User policy value 'SearchOrder' is 'nmu'
MSI (c) (3C:68) [16:02:18:837]: Adding new sources is allowed.
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (c) (3C:68) [16:02:18:837]: Package name extracted from package path: 'Sophos Network Threat Protection.msi'
MSI (c) (3C:68) [16:02:18:837]: Package to be registered: 'Sophos Network Threat Protection.msi'
MSI (c) (3C:68) [16:02:18:837]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
MSI (c) (3C:68) [16:02:18:837]: TRANSFORMS property is now:
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '405'.
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Favorites
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Documents
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\ProgramData
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Local
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Pictures
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Desktop
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
MSI (c) (3C:68) [16:02:18:837]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\Fonts
MSI (c) (3C:68) [16:02:18:837]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
MSI (c) (3C:68) [16:02:18:837]: MSI_LUA: Setting AdminUser property to 1 because this is the client or the user has already permitted elevation
MSI (c) (3C:68) [16:02:18:837]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (c) (3C:68) [16:02:18:837]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'Windows User'.
MSI (c) (3C:68) [16:02:18:837]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding COMPANYNAME property. Its value is 'MAXIMA'.
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\ProgramData\Sophos\AutoUpdate\cache\ntp64\Sophos Network Threat Protection.msi'.
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\ProgramData\Sophos\AutoUpdate\cache\ntp64\Sophos Network Threat Protection.msi'.
MSI (c) (3C:68) [16:02:18:837]: Machine policy value 'MsiDisableEmbeddedUI' is 0
MSI (c) (3C:68) [16:02:18:837]: EEUI - Disabling MsiEmbeddedUI due to existing external or embedded UI
MSI (c) (3C:68) [16:02:18:837]: EEUI - Disabling MsiEmbeddedUI in quiet mode
=== Logging started: 2019-07-11 16:02:18 ===
MSI (c) (3C:68) [16:02:18:837]: Machine policy value 'DisableRollback' is 0
MSI (c) (3C:68) [16:02:18:837]: User policy value 'DisableRollback' is 0
MSI (c) (3C:68) [16:02:18:837]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
MSI (c) (3C:68) [16:02:18:837]: Note: 1: 2203 2: C:\WINDOWS\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (c) (3C:68) [16:02:18:837]: APPCOMPAT: [DetectVersionLaunchCondition] Launch condition already passes.
MSI (c) (3C:68) [16:02:18:837]: Creating MSIHANDLE (6) of type 790537 for thread 12392
MSI (c) (3C:68) [16:02:18:837]: MsiOpenPackageEx is returning 0
MSI (c) (3C:68) [16:02:18:837]: Closing MSIHANDLE (6) of type 790537 for thread 12392
=== Verbose logging stopped: 2019-07-11 16:02:18 ===

setup::MsiInstaller::install: New version: {604350BF-BE9A-4F79-B0EB-B1C22D889E2D}, version: 1.8.77.0
setup::`anonymous-namespace'::getMsiInformationFromProductCode: ERR: 1612 Failed to open product: {66967E5F-43E8-4402-87A4-04685EE5C2CB}
setup::MsiInstaller::install: Install failed: MsiOpenProductW failed: The installation source for this product is not available. Verify that the source exists and that you can access it.

`anonymous-namespace'::setResult: installation failed
setup::TamperProtectionControl::enable: Registered tamper protection integrity.dat for NTP
setup::TamperProtectionControl::enable: Enabled tamper protection for NTP
ProductSetup::~ProductSetup: End product setup

  • Hello Gedas Liugas1,

    apparently the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{66967E5F-43E8-4402-87A4-04685EE5C2CB} exists as does HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\F5E769668E342044784A4086E55E2CBC. The latter has a subkey InstallProperties that in turn contains a value LocalPackage that points to the cached .msi (e.g. C:\Windows\Installer\abcd1234.msi) from the previous version. It seems that this file does not exist. Is this so?

    Christian
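
A read-only check for the condition described in the reply above, added here as an example and not part of the original thread or of any Sophos tooling: it derives the packed GUID from the product code and reports whether the file named in LocalPackage is still on disk. The function names are hypothetical; the registry path and product code are the ones quoted in the thread.

```powershell
# Added example: read-only, changes nothing on the endpoint.
function ConvertTo-PackedGuid {
    param([Parameter(Mandatory)][string]$ProductCode)
    # Windows Installer stores product codes "packed": the first three GUID
    # groups are reversed character by character, and each byte of the last
    # two groups has its two hex digits swapped.
    $hex = ([guid]$ProductCode).ToString('N').ToUpper()
    $out = New-Object System.Text.StringBuilder
    foreach ($len in 8, 4, 4, 2, 2, 2, 2, 2, 2, 2, 2) {
        # Consumed and emitted lengths are equal, so $out.Length is the offset.
        $chunk = $hex.Substring($out.Length, $len).ToCharArray()
        [array]::Reverse($chunk)
        [void]$out.Append((-join $chunk))
    }
    $out.ToString()
}

function Test-MsiLocalPackage {
    param([Parameter(Mandatory)][string]$ProductCode)
    $packed = ConvertTo-PackedGuid $ProductCode
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData' +
           "\S-1-5-18\Products\$packed\InstallProperties"
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    $pkg = if ($props) { $props.LocalPackage } else { $null }
    # One object per endpoint, suitable for collecting into a CSV.
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        PackedGuid    = $packed
        KeyPresent    = [bool]$props
        LocalPackage  = $pkg
        PackageExists = [bool]($pkg -and (Test-Path -LiteralPath $pkg -PathType Leaf))
    }
}

# Product code of the existing NTP install, taken from the log above.
# Its packed form is F5E769668E342044784A4086E55E2CBC, as quoted in the reply.
Test-MsiLocalPackage '{66967E5F-43E8-4402-87A4-04685EE5C2CB}'
```

An endpoint reporting KeyPresent = True and PackageExists = False is in the state discussed here: the product is registered but its cached .msi is gone.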

  • In reply to QC:

    Correct, how can I solve this on 1000 computers? :)

  • In reply to QC:

    Should I remove both or one of the registry values?

  • In reply to Liuga:

    Hello Gedas Liugas1,

    sorry, was commuting meanwhile.

    I don't recommend removing any of the keys. The underlying problem is that the cached package required for uninstall has for whatever reason disappeared. NTP should continue to work normally, you "just" get the update failures - admittedly annoying but requires no immediate action. If you don't need 10.8.4 you might consider downgrading to Previous Recommended.

    For a handful of endpoints you normally copy the missing .msi ... you need the .msi for the previous version. Depends on what tools you have available. In theory you could put it in \Windows\Installer with a name that doesn't collide (more than 8 characters/digits will do) and modify the LocalPackage value to point to this file.
    I'll think of something - Support might or might not have a better solution though.

    Christian

  • In reply to QC:

    How will downgrading to Previous Recommended affect computers (both failed and successfully upgraded)? Does that mean that all successfully upgraded computers will downgrade to the previous NTP version without any problems and, what is more important, failed computers will not fire up alerts and will recreate the disappeared .msi?

  • In reply to QC:

    Maybe you know where I can get the NTP 1.2.2.50 msi installer? And should the NTP 1.2.2.50 LocalPackage name be the same for all computers, or does every single computer have its own, unique LocalPackage name for NTP 1.2.2.50?

  • In reply to Liuga:

    Hello Gedas Liugas1,

    downgrade should have no bad side-effects, failed endpoints should notice that there's "no change" for NTP and thus clear the error. They won't re-cache the package though.

    You can obtain the previous package by adding a subscription to Previous Recommended. Then just grab it from the new CID. Cached package name can be the same for all endpoints, so it's possible to copy it with the same name to all endpoints and set LocalPackage to the same value for all. Disclaimer: I haven't tested this scenario, should be fairly simple to verify it on one endpoint.

    Good luck
    Christian